Slashdot Mirror


US Government Offers $25,000 Prize For Inventing A Way To Secure IoT Devices (ftc.gov)

An anonymous reader writes: America's Federal Trade Commission has announced a $25,000 prize for whoever creates the best tool for securing consumers' IoT devices. The so-called "IoT Home Inspector Challenge" asks participants to create something that will work on current, already-on-the-market IoT devices, with extra points also awarded for scalability and ease of use.

"Contestants have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords," according to the official site, but "The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software." The winning submission can't be just a policy (or legal) solution, and will be judged by a panel which includes two computer science professors and a vulnerability researcher from Carnegie Mellon University's CERT Coordination Center.

Computerworld points out that "This isn't the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls."
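The challenge text above names two minimum checks for such a tool: out-of-date firmware and hard-coded or default passwords; several comments below add open telnet to that list. The following is an added illustration of what the offline core of a "home inspector" looks like, written for this page and not code from the FTC, the challenge, or any entrant. The device inventory, the default-credential list, the "latest known firmware" table, and the model names are all constructed assumptions; a real tool would populate them from a LAN discovery scan, a credential wordlist, and vendor update feeds.

```python
"""Offline core of a home IoT inspector (added example, not the challenge's code).

Checks each discovered device for the three classic consumer-IoT weaknesses:
firmware older than the latest known release, acceptance of default
credentials, and cleartext remote-admin services exposed on the LAN.
"""
import re
import socket
from dataclasses import dataclass, field

# Constructed credential list; a real tool ships a much longer one.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", ""), ("user", "user"),
}
# Constructed "latest known firmware" table; assumed to come from vendor feeds.
LATEST_FIRMWARE = {"ACME Cam 1000": "2.4.1", "Brite Bulb X": "1.0.9"}
# Cleartext admin services a consumer device has no business exposing.
RISKY_PORTS = {21: "ftp", 23: "telnet", 2323: "telnet-alt"}


@dataclass
class Device:
    ip: str
    model: str
    firmware: str
    open_ports: set = field(default_factory=set)
    # (user, password) pairs the device accepted during the credential check
    accepted_logins: set = field(default_factory=set)


def parse_version(text):
    """'v2.3.0-rc1' -> (2, 3, 0): numeric components only, pre-release suffix dropped."""
    core = text.strip().lstrip("vV").split("-", 1)[0]
    return tuple(int(x) for x in re.findall(r"\d+", core))


def version_less(a, b):
    """Compare version tuples with zero padding so (2, 3) equals (2, 3, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def firmware_outdated(device):
    """True/False when the model is known; None when there is no feed to compare against."""
    latest = LATEST_FIRMWARE.get(device.model)
    if latest is None:
        return None
    return version_less(parse_version(device.firmware), parse_version(latest))


def default_credentials(device):
    return sorted(device.accepted_logins & DEFAULT_CREDENTIALS)


def risky_services(device):
    return sorted(p for p in device.open_ports if p in RISKY_PORTS)


def inspect(device):
    """Return a list of (severity, message) findings for one device."""
    findings = []
    outdated = firmware_outdated(device)
    if outdated is None:
        findings.append(("info", f"{device.model}: no firmware feed, cannot check {device.firmware}"))
    elif outdated:
        findings.append(("high", f"{device.model}: firmware {device.firmware} older than {LATEST_FIRMWARE[device.model]}"))
    for user, pw in default_credentials(device):
        findings.append(("critical", f"{device.model}: accepts default credential {user!r}/{pw!r}"))
    for port in risky_services(device):
        findings.append(("medium", f"{device.model}: exposes {RISKY_PORTS[port]} on tcp/{port}"))
    return findings


def tcp_port_open(host, port, timeout=1.0):
    """Live probe used to fill Device.open_ports on a real LAN; not used offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed inventory standing in for the result of a LAN discovery scan.
SAMPLE_DEVICES = [
    Device("192.168.1.20", "ACME Cam 1000", "v2.3.0-rc1", {80, 23, 554}, {("admin", "admin")}),
    Device("192.168.1.21", "Brite Bulb X", "1.0.9", {80}, set()),
    Device("192.168.1.22", "Unknown Plug", "3.1", {2323}, {("root", "")}),
]


def inspect_all(devices=SAMPLE_DEVICES):
    return {d.ip: inspect(d) for d in devices}


if __name__ == "__main__":
    for ip, findings in inspect_all().items():
        for severity, message in findings or [("ok", "no findings")]:
            print(f"{ip} [{severity}] {message}")
```

The unknown-model case is reported as "info" rather than silently passed: a tool that can only say "up to date" for models it has a feed for must make the gap visible, otherwise a consumer reads silence as a clean bill of health. The version comparison drops pre-release suffixes and zero-pads, because vendor version strings are rarely strict semver.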


  1. Solution by Anonymous Coward · · Score: 5, Insightful

    Throw the IoT in the trash and get regular devices that do not connect to the internet.

    1. Re: Solution by FatdogHaiku · · Score: 4, Informative

      I liked this part near the bottom of the rules (12 f.)
"The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor."

      So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    2. Re: Solution by nbauman · · Score: 4, Informative

      I liked this part near the bottom of the rules (12 f.)
"The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor."

      So kids, Hurry and send in your multi-million dollar product in good working order and we'll give you a pittance and introduce you to the civil legal system!

      Your legal analysis is correct.

      I once heard a freelance writer give a talk on writing contracts, and she described the worst contract (for the writer) she had ever seen. It was the Redbook "Writing contest."

      Redbook readers were invited to submit short story manuscripts, the winners would get a pittance (and the honor of being the winner), and Redbook would own all the rights.

      I realized that Redbook was basically asking people to submit stories on spec, in the hope that they would be chosen out of thousands of entries. If they were chosen, Redbook would own the work, and give them a small fee to print it.

      That's what contests are. They ask you to work for nothing, compete with thousands of people, and if they like yours better than all the others, they'll own the work and give you a modest payment.

      Spending 6 months or a year (or even a month) for $25,000 -- if they feel like it -- isn't a great deal.

      If the FTC wants to secure IOT devices, let them hire a staff to work on it. Or let them award competitive grants.

  2. Easy Solution - Hold Manufacturers Responsible by sinij · · Score: 5, Interesting

    Easy Solution - Hold Manufacturers Responsible. Pass legislation that any IoT device must be maintained with security patches for 2 years past sale and any substantial deviation from industry best practices (e.g. hard coded credentials, open telnet) would lead to hefty penalty.

    Treat these guys as you'd treat factories that dumped toxic waste into rivers.

  3. The Backasswards solution by geekmux · · Score: 4, Insightful

    I have a better idea. How about the US Government fine companies 75% of their net profits every time they design and sell a product that's insecure to begin with.

    That goes for everything, not just IoT. The future of autonomous vehicles scares the shit out of me because of the half-assed approach towards securing them.

    1. Re:The Backasswards solution by Sarten-X · · Score: 3, Insightful

      The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

      Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

      There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

      Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:The Backasswards solution by Sarten-X · · Score: 3, Interesting

      Joseph Bramah's lock was considered secure for 67 years, until Alfred Charles Hobbs picked it after a 51-hour effort in 1851. Now, modern tools and techniques can pick such a lock in a matter of minutes.

      So let's suppose you had purchased one of Bramah's locks in 1850, with a 65-year history of perfection. If you were robbed in 1853, who bears the liability? Is it Bramah (actually his sons who inherited the business) for making an insecure lock that was sold as being secure? Is it you, for not replacing the lock as soon as a picking technique had been proven? Or is it the thief who actually exploited the vulnerability and broke the law?

      --
      You do not have a moral or legal right to do absolutely anything you want.
  4. If I could secure IoT devices by rsilvergun · · Score: 3, Insightful

I could make a heck of a lot more than $25k...

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  5. Multi faceted approach by JASegler · · Score: 3, Interesting

    There isn't going to be a magic wand for this. But a multifaceted approach would help.

    1) Standards body to oversee the software and protocols.

    2) Standard IOT base software stacks and protocols. Ideally run as an open source style project with companies encouraged to give back to the software stacks. Maybe protection from being sued for security problems found if they are using the certified software stacks. i.e. we were using the certified software stack in a certified way is a valid legal defense. If your modifications are the problem you lose that protection. Makes getting your modifications into the base stacks very appealing to the lawyers, etc.

3) Certification program that takes completed devices and runs them through tests. Penetration tests of the completed devices. Manual and automated review of the software. Should be easy to fast track the software reviews if you're building on top of one of the approved IOT base software stacks.

    4) Require a way to easily update the software of the devices. The reality is forced updates are going to have to be required because most won't manually update the devices.

5) Require that a fully functional software stack be put in escrow for each device and revision of software. The company must provide support for the device or the software base is released. Lack of support for the device is decided by the standards board, not the company. Fully functional means that someone can take the stack, compile it and successfully install it on the device. No hidden BS boot encryption keys that are missing, etc. If there are encryption keys like that then they have to be put in escrow with the rest of the software stack.

    6) Media campaign to get people to buy only certified IOT devices.

    Probably plenty more things that are good ideas/best practices. But this would be a start.

  6. Very simple by MeNeXT · · Score: 3, Interesting

    Unmaintained, unsupported or unpatched (say 30 days) products no longer benefit from copyright and patent law.

    --
    DRM? No thanks, I'll just get it somewhere else...