
posted by janrinok on Saturday January 07 2017, @06:27AM
from the something-desperately-needed dept.

The Federal Trade Commission announces:

The Federal Trade Commission (FTC) is hosting a prize competition that challenges the public to create a technical solution ("tool") that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.

The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.

The prize for the competition is up to $25,000, with $3,000 available for each [of three] honorable mention winner(s).

However, not only do the gov't workers not put ALL of the details on ONE page like people with normal intelligence, you also can't see the part of the page that contains the Registration and Submission link unless you have JavaScript enabled.

In their coverage, El Reg notes:

Anyone who gets a genuinely good solution to this stuff won't need the $25,000 for long: they'll be scooped up by Silicon Valley in less time than it takes to say "elevator pitch".

Submissions for the [FTC] contest open on March 1, 2017 and close on May 22, 2017. Winners will be announced on July 27, 2017.

They also have a not-exactly-short list of IoT stuff that has already been pwned or has shipped with insecure configurations.

We can probably all agree that the current situation with insecure devices that can be hijacked and used as bots is unsatisfactory, but has anyone got any suggestions that would still enable a company to market secure devices while keeping the costs at a reasonable level?


  • (Score: 2) by maxwell demon on Saturday January 07 2017, @07:10AM

    by maxwell demon (1608) on Saturday January 07 2017, @07:10AM (#450641) Journal

    > but has anyone got any suggestions that would still enable a company to market secure devices while keeping the costs at a reasonable level?

    Are secure default configurations really so much more expensive than insecure ones?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Saturday January 07 2017, @07:11AM

    by Anonymous Coward on Saturday January 07 2017, @07:11AM (#450642)

    What's a secure default configuration? A random default password? Plenty of time to brute force guess it.

    • (Score: 2) by maxwell demon on Saturday January 07 2017, @07:45AM

      by maxwell demon (1608) on Saturday January 07 2017, @07:45AM (#450645) Journal

      Yeah, good luck guessing a random 64-bit character sequence. Hint: If you had tried one every microsecond since the big bang, you would still have covered less than 0.005% of the password space.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Saturday January 07 2017, @07:52AM

        by Anonymous Coward on Saturday January 07 2017, @07:52AM (#450648)

        Yeah, see here's the thing. A lot of people never change the default password, and a lot of people are bad at inputting random junk, so if you make it too long, people will call support and complain that their default password doesn't work, every time they try to use it. Have fun with those support calls, especially when your company is paying for them.

        • (Score: 2) by MostCynical on Saturday January 07 2017, @09:00AM

          by MostCynical (2589) on Saturday January 07 2017, @09:00AM (#450671) Journal

          And there you have the thing that will win the money - come up with a way to make users *work* for security.

          2000 volts to the private parts every time a password is no good?

          200,000 volts to the QA or designer who made a password validator that forces bad passwords, and won't allow good ones?

          Or a device that takes every insecure IoT device (tautology?) and shoves it back where it came from?

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
        • (Score: 2) by maxwell demon on Saturday January 07 2017, @09:42AM

          by maxwell demon (1608) on Saturday January 07 2017, @09:42AM (#450672) Journal

          Integrate a password manager into the app that comes with the device. Indeed, you could even use a Bluetooth connection to transfer that password once during initialization, so you never have to enter it manually, requiring the user to press a physical button to initiate the password transfer.

          Yes, this is still vulnerable to physical access, but then, physical access is always a vulnerability, and physically securing your home is a problem that you have to solve anyway (and breaking into every home is certainly not a practical method of building a botnet).

          --
          The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Saturday January 07 2017, @12:14PM

        by Anonymous Coward on Saturday January 07 2017, @12:14PM (#450703)

        > If you had tried one every microsecond since the big bang, you would still have covered less than 0.005% of the password space.

        So you're saying there's a chance I could have guessed it by now? I like those odds.

    • (Score: 2) by Immerman on Saturday January 07 2017, @03:11PM

      by Immerman (3985) on Saturday January 07 2017, @03:11PM (#450733)

      How about requiring a physical button press to log in? Attempt login, get shown a "now push the login button within 60 seconds" screen. Fail to do so, and the login aborts.

  • (Score: 2) by Arik on Saturday January 07 2017, @10:17AM

    by Arik (4543) on Saturday January 07 2017, @10:17AM (#450678) Journal
    The short answer is yes, actually, they are. The support cost from a sane configuration is significantly higher, and not only because customers are idiots who lose their credentials then call the manufacturer expecting them to have a magic wand. The magic wand for many of these devices is that wide-open completely insecure default, because that's the easiest state in which to get it to hook up and 'work' so you can quit supporting it.

    Now that's not the whole problem, it's just one piece; by itself that's not fatal. The smart thing to do is just make the device so it's totally open by default - but only for local access. Only for the person who is physically holding it in their hands. That permits some level of control still. But then take that practice and transpose it onto devices that don't have any physical access - no console port, not even an ethernet jack. Just this mindless always-on wifi constantly searching for a network, any network, from which to take commands. Add to that these things are done so cheaply they write very little if any code, they just pay some kid to crib code from random github projects until it works then push it out the door.

    It's a miracle more of them haven't been turned against their owners already.

    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 2) by FatPhil on Saturday January 07 2017, @11:22AM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Saturday January 07 2017, @11:22AM (#450694) Homepage
      > The smart thing to do is just make the device so it's totally open by default - but only for local access. Only for the person who is physically holding it in their hands.

      I get the feeling that baby monitors having that feature wouldn't have much of a market.

      I think my solution would be to ship the device non-working apart from an initial password setting interface, perhaps with a nasty noisy squawking (or even a voice that says "configure me, you dozy twat" repeatedly) to persuade you to not leave it in this state for long, and have the computer/phone program that talks to your newly-switched on device also remember the password for you, so that it can't get lost or forgotten. Sure, the hackers have won your baby-monitor if they get physical access to your phone or computer, but who gives a fuck about the baby monitor, the fuckers have got your phone or computer, that's a bigger problem. Configured - you're good to go with all the video capture, mail ordering, privacy-raping bullshit features that your IoT (internet of trash?) device performs.

      That way, the hackers have to find your open device in the sliver of time between you turning it on and you configuring it. Assuming that's 3 minutes rather than 3 years of device life, that's already >500000 times more secure than an always-working default password (or 19 bits, if you're counting bits). Heck, if the setup-program has you set up everything, and then when you click "I'm ready" it then instructs you to turn the device on, hunt, hunt, configure, secure. That's 3 seconds of insecure time. 31 million times safer than what we currently suffer (or 25 bits).

      People will go "wah, wah, wah, but I shouldn't have to go through this palaver" the first few times, but if we keep telling them "yes, you do need to go through this palaver, this is good for you and for everyone" then eventually they'll stop complaining, and finally they won't even notice it, it might even give them warm fuzzies (which is what most "security" actually is) and they might even be suspicious of things that don't give them the warm fuzzies. It's no more of a palaver than the BT device pairing by pin.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
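The two estimates in this thread (maxwell demon's "one guess per microsecond since the big bang" and FatPhil's "3 minutes vs. 3 years is about 19 bits") are easy to get wrong by a factor of a few orders of magnitude, so here is the arithmetic written out as small functions. This is an added example, not code from any commenter or from the FTC contest; it assumes 365-day years, a 13.8-billion-year-old universe, and reads the "64-bit character sequence" as 64 characters drawn from a 62-symbol alphabet (upper, lower, digits).

```python
import math
from typing import Tuple

# Added worked example (not from any commenter): the two estimates above as
# reusable arithmetic, so the assumptions behind them are explicit.

SECONDS_PER_YEAR = 365 * 24 * 3600      # assumption: 365-day years, no leap days
AGE_OF_UNIVERSE_YEARS = 13.8e9          # assumption: ~13.8 billion years since the big bang


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def fraction_searched(alphabet_size: int, length: int,
                      guesses_per_second: float, seconds: float) -> float:
    """Share of the password space covered by an attacker guessing at a fixed rate.

    Computed in the log domain so that enormous spaces (hundreds of bits) do not
    overflow a float; a result that underflows to 0.0 is the honest answer.
    """
    log2_guesses = math.log2(guesses_per_second * seconds)
    return 2.0 ** (log2_guesses - entropy_bits(alphabet_size, length))


def exposure_window_bits(window_seconds: float, lifetime_seconds: float) -> Tuple[float, float]:
    """Security gained by accepting default credentials only during a short window.

    Returns (reduction factor, same factor expressed in bits): an attacker who
    must hit the device inside the window instead of any time in its life has
    that much less opportunity.
    """
    factor = lifetime_seconds / window_seconds
    return factor, math.log2(factor)


def thread_figures() -> dict:
    """Recompute the concrete numbers quoted in the comments above."""
    seconds_since_big_bang = AGE_OF_UNIVERSE_YEARS * SECONDS_PER_YEAR
    # maxwell demon's password, read as 64 characters from a 62-symbol
    # alphabet, attacked at one guess per microsecond.
    covered = fraction_searched(62, 64, 1e6, seconds_since_big_bang)
    # FatPhil's exposure windows: 3 minutes or 3 seconds versus a 3-year life.
    lifetime = 3 * SECONDS_PER_YEAR
    factor_3min, bits_3min = exposure_window_bits(3 * 60, lifetime)
    factor_3s, bits_3s = exposure_window_bits(3, lifetime)
    return {
        "password_bits": entropy_bits(62, 64),
        "fraction_covered": covered,
        "factor_3min": factor_3min, "bits_3min": bits_3min,
        "factor_3s": factor_3s, "bits_3s": bits_3s,
    }


if __name__ == "__main__":
    for key, value in thread_figures().items():
        print(f"{key}: {value:.4g}")
```

Running it gives roughly 381 bits for the password, a covered fraction that rounds to zero at float precision (far below the quoted 0.005%), a factor of 525,600 (19 bits) for the 3-minute window and 31,536,000 (25 bits) for the 3-second one, matching the figures in the comments. The exposure-window number is worth keeping separate from the entropy number: the first says how long the default credential is usable, the second how hard a configured one is to guess, and a device needs both to be good.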
      • (Score: 2) by Arik on Saturday January 07 2017, @04:30PM

        by Arik (4543) on Saturday January 07 2017, @04:30PM (#450757) Journal
        "I get the feeling that baby monitors having that feature wouldn't have much of a market."

        Why not? You really think baby is going to manage to find a paperclip, depress a recessed button, and hold it for 15 seconds?

        Your solution has some good ideas but don't kid yourself that they would *greatly* increase the support cost. And if you don't provide hand-holding, you'll get customer backlash, reviews will say your product is trash, it can't be configured, no one will help you....
        --
        If laughter is the best medicine, who are the best doctors?
    • (Score: 1) by RS3 on Saturday January 07 2017, @05:41PM

      by RS3 (6367) on Saturday January 07 2017, @05:41PM (#450775)

      How about if simple default "admin:[serial number]" login is only good for 15 seconds or so after powerup?

      • (Score: 0) by Anonymous Coward on Saturday January 07 2017, @07:41PM

        by Anonymous Coward on Saturday January 07 2017, @07:41PM (#450809)

        I think you're close. How about requiring three fields to login instead of two?
        - username
        - password
        - serial number or unique key (printed on the bottom of the unit)

        The device would prevent login attempts for five minutes after three failed attempts. Even if the default username/password never gets changed this would make logging in require physical access (at least once).

      • (Score: 1) by tftp on Sunday January 08 2017, @07:39AM

        by tftp (806) on Sunday January 08 2017, @07:39AM (#450971) Homepage

        > How about if simple default "admin:[serial number]" login is only good for 15 seconds or so after powerup?

        Most devices take longer to boot up. But let's say you increase the time to 15 minutes. That works. I have seen WiFi routers with semi-random passwords printed on their FCC stickers. That is both secure and easy enough to use if you have the device in your hands. Those are permanent factory default passwords, not timeout-protected ones. Don't know in what circumstances the timeout makes sense. Usually the device has to communicate with the owner and (more and more often) with the cloud. Unique, strong default passwords may be better than "hunter2" that the customer is likely to enter. Perhaps the OEM should not even allow customer-entered passwords... only the factory-generated ones should be used, and they will be long and strong.
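Several of the proposals in this sub-thread (RS3's time-limited `admin:[serial number]` default, the Anonymous Coward's third login field plus a five-minute lockout after three failures, tftp's 15-minute window, and Immerman's "press the button within 60 seconds" step further up) fit together into one login policy. The simulation below is an added example, not any vendor's firmware or the FTC contest's code; the fixed `admin` user name, the window and lockout lengths, the PBKDF2 parameters and the `SN-0001` serials are all assumptions chosen to match the comments.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not any vendor's firmware: a login policy for a small device
# that combines the proposals from the comments above. All constants and the
# fixed "admin" user name are assumptions chosen to match those comments.
SETUP_WINDOW_S = 15 * 60      # default admin:<serial> accepted only this long after boot
MAX_FAILURES = 3              # consecutive failures before lockout
LOCKOUT_S = 5 * 60            # lockout length
BUTTON_TIMEOUT_S = 60         # physical button must be pressed within this many seconds


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a dumped flash image does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (avoids leaking match length via timing)."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class Device:
    serial: str                              # printed on the label; also the setup credential
    booted_at: float                         # seconds, from whatever clock the firmware has
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: Optional[bytes] = None          # None until the owner has set a password
    failures: int = 0
    locked_until: float = 0.0
    pending_since: Optional[float] = None    # credentials accepted, waiting for the button

    def set_password(self, new_password: str) -> None:
        """Owner sets a password; from here on the default credential is dead."""
        self.pw_hash = _hash(new_password, self.salt)

    def _credentials_ok(self, user: str, password: str, label_serial: str, now: float) -> bool:
        if not _same(label_serial, self.serial):
            return False                     # third field: serial from the sticker
        if user != "admin":
            return False
        if self.pw_hash is None:
            # Unconfigured device: admin:<serial> works, but only shortly after boot.
            return now - self.booted_at <= SETUP_WINDOW_S and _same(password, self.serial)
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def login(self, user: str, password: str, label_serial: str, now: float) -> str:
        """First step of login; returns 'locked', 'denied' or 'press-button'."""
        if now < self.locked_until:
            return "locked"
        if not self._credentials_ok(user, password, label_serial, now):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.failures = 0
                self.locked_until = now + LOCKOUT_S
                return "locked"
            return "denied"
        self.failures = 0
        self.pending_since = now
        return "press-button"

    def press_button(self, now: float) -> str:
        """Second step: the physical press that turns accepted credentials into a session."""
        if self.pending_since is None:
            return "nothing-pending"
        elapsed = now - self.pending_since
        self.pending_since = None
        return "session" if elapsed <= BUTTON_TIMEOUT_S else "expired"


def walkthrough() -> List[str]:
    """Constructed scenario: first-boot setup, then guesses against the configured device."""
    d = Device(serial="SN-0001", booted_at=1000.0)
    out = [d.login("admin", "SN-0001", "SN-0001", now=1010.0)]   # setup window: press-button
    out.append(d.press_button(now=1030.0))                        # within 60 s: session
    d.set_password("correct horse battery staple")
    out.append(d.login("admin", "SN-0001", "SN-0001", now=1100.0))  # default retired: denied
    out.append(d.login("admin", "guess2", "SN-0001", now=1101.0))   # denied
    out.append(d.login("admin", "guess3", "SN-0001", now=1102.0))   # third failure: locked
    out.append(d.login("admin", "correct horse battery staple", "SN-0001", now=1103.0))  # still locked
    out.append(d.login("admin", "correct horse battery staple", "SN-0001", now=1500.0))  # press-button
    out.append(d.press_button(now=1600.0))                        # 100 s later: expired
    return out
```

The important property is that the default credential stops working the moment a password is set, and never works at all outside the post-boot window, so a device left unconfigured for years is still not wide open; the serial field and the button press both require having the unit in hand, which is the property the thread keeps coming back to. The lockout counter is per device rather than per source address, which is the right choice on a box whose only "address" may be a NAT'd home network but does mean a remote attacker can lock the legitimate owner out for five minutes at a time; that trade-off is inherent in the Anonymous Coward's proposal and is the reason the window and lockout lengths should be tunable.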

    • (Score: 0) by Anonymous Coward on Saturday January 07 2017, @06:00PM

      by Anonymous Coward on Saturday January 07 2017, @06:00PM (#450779)

      > The smart thing to do is just make the device so it's totally open by default

      You misspelled "currently profitable".

      ...and a recent story says this won't be profitable for very much longer.
      This very same agency has demonstrated its dim view of that sort of behavior.
      FTC sues D-Link over router and camera security flaws [ftc.gov]

      -- OriginalOwner_ [soylentnews.org]