The Federal Trade Commission announces
The Federal Trade Commission (FTC) is hosting a prize competition that challenges the public to create a technical solution ("tool") that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.
The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.
The prize for the competition is up to $25,000, with $3,000 available for each [of three] honorable mention winner(s).
However, not only do the gov't workers not put ALL of the details on ONE page like people with normal intelligence, you also can't see the part of the page that contains the Registration and Submission link unless you have JavaScript enabled.
In their coverage, El Reg notes
Anyone who gets a genuinely good solution to this stuff won't need the $25,000 for long: they'll be scooped up by Silicon Valley in less time than it takes to say "elevator pitch".
Submissions for the [FTC] contest open on March 1, 2017 and close on May 22, 2017. Winners will be announced on July 27, 2017.
They also have a not-exactly-short list of IoT stuff that has already been pwned or has shipped with insecure configurations.
We can probably all agree that the current situation with insecure devices that can be hijacked and used as bots is unsatisfactory, but has anyone got any suggestions that would still enable a company to market secure devices while keeping the costs at a reasonable level?
(Score: 2) by maxwell demon on Saturday January 07 2017, @07:10AM
Are secure default configurations really so much more expensive than insecure ones?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Saturday January 07 2017, @07:11AM
What's a secure default configuration? A random default password? Plenty of time to brute force guess it.
(Score: 2) by maxwell demon on Saturday January 07 2017, @07:45AM
Yeah, good luck guessing a random 64-bit character sequence. Hint: If you had tried one every microsecond since the big bang, you would still have covered less than 0.005% of the password space.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Saturday January 07 2017, @07:52AM
Yeah, see here's the thing. A lot of people never change the default password, and a lot of people are bad at inputting random junk, so if you make it too long, people will call support and complain that their default password doesn't work, every time they try to use it. Have fun with those support calls, especially when your company is paying for them.
(Score: 2) by MostCynical on Saturday January 07 2017, @09:00AM
And there you have the thing that will win the money - come up with a way to make users *work* for security.
2000 volts to the private parts every time a password is no good?
200,000 volts to the QA or designer who made a password validator that forces bad passwords, and won't allow good ones?
Or a device that takes every insecure IoT device (tautology?) and shoves it back where it came from?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by maxwell demon on Saturday January 07 2017, @09:42AM
Integrate a password manager into the app that comes with the device. Indeed, you could even use a Bluetooth connection to transfer that password once during initialization, so you never have to enter it manually, requiring to press a physical button to initiate the password transfer.
Yes, this is still vulnerable to physical access, but then, physical access is always a vulnerability, and physically securing your home is a problem that you have to solve anyway (and breaking into every home is certainly not a practical method of building a botnet).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Saturday January 07 2017, @12:14PM
If you had tried one every microsecond since the big bang, you would still have covered less than 0.005% of the password space.
So you're saying there's a chance I could have guessed it by now? I like those odds.
(Score: 2) by Immerman on Saturday January 07 2017, @03:11PM
How about requiring a physical button press to log in? Attempt login, get shown a "now push the login button within 60 seconds" screen. Fail to do so, and the login aborts.
(Score: 2) by Arik on Saturday January 07 2017, @10:17AM
Now that's not the whole problem, it's just one piece; by itself that's not fatal. The smart thing to do is just make the device so it's totally open by default - but only for local access. Only for the person who is physically holding it in their hands. That permits some level of control still. But then take that practice and transpose it onto devices that don't have any physical access - no console port, not even an ethernet jack. Just this mindless always-on wifi constantly searching for a network, any network, from which to take commands. Add to that, these things are done so cheaply that they write very little, if any, code; they just pay some kid to crib code from random GitHub projects until it works, then push it out the door.
It's a miracle more of them haven't been turned against their owners already.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by FatPhil on Saturday January 07 2017, @11:22AM
I get the feeling that baby monitors having that feature wouldn't have much of a market.
I think my solution would be to ship the device non-working apart from an initial password setting interface, perhaps with a nasty noisy squawking (or even a voice that says "configure me, you dozy twat" repeatedly) to persuade you to not leave it in this state for long, and have the computer/phone program that talks to your newly-switched on device also remember the password for you, so that it can't get lost or forgotten. Sure, the hackers have won your baby-monitor if they get physical access to your phone or computer, but who gives a fuck about the baby monitor, the fuckers have got your phone or computer, that's a bigger problem. Configured - you're good to go with all the video capture, mail ordering, privacy-raping bullshit features that your IoT (internet of trash?) device performs.
That way, the hackers have to find your open device in the sliver of time between you turning it on and you configuring it. Assuming that's 3 minutes rather than 3 years of device life, that's already >500000 times more secure than an always-working default password (or 19 bits, if you're counting bits). Heck, if the setup program has you set up everything, and then, when you click "I'm ready", instructs you to turn the device on: hunt, hunt, configure, secure. That's 3 seconds of insecure time. 31 million times safer than what we currently suffer (or 25 bits).
People will go "wah, wah, wah, but I shouldn't have to go through this palaver" the first few times, but if we keep telling them "yes, you do need to go through this palaver, this is good for you and for everyone" then eventually they'll stop complaining, and finally they won't even notice it, it might even give them warm fuzzies (which is what most "security" actually is) and they might even be suspicious of things that don't give them the warm fuzzies. It's no more of a palaver than the BT device pairing by pin.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Arik on Saturday January 07 2017, @04:30PM
Why not? You really think baby is going to manage to find a paperclip, depress a recessed button, and hold it for 15 seconds?
Your solution has some good ideas but don't kid yourself that they would *greatly* increase the support cost. And if you don't provide hand-holding, you'll get customer backlash, reviews will say your product is trash, it can't be configured, no one will help you....
If laughter is the best medicine, who are the best doctors?
(Score: 1) by RS3 on Saturday January 07 2017, @05:41PM
How about if simple default "admin:[serial number]" login is only good for 15 seconds or so after powerup?
(Score: 0) by Anonymous Coward on Saturday January 07 2017, @07:41PM
I think you're close. How about requiring three fields to login instead of two?
- username
- password
- serial number or unique key (printed on the bottom of the unit)
The device would prevent login attempts for five minutes after three failed attempts. Even if the default username/password never gets changed this would make logging in require physical access (at least once).
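A sketch of the two proposals above (RS3's factory login that is only good for a short window after power-up, and the three-field login with a five-minute lockout after three failures), written as an added example that is not from any commenter or from the FTC contest; the device class, serial numbers and passwords are constructed for illustration, and the clock is injectable so the timing rules can be exercised without waiting.

```python
import hmac
import time

# Parameters from the thread: RS3's short window after power-up for the factory
# default login, and the lockout of five minutes after three failures proposed above.
DEFAULT_WINDOW_S = 15
MAX_FAILURES = 3
LOCKOUT_S = 300

def _eq(a, b):
    # Constant-time compare, so response timing does not reveal which field was wrong.
    return hmac.compare_digest(a.encode(), b.encode())

class DeviceAuth:
    """Login gate for a hypothetical IoT device (constructed for illustration)."""
    def __init__(self, serial, factory_password, clock=time.monotonic):
        self.serial = serial                      # printed on the bottom of the unit
        self.factory_password = factory_password  # unique per unit, set at the factory
        self.owner_password = None                # chosen by the owner during setup
        self.clock = clock
        self.boot_time = clock()                  # "power-up" for the default-login window
        self.failures = 0
        self.locked_until = 0.0

    def set_owner_password(self, password):
        # Once the owner has set a password, the factory default is retired for good.
        self.owner_password = password

    def login(self, username, password, serial):
        now = self.clock()
        if now < self.locked_until:
            return "locked"
        # Evaluate all three fields; no early exit, so the failing field is not revealed.
        user_ok = _eq(username, "admin")
        serial_ok = _eq(serial, self.serial)
        if self.owner_password is not None:
            pw_ok = _eq(password, self.owner_password)
        else:  # factory default is honoured only briefly after power-up
            pw_ok = _eq(password, self.factory_password) and (now - self.boot_time) <= DEFAULT_WINDOW_S
        if user_ok and serial_ok and pw_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures, self.locked_until = 0, now + LOCKOUT_S
            return "locked"
        return "denied"
```

Even with the default credentials never changed, a remote guesser now needs the serial printed on the unit, and the factory password stops working once the owner has set their own or the post-boot window has passed.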
(Score: 1) by tftp on Sunday January 08 2017, @07:39AM
How about if simple default "admin:[serial number]" login is only good for 15 seconds or so after powerup?
Most devices take longer to boot up. But let's say you increase the time to 15 minutes. That works. I have seen WiFi routers with semi-random passwords printed on their FCC stickers. That is both secure and easy enough to use if you have the device in your hands. Those are permanent factory default passwords, not timeout-protected ones. Don't know in what circumstances the timeout makes sense. Usually the device has to communicate with the owner and (more and more often) with the cloud. Unique, strong default passwords may be better than "hunter2" that the customer is likely to enter. Perhaps the OEM should not even allow customer-entered passwords... only the factory-generated ones should be used, and they will be long and strong.
(Score: 0) by Anonymous Coward on Saturday January 07 2017, @06:00PM
The smart thing to do is just make the device so it's totally open by default
You misspelled "currently profitable".
...and a recent story says this won't be profitable for very much longer.
This very same agency has demonstrated its dim view of that sort of behavior.
FTC sues D-Link over router and camera security flaws [ftc.gov]
-- OriginalOwner_ [soylentnews.org]