
posted by janrinok on Saturday January 07 2017, @06:27AM
from the something-desperately-needed dept.

The Federal Trade Commission announces

The Federal Trade Commission (FTC) is hosting a prize competition that challenges the public to create a technical solution ("tool") that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.

The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.

The prize for the competition is up to $25,000, with $3,000 available for each [of three] honorable mention winner(s).

However, not only do the gov't workers not put ALL of the details on ONE page like people with normal intelligence, you also can't see the part of the page that contains the Registration and Submission link unless you have JavaScript enabled.

In their coverage, El Reg notes

Anyone who gets a genuinely good solution to this stuff won't need the $25,000 for long: they'll be scooped up by Silicon Valley in less time than it takes to say "elevator pitch".

Submissions for the [FTC] contest open on March 1, 2017 and close on May 22, 2017. Winners will be announced on July 27, 2017.

They also have a not-exactly-short list of IoT stuff that has already been pwned or has shipped with insecure configurations.

We can probably all agree that the current situation with insecure devices that can be hijacked and used as bots is unsatisfactory, but has anyone got any suggestions that would still enable a company to market secure devices while keeping the costs at a reasonable level?


  • (Score: 0) by Anonymous Coward on Saturday January 07 2017, @11:44AM (#450696)

    assuming every IOT device is on the local LAN and one doesn't have to walk more than
    500 meters to each device then the solution is:

    1) plug in a tiny usb "key"(*) device into the computer.
    2) register it with some "cloud provider". write down your account details in case of loss of "key" and subsequent required cloning.
    3) unplug usb-key device, walk to IOT device and plug in the usb-key and press a button on IOT device to have it download your "key".
    4) GOTO 3)
    5) IOT will join all other devices with which this procedure has been done.

    For updates:
    1) walk to IOT device plug-in usb-key device which will unlock the "upgrade" mode.
    2) connect to IOT device w/ usb-key inserted via local network and proceed to update device.
    3) GOTO 4) for each IOT device.
    4) once all IOT is updated, remove the usb-key and store in safe location.

    Security:
    IOT device is view-able ("request data") via local network ONLY and commands can be issued ("send data") if required ("turn off power/light") but cannot be updated or modified.
    Can ONLY be managed from a local lan IP (needs some sort of VPN as separate device).

    Profit .. NONE because it's too difficult and people are GOTO "subject".

    (*) some sort of encryption and identity key that is stored on the device. size approx.: like a logitech wireless mouse usb receiver -aka- tiny and easy to lose : )
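
The policy sketched in the comment above, modeled as an added example that is not part of the original post: reads and commands are accepted only from the local LAN, and a firmware update needs the enrolled key physically inserted. The class and method names, the 192.168.1.0/24 range, and the HMAC-SHA256 tag over the image are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

class IoTDevice:
    """Toy model of the commenter's policy; the HMAC image tag is an assumption."""
    def __init__(self, lan_cidr):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.enrolled_key = None    # copied from the USB key on button press
        self.inserted_key = None    # key currently in the USB port, if any
        self.firmware = b"fw-1.0"   # constructed sample value
        self.light_on = True

    def press_enroll_button(self):
        self.enrolled_key = self.inserted_key or self.enrolled_key
        return self.inserted_key is not None

    def handle(self, src_ip, action, payload=b"", tag=b""):
        if ipaddress.ip_address(src_ip) not in self.lan:
            return "denied: not on local LAN"
        if action == "read":        # "request data"
            return "light=" + ("on" if self.light_on else "off")
        if action == "command":     # "send data", e.g. turn off the light
            self.light_on = (payload == b"on")
            return "ok"
        if action == "update":      # only with the enrolled key plugged in
            if self.enrolled_key is None or self.inserted_key != self.enrolled_key:
                return "denied: enrolled key not inserted"
            good = hmac.new(self.enrolled_key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(good, tag):
                return "denied: bad image tag"
            self.firmware = payload
            return "updated"
        return "denied: unknown action"

def demo():
    key = hashlib.sha256(b"constructed demo key").digest()
    dev = IoTDevice("192.168.1.0/24")
    dev.inserted_key = key
    dev.press_enroll_button()
    dev.inserted_key = None         # key removed and stored safely
    image = b"fw-1.1"
    tag = hmac.new(key, image, hashlib.sha256).digest()
    lan = "192.168.1.20"
    out = [dev.handle("203.0.113.9", "read"), dev.handle(lan, "command", b"off"),
           dev.handle(lan, "read"), dev.handle(lan, "update", image, tag)]
    dev.inserted_key = key          # walk to the device and plug the key in
    out += [dev.handle(lan, "update", image, bytes(32)), dev.handle(lan, "update", image, tag)]
    return out
```

`demo()` returns the device's answer to each request in order, so the denied cases (off-LAN read, update without the key, update with a wrong tag) can be compared with the accepted ones.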

  • (Score: 0) by Anonymous Coward on Sunday January 08 2017, @06:15PM (#451110)

    hi,

    iot devices often do not provide for a "usb key" to be plugged into so that you can do any of your other steps. it is like you think my dishwasher that tracks loads so it can order replacement detergent from amazon, is actually something that responds to pings and can be interfaced directly by your computer.

    what else can I do for a device that has a wireless connection and no admin interface except for Cloud?

  • (Score: 1) by trimtab (2194) on Monday January 09 2017, @09:11PM (#451632)

    Your list sounds very similar to the way Z-wave devices are joined to a network controller. In that case, proximity to the controller limits what can be done remotely.

    - Z-wave works as a network mesh between AC powered devices.
    - Battery powered devices can use the mesh, but don't actively repeat packets.
    - After a device and controller exchange keys when joined all network traffic is encrypted.
    - Z-wave is not TCP/IP or WiFi, so the only thing really vulnerable is the Controller which likely is on an Internet connected network.

    Of course, if you use a Z-wave controller that can be controlled over the Internet or updated with unsigned firmware remotely... well, just don't do that. Mkay.