FTC Announces $25,000 Internet of Things Security Challenge

H

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
The FTC wants your ideas on how to make IoT devices more secure and they are offering a cash prize of $25,000. I don't think they liked my "quit hooking refrigerators and toasters to the internet you idiots" submission.

The Federal Trade Commission announced today that it is challenging the public to create an innovative tool that will help protect consumers from security vulnerabilities in the software of home devices connected to the Internet of Things. The agency is offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for up to three honorable mention winner(s).
 
And then they will take the idea they paid $25,000 for and make BILLIONS off of it.

Yeah, not even worth my time.
 
Thats a bit vague... with what required functionality? "secure" against what threat vectors?
 
RYkA.jpg

where's my 25k?
 
Retronym said:
"Public key"

Make the check payable to cash, morons.
Click to expand...
You beat me to it. Encrypt everything and require basic authentication checks. TLS does everything we need here, why can't it just be required to get certification. Each device gets issued a certificate generated and signed by the manufacturer. Make sure connections use PFS to prevent key database leaks from being a problem. Each user upon buying the device and setting it up enters their public key and locks it down to them so only they can update things. All the technology exist already it's the fucking cheapskates business idiots that run companies that don't want to implement this.
 
Now, they'll all be wireless, so I suggest a faraday cage around them. Done.
 
After playing follow the click trail, found the actual contest rules. They appear to require a video presentation as one of 3 submission parts. So your "How to make IoT more secure." entry requires a Youtube video, 5 minutes or less. This is going to turn out well.
 
/usr/sbin said:
The only real way to do network security:
Blacklist all by default.
Whitelist as needed.

Where's my 25k?
Click to expand...

Pretty much. I've always blocked all MAC addresses on my routers and all the devices in manually.
 
What others have said. In addition, completely remove (don't just disable) services that are not required for an IoT device. That means NO telnet or SSH or FTP of any kind, no UPnP, no cloud integration. The damn thing should not be able to connect out to the internet on it's own, ever. Also, no default passwords that can't be changed, and make changing the password a required step before it will operate. I get that removing these things will also not allow for some services that people want, but boo hoo. This whole bullshit about uploading everything to the "cloud" by default needs to go away.
 
I get asked by relatives why I don't have IoT crap even though I'm an engineer and into technology.

Because I'd rather have a heater that works 100% of the time when I walk over and turn it on. Get a top of the line 50 dollar Honeywell thermostat with timers, and it will work forever, no botnet, no russian teens turning off your heat.
 
PhaseNoise said:
I get asked by relatives why I don't have IoT crap even though I'm an engineer and into technology.

Because I'd rather have a heater that works 100% of the time when I walk over and turn it on. Get a top of the line 50 dollar Honeywell thermostat with timers, and it will work forever, no botnet, no russian teens turning off your heat.
Click to expand...

Yes it's like they don't click to the obvious and think "Hang on, this guy is into tech and an engineer yet doesn't use this stuff, there must be a good reason not to, maybe we should ask why is he not using it instead of why not is he using it".
 
They want "a tool". Wrong approach. There is no magic bullet for this. A good start would be to have something like the UL which tests and certifies IoT devices to meet basic minimum security requirements. Like not having open ports/services that aren't needed. Like not having trivial logins and passwords for needed services. Let's eliminate the low hanging fruit that comprises 90% of all the intrusion vectors first. Then we can start talking about "tools".
 
You must log in or register to reply here.
Back
Top