FTC Announces $25,000 Internet of Things Security Challenge

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
The FTC wants your ideas on how to make IoT devices more secure and they are offering a cash prize of $25,000. I don't think they liked my "quit hooking refrigerators and toasters to the internet you idiots" submission.

The Federal Trade Commission announced today that it is challenging the public to create an innovative tool that will help protect consumers from security vulnerabilities in the software of home devices connected to the Internet of Things. The agency is offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for up to three honorable mention winner(s).
 

cyclone3d

[H]ardForum Junkie
Joined
Aug 16, 2004
Messages
13,255
And then they will take the idea they paid $25,000 for and make BILLIONS off of it.

Yeah, not even worth my time.
 

tazeat

[H]ard|Gawd
Joined
Jul 3, 2007
Messages
1,256
Thats a bit vague... with what required functionality? "secure" against what threat vectors?
 

JosiahBradley

[H]ard|Gawd
Joined
Mar 19, 2006
Messages
1,763
"Public key"

Make the check payable to cash, morons.
You beat me to it. Encrypt everything and require basic authentication checks. TLS does everything we need here, why can't it just be required to get certification. Each device gets issued a certificate generated and signed by the manufacturer. Make sure connections use PFS to prevent key database leaks from being a problem. Each user upon buying the device and setting it up enters their public key and locks it down to them so only they can update things. All the technology exist already it's the fucking cheapskates business idiots that run companies that don't want to implement this.
 

MV75

[H]ard|Gawd
Joined
Nov 13, 2007
Messages
1,025
Now, they'll all be wireless, so I suggest a faraday cage around them. Done.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,703
After playing follow the click trail, found the actual contest rules. They appear to require a video presentation as one of 3 submission parts. So your "How to make IoT more secure." entry requires a Youtube video, 5 minutes or less. This is going to turn out well.
 

auntjemima

[H]ardness Supreme
Joined
Mar 1, 2014
Messages
5,636
The only real way to do network security:
Blacklist all by default.
Whitelist as needed.

Where's my 25k?
Pretty much. I've always blocked all MAC addresses on my routers and all the devices in manually.
 

i960

Limp Gawd
Joined
Jul 13, 2005
Messages
335
What others have said. In addition, completely remove (don't just disable) services that are not required for an IoT device. That means NO telnet or SSH or FTP of any kind, no UPnP, no cloud integration. The damn thing should not be able to connect out to the internet on it's own, ever. Also, no default passwords that can't be changed, and make changing the password a required step before it will operate. I get that removing these things will also not allow for some services that people want, but boo hoo. This whole bullshit about uploading everything to the "cloud" by default needs to go away.
 

PhaseNoise

2[H]4U
Joined
May 11, 2005
Messages
2,360
I get asked by relatives why I don't have IoT crap even though I'm an engineer and into technology.

Because I'd rather have a heater that works 100% of the time when I walk over and turn it on. Get a top of the line 50 dollar Honeywell thermostat with timers, and it will work forever, no botnet, no russian teens turning off your heat.
 

MV75

[H]ard|Gawd
Joined
Nov 13, 2007
Messages
1,025
I get asked by relatives why I don't have IoT crap even though I'm an engineer and into technology.

Because I'd rather have a heater that works 100% of the time when I walk over and turn it on. Get a top of the line 50 dollar Honeywell thermostat with timers, and it will work forever, no botnet, no russian teens turning off your heat.
Yes it's like they don't click to the obvious and think "Hang on, this guy is into tech and an engineer yet doesn't use this stuff, there must be a good reason not to, maybe we should ask why is he not using it instead of why not is he using it".
 

PaulP

Gawd
Joined
Oct 31, 2016
Messages
776
They want "a tool". Wrong approach. There is no magic bullet for this. A good start would be to have something like the UL which tests and certifies IoT devices to meet basic minimum security requirements. Like not having open ports/services that aren't needed. Like not having trivial logins and passwords for needed services. Let's eliminate the low hanging fruit that comprises 90% of all the intrusion vectors first. Then we can start talking about "tools".
 
Top