04
Jan 17

The FTC’s Internet of Things (IoT) Challenge

One of the biggest cybersecurity stories of 2016 was the surge in online attacks caused by poorly-secured “Internet of Things” (IoT) devices such as Internet routers, security cameras, digital video recorders (DVRs) and smart appliances. Many readers here have commented with ideas about how to counter vulnerabilities caused by out-of-date software in IoT devices, so why not pitch your idea for money? Who knows, you could win up to $25,000 in a new contest put on by the U.S. Federal Trade Commission (FTC).

Electronics giant LG said at the Consumer Electronics Show (CES) today that all of its devices from now on will have Wi-Fi built in. Image: @Karissabe

Electronics giant LG said today at the Consumer Electronics Show (CES) that all of its appliances from now on will have Wi-Fi built in and be connected to the cloud. Image: Mashable

The FTC’s IoT Home Inspector Challenge is seeking ideas for a tool of some sort that would address the burgeoning IoT mess. The agency says it’s offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for as many as three honorable mention winner(s).

The FTC said an ideal tool “might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network, or it might be an app or cloud-based service, or a dashboard or other user interface. Contestants also have the option of adding features such as those that would address hard-coded, factory default or easy-to-guess passwords.”

According to the contest’s home page, submissions will be accepted as early as March 1, 2017 and are due May 22, 2017 at 12:00 p.m. EDT. Winners will be announced on or about July 27, 2017.

I’m glad to see the FTC engaging the public on this important issue. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates. If only a fraction of these new IoT devices are shipped with sloppy security defaults — such as hard-coded accounts and passwords — the IoT problem is going to get a lot worse in the coming years.

Tags: , , , , , ,

58 comments

  1. Tiny IOT devices mostly lack a way to reliably update multiple times without bricking – they lack the more sophisticated dual memory bank features and being 100% assured that power won’t drop during an automatic update when they are reprogramming themselves. More sophisticated devices include a number of features to prevent the embarrassing and expensive brick situation.

    • I find bricks pretty useful for construction.

      • Seriously. That is the only possibly effective solution and I am sure it already exists in some form. Simply, probe the entire net for insecure devices and then brick them. When customers complain, point them to the manufacturer and retailers for restitution. This is a national security issue and therefore the inconvenience and cost to consumers should be removed from the equation.

        • Blindly bricking internet-connected devices is a very bad idea.
          Given that many of those devices are likely to be industrial control systems or SCADA devices, you would cause grave harm to people, en masse.
          Vehicles, medical devices etc, would also fall into the same category, but only harming an individual or a small number of people rather than a complete neighborhood, city or region.

          • I agree that bricking all devices en masse is a bad idea. However, I think it would be easy enough to distinguish vulnerable video cams, such as the ones used in recent DDOS attacks, and similar devices from SCADA devices. That latter need to be address in different ways, such as a warning letter to the owner to have vulnerable devices repaired or replaced within a certain time period.

  2. I have just the tool, it is a swift knee in the guts to anyone who thinks mass IoT can ever or will ever be a good idea.

  3. Simple, a device that surges voltage through the IoT device… never will be a security issue again.

  4. I don’t think the solution is to have the consumer buying a tool to cover up sloppy design and have the consumer paying to maintain the tool.

    The FTC should forbid companies from selling device which contains IoT features unless they comply with a list of specifications and they have a mechanism for automatically correcting any flaw discovered, to provide at least 5-10 years of free support for security issues, and issue huge penalties for not fixing issues in a timely manner. Then, lazy companies would have to shell out the big bucks to repair their mistakes if they are not careful enough. Some companies would come and go, but many names that would like to build brand recognition would have to adapt.

    There could be different specs for different devices. For example, a good starting point for routers specs could be Michael Horowitz routeursecurity.org checklist.

    And while we’re at it, why not chart some privacy’s requirements as well to prevent things like Samsung listening to your private living room conversations so you can turn on your tv with your voice?

    • So basically you want the guberment to mandate that effectively every IoT device will cost at least $3000… hmmm… you know… you could actually spend that much already NOW on quality devices and not buy the cheap $30 garbage you keep buying!!!

      • Not exactly.

        For example, a commercial Peplink router can be had for 180$ and they fix security issues (not that I want to advertise this specific company). I’m sure that companies could do it properly instead of focusing on bloat.

        And since no home router has been better in terms of security than the home router I bought 14 years ago (not a Peplink), I still use it.

        Last thing is do we really want the world to be filled with garbage cheap insecure products that facilitates hackers’ entry into your house and attack others as well as stealing your things?I think most people would think not but they just don’t know how bad this situation can be when they buy that stuff.

        This is the role of government. When used well, rules can make the ground equal for all companies so they have to follow minimum requirements before competing on price. This is capitalism at its best. Competition but with some specs for quality. If you don’t do that, you end up with the current mess we have with every company selling your personal data and providing you cheap or 300$ routers with bloat that are not even secure.

        Since you seem interested in economics, I suggest you read the excellent book from the former chief economist of the World Bank Joseph Stilglitz “Globalization and its discontent”. Maybe it could help you see things in a different light.

        And sorry for the wrong link. Yes, I am native French speaker so my mistake.

        • Don’t worry about your spelling. My wife was brought up speaking four languages. You should see what happens when she types in Word or any other tool with a spell checker.

      • Government agencies control and regulate food quality standards to keep us relatively safe and a steak doesn’t cost $3000 (yet).
        Government agencies also control and regulate clothing safety standards and a hoody doesn’t cost $3000 either.
        Regulation and enforcement does not need to be overly difficult and expensive, so your statement is invalid.

    • Bad URL. The “French” spelling of router doesn’t work, but http://www.routersecurity.org does.

    • “The FTC should forbid companies from selling device which contains IoT features unless …”

      That would cover the U.S., but not the rest of the world.
      Plenty of devices to commandeer in other countries.

      • I agree, but the US is often an inspiration to the rest of the world. If the U.S. citizens are at least protected from that garbage inside their house, that is at least a first win.

        Then, other countries might follow.

        Also, it might not be expensive for companies to deploy the technology to all products once developed. It is just cheap electronic. They could have a hard reset switch in case of power loss that would restore a basic firmware used only to update to the latest firmware or something like that. There’s plenty of things that can be done and once the system is in place, I don’t think it would add that much to the cost.

    • I like this argument. It would make the companies compete on an equal footing to create a secure device with support. Moreover, it reduces the amount of waste of devices going obsolete and being thrown in the garbage every couple of years. Basically, the most efficient companies that build a quality device will win, which is what an ethical capitalistic economy should be about. Sure, there will be higher costs, but it probably cheaper overall for society than having products being garbage every couple of years and the cost of an insecure internet.

  5. Antonio De Vido

    Thanks for the info Brian Krebs

  6. There is no one solution to combat every single IoT device. There are tons of proprietary IoT devices and not to mention the biggest problem is the lack of user awareness that the device is vulnerable. A lot of companies rarely issue security alerts regarding their devices although this has been changing in recent years a lot of companies still avoid disclosing to customers. Companies tend to lax on issuing patches to resolve these issues and then it falls on the customer to make sure the device is update. That and the fact most IoT devices treat security as an after thought. It is evident now that IoT devices are a prime resource for botnets and until companies and customers work together towards securing their devices the trend of using IoT devices in botnets will simply continue to rise.

  7. One easy partial fix step is to get on the config for one’s home modem and DISABLE any UPnP capabilities. That would prevent devices on the inside from creating holes in the modem’s firewall.

    Of course, that doesn’t help when the modem itself is an attack surface with a public-side hard-coded password on an interface that does not , but that’s why I called it a “partial” fix step.

    If inside devices are able to punch themselves through the NAT without the user’s knowledge, that’s an issue.

    If users need to create port non-standard port forwards in order to see their house cameras from outside the internet, then users need to LEARN how things work and configure these things themselves. We cannot afford lazy convenience but must learn to think and understand how our devices function. That’s the price of having devices and luxuries, such as being able to see inside one’s house to know if a burglar is present. (Seriously, that’s a luxury, not a standard of living we should expect.)

    If one’s modem (router) does not allow disabling of UPnP, then it’s time to think about another model or getting a separate firewall–another expense that not all can afford. It is the customer’s responsibility to learn and configure their devices for proper use. What really steams me more than the deliberate laziness of most customers, but that the Chinese company that made this stuff undermined the security of diligent and capable customers while selling “convenience.”

    • SORRY for the big edit error in there. I got a phone call. I was typing about a hard-coded password and meant to finish the statement, “…on an interface that does not obey the user’s configuration, but that’s why I called it …”

      “Interface” in that statement is in the networking sense, the hardware “jack”, not in the sense of a “web interface” such as the user sees for configuration.

  8. IRS iTUNE cards (real)

    Not every bloody thing should be connected to the internet, period

  9. It is very simple really, just stop using them. Do you really need to be able to turn on a light globe at home whilst sittng at your desk, or to see a live shot of your dog whilst it has a drink??

  10. IoT should not speak TCP/IP. Development efforts in the late 1960s and early 1970s created the TCP/IP protocol, which was originally designed to allow smaller local networks to communicate between short distances in ways they had never before. However at the time of its inception, reliability was the only concern as the idea of security was a man with a machine gun guarding the facility. Despite being an incredible development, as a result we are left with a protocol that is incredibly reliable, yet inherently unsecure as trusted identities was not part of the design. This has led to today’s environment, where components are bolted-on for security, rather than baked in from the start. And given the number of data breaches we see in the headlines, we can all see how that’s working out. The time has more than come to re-evaluate the Gremlin of Internet protocols, TCP/IP. The Internet Engineering Task Force recently approved a standard-track network security protocol: The Host Identity Protocol, which many in the IETF community recognize as the next big change in IP-architecture. The protocol has been under development for nearly 20 years, in coordination with standards bodies, as well as many large corporations (Verizon, Ericson, Yokogawa, etc.). HIP is an alternative encryption technology that was first deployed within the defense and aerospace industry, where nation-state attacks occur every hour. Specifically designed to be secure by default, HIP shifts the network trust model completely, by introducing trusted cryptographic identities within any network.

    • I like your idea the best. Almost run IOT devices over a different network. Obviously the same physical network, but a different virtual network with different and secure protocols.

      Access to the IOT data is from the cloud not directly from the IOT device to your PC (or via the router).

      An independent organisation(s) provides certification that the IOT meets certain security requirements. Consumers are educated to choose the IOT products with certification and are made aware of the risks of buying IOT devices without the certification.

      • A separate network for IoT devices would really not work, as most of these devices are meant to communicate with your smartphone or desktop/laptop, which needs to be on the same network (subnet). And virtual networks, which I assume you mean VLANs, are no substitute for security whatsoever. VLANS do not provide any security.

      • Not necessarily a “second network”, but a second radio added to IoT devices can provide a means for two-factor authentication, security audits, kill switches, and more. Newer LPWAN radios with 1-2 mile range limit access to the second radio from outside that range, while newer low power networking protocols can assist in masking SSIDs and managing WiFi devices. Comments welcome on a new piece published here: http://bit.ly/iotkillswitch

  11. I think once people read the rules and other requirements that the FTC is imposing on the contestants to enter their submissions will limit it to lawyers only. They even impose an age limit of 18. I’m well past that but have known a number of young teenagers fully capable of coming up with ideas worthy of consideration.

    While the FTC’s contest is a good idea – it’s a lousy implementation and will discourage a great many from submitting their ideas.

    A better way for the contest may be a collaboration effort by finalists that are selected by experts in the cyber-security field. Then have the final proposal(s) awarded to technical educational facilities to optimize the solutions and make them into viable open-source products. I doubt there ever will be a single, viable solution (other than turning the internet off) that will solve this IoT dilemma.

    Making it an open-source solution puts the power of many behind the maintenance of the solutions that do bubble to the top.

    Not the best idea in the world perhaps but I think it’s a better approach than what the FTC is doing – lawyering a contest…!

  12. “They even impose an age limit of 18. I’m well past that but have known a number of young teenagers fully capable of coming up with ideas worthy of consideration.”

    That might be a problem of legality: entering into a contract with a minor (providing a service for a fee is a contract).

  13. Chip manufacturers be advised that IoT hardware which operates in an insecure manner may in near future become illegal. Advise companies such as Digikey that the sale of such items may carry penalties to the re-seller. Federal bounty for each IoT device discovered sending out HTTP traffic combined with legal action taken against the top 100 reported business entities responsible for the sale of such hardware.

  14. Up to $25,000 for a technical solution to a problem that could cost hundreds of millions of dollars… I’m sure the brightest of minds will be racing each other to claim that prize!

    • It is not just the prize.
      Many manufacturers might utilize the solution, bringing considerable license/royalty fees to the inventor.

      • The abstracts are public but valuable details in the longer submission can be kept private. If you are worried about exposing valuable intellectual property, please know that the longer fifteen page submissions will not be made public. The authors also retain the right to publish, is they want to.

        Thanks for your thoughts on the contest.

  15. Although there are many possible solutions doesn’t it seem likely that the problem will grow until the bulk of the DDOS volume is throttled or cut off through the IoT device’s household connection, either web filtering routers or the ISPs.

  16. Help is on its way.

  17. My suggestion:

    Replace the FTC with a government agency that actually does its job for once.

    I await your $25,000.

  18. I wonder if this “solution” is a one time thing, or will it require the “winner” to provide updates to the tool.

    Additionally, some countries may take offense to another country scanning for vulnerabilities.

    Let’s hope the tool will be used for identifying and contacting them through certified mail the owner(s) of these devices.

    One can hope that this bundle of information will not used a potential entry to “suspect networks”.

    It’s a mess. Hopefully it can be cleaned up quickly. The government should set up grant money to organizations that will certify IoT type devices and any upgrades. These certified IoT devices could be listed on a gov website and have a recognizable seal on the outside of the box. It may not be the cheapest solution, but in the long run, its less investigation and cleanup.

    Or, Get the can of RAID !

  19. For starters can we simply ban the use of the telnet protocol? It’s sadly still used by many IoT and router manufacturers. Port 23 is the always the most probed port on my firewall.

  20. The flood of SoC based IP connected devices can’t be stopped. IP cams for $20, routers for $10, connected thermostats, toasters, etc. Many of the people who sell them don’t care where the OS image comes from as long as it works. More often than not cheap and convenient trumps quality and security. On top of that the USA can’t regulate the world. IMO the carriers should bear some responsibility for the traffic from devices connected to THEIR networks. The technology exists now and the carriers have the means to detect and manage the rogues.

  21. We can’t blame ordinary non-technical consumers for not updating their devices when a surprising number of techies refuse to apply Windows updates to their Windows XP systems. A quick search with Shodan reveals similarly old VAX VMS systems exposed on the internet.

    @Joe – price is not a determinant of quality. Samsung produced a high-end “smart” fridge that included an insecure SMTP server which hacked to send SPAM. Therefore you must arguing for the creation of some organization to classify products by quality. Inevitably such an organization will not cover all products, especially the bright, shiny new ones. If it’s private or a non-profit, it will charge a subscription fee for the information, leading to less than total accessibility. If it’s a government organization, companies (and politicians) will complain about the government picking winners and losers. I believe the same kind of regulatory framework that applies to radio transmitters will be needed.

    @Matt Senechal – while the idea sounds attractive, it has been shown repeatedly that it doesn’t work. There will always be bridges between protocols. That’s how viruses get from a PC to a SCADA system. Just look at the bridge devices being sold to consumers today, linking legacy X10, Zigbee, Z-wave, Bluetooth and TCP/IP.

  22. I am dismayed that in my career of designing, integrating, and maintaining SCADA and DCS/PLC-ish systems for decades, that we keep seeing people make the same damned mistakes over and over again.

    IoT offers NOTHING that conventional industrial protocols didn’t already have. What it does have a massive marketing campaign around it so that people who had never seen these concepts before would think they understand them and could then build shoddy systems around them.

    It has been a disaster in the making. And now, lo and behold, we discover that the S in Iot stands for security (I stole that tweet from several months ago). In other words, it was designed for a trusted environment and, like most real time systems, should never have been exposed to the internet.

    I wish these moguls who perpetrated IoT had done a little bit more basic research. Those of us who have been designing with these concepts since before the ARPA-net existed (!) might have been able to ward off some of the larger mistakes they made.

    But the mess is everyone’s now. It’s part of the Internet. And now they’re looking for a band-aid to patch a sucking chest wound. Good luck with that.

  23. Honestly, the only REAL solution to the IOT mess is at the SOHO router level.

    The first component is a separate IOT VLAN with all internet access blocked by default.

    The second is a standard JSON API for IOT devices to request internet access, limited to specific addresses and ports only. This would then pop-up on the router UI, and the user would need to affirmatively accept the request.

    That’s how I have my home IOT devices routing today. I configured a separate VLAN and only granted access when absolutely necessary. For example, one of my wifi power switches needs NTP access to turn on/off my lights on a timer. I specifically granted that one power switch access to a single NTP server on port 123, and everything else is blocked by default.

    Implementing my idea is tough, though. There are just so many devices out there, and so many router firmwares, and getting them all to agree on a standard seems a herculean task. I just can’t think of any other solution that has a chance of _working_.

  24. Well thought-out standards are the best bet.

    I am still chafed by the contest that aimed at fixing the spam phone call problem. It resulted in NoMoRobo for cell phone users but absolutely nothing for landline users.

  25. If the FTC follows the same judging as the Robocall Challenge, the submitted ideas will be judged on three parts:

    Does it work? (50 percent); Is it easy to use? (25 percent); and Can it be rolled out? (25 percent).

  26. IMO most of these comments makes me wonder if anybody actually went to the FTC website.

    They (FTC) are asking for someone to design a vulnerability scanner for IoT that consumers can easily use.

  27. Make a IoT device to check for updates on other IoT devices and becomes compromised itself…

    So what about products like Nest cam. It has no web interface that I can tell. Would it be a possibility of being hacked?

  28. You know what I could totally win that contest but I won’t enter because I’ve really no use for that kind of money. Oh well hopefully there’s someone out there could do at least half as decent a job as I could.

  29. In fact, it is a bit less bad if it was a website you can go for free, maintained by the FTC, that anybody can use to know which of their devices are problematic. It could just scan the network for vulnerabilities and report the problems to the user. Then, the users could call the company that sold this piece of crap and try to have them fix them. It would probably end up in lots of frustrated consumers and some that would just give up, but at least, they would be aware that their expensive tv with integrated webcam is insecure and maybe they would think twice before connecting it.

    The tool would have to be maintained but there are so many devices it could also give a false sense of security if your device is not identified as problematic, but it is just because it is not known enough.

    The tool would also have to check so many things like has the default admin password been changed on your router to prevent access from the internal network on a compromised device, is the encryption used by the device good enough, does it accepts insecure certificates, etc.

    The problem with that solution is that it would be quite intense and costly to maintain and the cost would be carried by the government and not the companies that produces the crap. Some countries have this idea that if a company produce a cost, they need to embed this social cost in their product when they sell it. When you think about it, it helps prevent a lot of waste because the cost is not carried by the customer and the government (so ultimately the customer) instead of the company. Of course, costs end up being paid at least in parts by the customer, but the playing field is leveled for competition and the social costs are reduced for those who don’t buy the problematic product.

  30. some internet product requirements:

    all manufacturers selling internet facing devices to change all access credentials where access can be achieved over the network enabled 8nterfaces.

    alll devices will ship with a means(cd or link) to download and restore the device c9nfiguration to factory default via consumer device data interfaces…over enet or usb vs a port on the pcb.

    after thats its on the user..

    with that…on forst power firmware shall require the user to configure a password/login.

    even then you cant fix stupid with camera/camera type selections but not sure you can do more then that with incurring significant cost thatw would be passed t9 the user.

Leave a comment