The FTC has decided that IoT security is in such bad shape that the best alternative is to offer the public a $25,000 reward for help fixing it. The commission is sponsoring a new contest that asks people to submit innovative ideas for improving the update process for IoT devices, which is virtually non-existent for many devices right now.
The IoT Home Inspector Challenge is the FTC’s way of soliciting new ideas from the general public, who are the ones using these devices, after all. Rather than asking for any kind of new security technology for IoT devices, the FTC is looking specifically for ways to make the software update process better. That’s a pretty low bar, given that many embedded devices either don’t allow for software updates or the manufacturers just don’t send them out.
That lack of security fixes has made life much easier for attackers building botnets such as Mirai and Leet that are made up of compromised IoT devices. Many times, the malware used in these attacks targets old vulnerabilities or default credentials, issues that could be fixed by software updates. The FTC’s contest will consider any kind of mechanism that addresses the software update problem, including a separate hardware device, an app, or some kind of dashboard.
“Every day American consumers are offered innovative new products and services to make their homes smarter,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Consumers want these devices to be secure, so we’re asking for creativity from the public – the tinkerers, thinkers and entrepreneurs – to help them keep device software up-to-date.”
The top prize for the contest is $25,000, with up to three honorable mentions getting lower cash awards. The deadline for entries is May 22, and a maximum of 20 contestants from the first round will be selected for the second round. The entries will be assessed by a panel of five judges, including two computer science professors, two security researchers, and a deputy director from NIST.
“An ideal tool might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network, or it might be an app or cloud-based service, or a dashboard or other user interface. Contestants also have the option of adding features such as those that would address hard-coded, factory default or easy-to-guess passwords,” the FTC said.
Image: Rojer, CC By license.