The Federal Trade Commission (FTC) wants the public to take a crack at developing tools to improve security around Internet of Things (IoT) devices.
Specifically, the FTC is hosting a competition challenging the public to create a technical solution that would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.
The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s). Winners will be announced on or about July 27. The submission deadline is May 22 at noon eastern time.
Security experts have long predicted threats targeting everyday home devices connected to the internet. The threat was made plain last fall when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the the Domain Name System (DNS). That attack crippled such major sites as Twitter, Paypal, Netflix and Reddit.
For 2017, Sophos predicts a rise in threats against devices that are part of the IoT. James Lyne, global head of security research for Sophos, discussed the threat in a recent interview that aired on CNBC’s On the Money.
“The sharks have smelled the blood in the water and they’re now circling to use your IoT device for further attacks,” Lyne said.
Mirai’s attacks exploited only a small number of devices and vulnerabilities and used basic password-guessing techniques, Lyne said. But bad actors will find it easy to extend their reach because there are several IoT devices containing outdated code based on poorly-maintained operating systems and applications with well-known vulnerabilities.
That being the case, he said to expect many more IoT exploits, better password guessing and more compromised IoT devices being used for DDoS or perhaps to target other devices hooked to larger networks.
If the FTC contest is any indication, the threat is now firmly on the mainstream radar.
Alan Robertson
Hmm, let me guess, an “IoT thingy” connected to a “mega-super-cyber-cloud-protector-malware-squishing-anti-spyware-majig”. Which effectively does a great job at spying on your every activity for the Feds when subpoenaed / sold for profit to advertisers, but hey, “Your Protected!”
All you need to do is look back at history: Ballmer said Windows XP was really secure and your average hacker laughed. Then along came all the av vendors and proclaimed “we’ll protect you” only to fail spectacularly at the first zero day…. AV vendors made a fortune at Microsoft’s failure to protect the OS properly in the first place.
Why do we always look at devices that need protecting retrospectively, when we should be protecting the device properly in the first place? How about:
a) Unique login credentials per device.
b) Restrict what the device can and cannot do over the network – simple Firewall rules.
c) Rate limit data requests – do you really need to send excessive pings on any network?
d) Build the base OS on something that will be automatically updated – Linux springs to mind.
e) Make sure the device runs with reduced admin rights.
f) No back doors.
I’m sure most of your readers could add to this, but the bottom line is raise the bar with security with regard to the internet of things rather than trying to polish a turd that was cheap to make and has poor security. Perhaps we need a standard which the device has been tested against – independently audit them and accredit accordingly. Additionally, fine companies when they are negligent with security – if you are going to make a device that is front facing to the internet and it is involved in a DDos attack then send them the bill to mitigate the attack.