Admittedly, patching existing connected devices in the wild is easier said than done. But that’s not deterring the Federal Trade Commission from soliciting help in finding a solution.
The U.S. government agency today announced the kickoff of the FTC IoT Home Inspector Challenge, a prize contest open to the public with the goal of coming up with a patching solution fit for consumer-grade connected devices used in the home.
For some devices, any solution coming out of this contest is an instant upgrade since automated update systems are largely non-existent. Entrants have until May 22 to submit a detailed paper explaining a tool that consumers can use to protect devices running vulnerable software. Winners will be announced around July 27, and the FTC said it will award a top prize of $25,000; honorable mention submissions will earn $3,000.
Ruth Yodaiken, data protection attorney with the FTC’s division of privacy and identity protection, said the agency as far back as 2013 has been concerned with the security of homebound Internet of Things devices. In the past, it has taken action against some companies for a lack of security mechanisms and protection in devices. This contest, the fourth to be held under the America COMPETES Act of 2007, represents a shift toward bringing tangible protection to consumers.
“We’re looking for a really detailed paper where you spell out development of the tool and explain to our experts how you would address this problem,” Yodaiken said. “This is open to all sorts of people. What’s nice about these challenges is that sometimes we get a person who is not focused on this area, but has got skills and turns their sights toward protecting consumers in the home and can come up with something exciting and innovative.”
Yodaiken said the challenge was in the works prior to last October’s massive IoT botnet-fueled DDoS attacks against Dyn and other web-based services. Those attacks, she said, reinforced the importance of securing connected devices.
“There was a lot of talk beforehand about how these devices are vulnerable to attack,” Yodaiken said. “After the attacks in October, this was elevated because devices in consumers’ homes were involved.”
“I would characterize this as a challenging environment and we have to bite off just a corner of it for now,” Yodaiken said. “The genie is out of the bottle and we now see what can happen when you add connectivity to devices. We are hoping this spurs new thoughts.”
The FTC today published extensive rules and details on the submission process. Entries should focus on patching, and the agency also singled out the problem posed by hard-coded default or weak passwords such as those guarding devices exploited by the Mirai malware.
Contestants will be asked to also produce a short video demonstrating how the tool works, along with a detailed paper.
“Such a tool might be a physical device that the consumer adds to his or her home network that checks and installs updates for other IoT devices on that home network. It might be an app or cloud-based service that allows consumers to submit IoT device model numbers, and, based on that input, provides information on how the consumer can install updates,” the FTC said. “A dashboard or other user interface might inform the consumer about which devices were up-to-date already, those that had unpatched software vulnerabilities, and even those that the manufacturer no longer supported.”