Vulnerabilities / Threats

1/4/2017
04:18 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FTC Launches Contest For Technology Tool To Protect Home IoT Devices

IoT Home Inspector Challenge will award $25,000 for best proposal

The massive denial-of-service attacks on DNS provider Dyn and other organizations late last year hammered home the danger posed to businesses and the Internet as a whole from poorly protected consumer IoT devices. Now, the US government wants the public’s help in addressing the problem.

The Federal Trade Commission (FTC) on Wednesday said it would award up to $25,000 to any individual or group of individuals who propose a way to properly protect home devices that connect to the Internet of Things, against security threats.

The FTC’s IoT Home Inspector Challenge is designed to encourage development of a technology tool that, at a minimum, would be capable of addressing security vulnerabilities caused by out-of-date software in consumer IoT devices.

An ideal tool, according to the FTC, would be something—either hardware or software—that consumers could add to their home network to check for and install updates on any connected IoT device that might require it. Contestants have the option of adding other features to their tool if they want to, including those that would address problems stemming from the use of hardcoded or default passwords in IoT products.

The competition is not restricted to physical devices. Cloud-based applications and services that help consumers manage security vulnerabilities in IoT products will also be eligible for the FTC’s $25,000 reward. Similarly, any user interface or dashboard that informs consumers about IoT devices on their home network that are properly patched, require updates, or are no longer vendor-supported will also be considered for the award.

“Every day, American consumers use Internet-connected devices to make their homes ‘smarter,’" said the FTC in a document describing eligibility requirements and the rules of the contest.

“While these smart devices enable enormous convenience and safety benefits, they can also create security risks,” it said, pointing to last year’s attacks. “With this Contest, the FTC seeks to encourage the development of a technical tool to assist consumers with ensuring that IoT devices in the home are running up-to-date software.”

The FTC's initiative comes amid heightening concerns over security vulnerabilities in many of the home products that people have begun connecting to the Internet, such as smart fridges, webcams, printers, and home entertainment and security systems.

The Mirai distributed denial-of-service attacks on Dyn and others last year demonstrated how easily threat actors could take advantage of these vulnerabilities to assemble massive botnets for attacking large enterprises, including those in critical industries.

Concerns over the trend prompted the Secretary of the Department of Homeland Security Jeh Johnson to recently describe IoT security vulnerabilities as posing a national security threat and requiring an immediate response from all stakeholders.

“The recent botnet attacks have raised the profile and risk visibility,” of the IoT, says Lancen LaChance, vice president of product management, IoT for GlobalSign. The initiative shows how agencies like the FTC have realized that fines and guidance for companies alone aren’t the only way to address the security risks of home automation, he says. “A successful outcome from this initiative will help move the consumer away from being a victim and provide them with tools to protect themselves.”

Several products already exist or are quickly becoming available for securing new IoT devices in the enterprise. Many of them fall under an emerging category of so-called IoT connection security tools that are designed to help organizations detect and monitor IoT devices for security issues. But few similar tools are available to consumers currently.

When security patches and firmware updates are available for a home IoT device, few consumers know where to find them or install them says T. Roy, CEO of IoT Defense Inc. a company that sells a product designed to protect routers against Mirai-like threats. Often, the only real recourse for consumers is to discard a vulnerable IoT device and purchase a new one instead, he says.

The FTC’s new initiative reflects the concern in Washington over the potential for insecure home devices to cause widespread disruption on the Internet and critical infrastructure, he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...