Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/4/2017
04:18 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FTC Launches Contest For Technology Tool To Protect Home IoT Devices

IoT Home Inspector Challenge will award $25,000 for best proposal

The massive denial-of-service attacks on DNS provider Dyn and other organizations late last year hammered home the danger posed to businesses and the Internet as a whole from poorly protected consumer IoT devices. Now, the US government wants the public’s help in addressing the problem.

The Federal Trade Commission (FTC) on Wednesday said it would award up to $25,000 to any individual or group of individuals who propose a way to properly protect home devices that connect to the Internet of Things, against security threats.

The FTC’s IoT Home Inspector Challenge is designed to encourage development of a technology tool that, at a minimum, would be capable of addressing security vulnerabilities caused by out-of-date software in consumer IoT devices.

An ideal tool, according to the FTC, would be something—either hardware or software—that consumers could add to their home network to check for and install updates on any connected IoT device that might require it. Contestants have the option of adding other features to their tool if they want to, including those that would address problems stemming from the use of hardcoded or default passwords in IoT products.

The competition is not restricted to physical devices. Cloud-based applications and services that help consumers manage security vulnerabilities in IoT products will also be eligible for the FTC’s $25,000 reward. Similarly, any user interface or dashboard that informs consumers about IoT devices on their home network that are properly patched, require updates, or are no longer vendor-supported will also be considered for the award.

“Every day, American consumers use Internet-connected devices to make their homes ‘smarter,’" said the FTC in a document describing eligibility requirements and the rules of the contest.

“While these smart devices enable enormous convenience and safety benefits, they can also create security risks,” it said, pointing to last year’s attacks. “With this Contest, the FTC seeks to encourage the development of a technical tool to assist consumers with ensuring that IoT devices in the home are running up-to-date software.”

The FTC's initiative comes amid heightening concerns over security vulnerabilities in many of the home products that people have begun connecting to the Internet, such as smart fridges, webcams, printers, and home entertainment and security systems.

The Mirai distributed denial-of-service attacks on Dyn and others last year demonstrated how easily threat actors could take advantage of these vulnerabilities to assemble massive botnets for attacking large enterprises, including those in critical industries.

Concerns over the trend prompted the Secretary of the Department of Homeland Security Jeh Johnson to recently describe IoT security vulnerabilities as posing a national security threat and requiring an immediate response from all stakeholders.

“The recent botnet attacks have raised the profile and risk visibility,” of the IoT, says Lancen LaChance, vice president of product management, IoT for GlobalSign. The initiative shows how agencies like the FTC have realized that fines and guidance for companies alone aren’t the only way to address the security risks of home automation, he says. “A successful outcome from this initiative will help move the consumer away from being a victim and provide them with tools to protect themselves.”

Several products already exist or are quickly becoming available for securing new IoT devices in the enterprise. Many of them fall under an emerging category of so-called IoT connection security tools that are designed to help organizations detect and monitor IoT devices for security issues. But few similar tools are available to consumers currently.

When security patches and firmware updates are available for a home IoT device, few consumers know where to find them or install them says T. Roy, CEO of IoT Defense Inc. a company that sells a product designed to protect routers against Mirai-like threats. Often, the only real recourse for consumers is to discard a vulnerable IoT device and purchase a new one instead, he says.

The FTC’s new initiative reflects the concern in Washington over the potential for insecure home devices to cause widespread disruption on the Internet and critical infrastructure, he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.
CVE-2019-19011
PUBLISHED: 2019-11-17
MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.