Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/4/2017
04:18 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FTC Launches Contest For Technology Tool To Protect Home IoT Devices

IoT Home Inspector Challenge will award $25,000 for best proposal

The massive denial-of-service attacks on DNS provider Dyn and other organizations late last year hammered home the danger posed to businesses and the Internet as a whole from poorly protected consumer IoT devices. Now, the US government wants the public’s help in addressing the problem.

The Federal Trade Commission (FTC) on Wednesday said it would award up to $25,000 to any individual or group of individuals who propose a way to properly protect home devices that connect to the Internet of Things, against security threats.

The FTC’s IoT Home Inspector Challenge is designed to encourage development of a technology tool that, at a minimum, would be capable of addressing security vulnerabilities caused by out-of-date software in consumer IoT devices.

An ideal tool, according to the FTC, would be something—either hardware or software—that consumers could add to their home network to check for and install updates on any connected IoT device that might require it. Contestants have the option of adding other features to their tool if they want to, including those that would address problems stemming from the use of hardcoded or default passwords in IoT products.

The competition is not restricted to physical devices. Cloud-based applications and services that help consumers manage security vulnerabilities in IoT products will also be eligible for the FTC’s $25,000 reward. Similarly, any user interface or dashboard that informs consumers about IoT devices on their home network that are properly patched, require updates, or are no longer vendor-supported will also be considered for the award.

“Every day, American consumers use Internet-connected devices to make their homes ‘smarter,’" said the FTC in a document describing eligibility requirements and the rules of the contest.

“While these smart devices enable enormous convenience and safety benefits, they can also create security risks,” it said, pointing to last year’s attacks. “With this Contest, the FTC seeks to encourage the development of a technical tool to assist consumers with ensuring that IoT devices in the home are running up-to-date software.”

The FTC's initiative comes amid heightening concerns over security vulnerabilities in many of the home products that people have begun connecting to the Internet, such as smart fridges, webcams, printers, and home entertainment and security systems.

The Mirai distributed denial-of-service attacks on Dyn and others last year demonstrated how easily threat actors could take advantage of these vulnerabilities to assemble massive botnets for attacking large enterprises, including those in critical industries.

Concerns over the trend prompted the Secretary of the Department of Homeland Security Jeh Johnson to recently describe IoT security vulnerabilities as posing a national security threat and requiring an immediate response from all stakeholders.

“The recent botnet attacks have raised the profile and risk visibility,” of the IoT, says Lancen LaChance, vice president of product management, IoT for GlobalSign. The initiative shows how agencies like the FTC have realized that fines and guidance for companies alone aren’t the only way to address the security risks of home automation, he says. “A successful outcome from this initiative will help move the consumer away from being a victim and provide them with tools to protect themselves.”

Several products already exist or are quickly becoming available for securing new IoT devices in the enterprise. Many of them fall under an emerging category of so-called IoT connection security tools that are designed to help organizations detect and monitor IoT devices for security issues. But few similar tools are available to consumers currently.

When security patches and firmware updates are available for a home IoT device, few consumers know where to find them or install them says T. Roy, CEO of IoT Defense Inc. a company that sells a product designed to protect routers against Mirai-like threats. Often, the only real recourse for consumers is to discard a vulnerable IoT device and purchase a new one instead, he says.

The FTC’s new initiative reflects the concern in Washington over the potential for insecure home devices to cause widespread disruption on the Internet and critical infrastructure, he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14230
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user ...
CVE-2019-14231
PUBLISHED: 2019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/un...
CVE-2019-14207
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.11. The application could crash when calling the clone function due to an endless loop resulting from confusing relationships between a child and parent object (caused by an append error).
CVE-2019-14208
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to a NULL pointer dereference and crash when getting a PDF object from a document, or parsing a certain portfolio that contains a null dictionary.
CVE-2019-14209
PUBLISHED: 2019-07-21
An issue was discovered in Foxit PhantomPDF before 8.3.10. The application could be exposed to Heap Corruption due to data desynchrony when adding AcroForm.