Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/4/2017
04:18 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FTC Launches Contest For Technology Tool To Protect Home IoT Devices

IoT Home Inspector Challenge will award $25,000 for best proposal

The massive denial-of-service attacks on DNS provider Dyn and other organizations late last year hammered home the danger posed to businesses and the Internet as a whole from poorly protected consumer IoT devices. Now, the US government wants the public’s help in addressing the problem.

The Federal Trade Commission (FTC) on Wednesday said it would award up to $25,000 to any individual or group of individuals who propose a way to properly protect home devices that connect to the Internet of Things, against security threats.

The FTC’s IoT Home Inspector Challenge is designed to encourage development of a technology tool that, at a minimum, would be capable of addressing security vulnerabilities caused by out-of-date software in consumer IoT devices.

An ideal tool, according to the FTC, would be something—either hardware or software—that consumers could add to their home network to check for and install updates on any connected IoT device that might require it. Contestants have the option of adding other features to their tool if they want to, including those that would address problems stemming from the use of hardcoded or default passwords in IoT products.

The competition is not restricted to physical devices. Cloud-based applications and services that help consumers manage security vulnerabilities in IoT products will also be eligible for the FTC’s $25,000 reward. Similarly, any user interface or dashboard that informs consumers about IoT devices on their home network that are properly patched, require updates, or are no longer vendor-supported will also be considered for the award.

“Every day, American consumers use Internet-connected devices to make their homes ‘smarter,’" said the FTC in a document describing eligibility requirements and the rules of the contest.

“While these smart devices enable enormous convenience and safety benefits, they can also create security risks,” it said, pointing to last year’s attacks. “With this Contest, the FTC seeks to encourage the development of a technical tool to assist consumers with ensuring that IoT devices in the home are running up-to-date software.”

The FTC's initiative comes amid heightening concerns over security vulnerabilities in many of the home products that people have begun connecting to the Internet, such as smart fridges, webcams, printers, and home entertainment and security systems.

The Mirai distributed denial-of-service attacks on Dyn and others last year demonstrated how easily threat actors could take advantage of these vulnerabilities to assemble massive botnets for attacking large enterprises, including those in critical industries.

Concerns over the trend prompted the Secretary of the Department of Homeland Security Jeh Johnson to recently describe IoT security vulnerabilities as posing a national security threat and requiring an immediate response from all stakeholders.

“The recent botnet attacks have raised the profile and risk visibility,” of the IoT, says Lancen LaChance, vice president of product management, IoT for GlobalSign. The initiative shows how agencies like the FTC have realized that fines and guidance for companies alone aren’t the only way to address the security risks of home automation, he says. “A successful outcome from this initiative will help move the consumer away from being a victim and provide them with tools to protect themselves.”

Several products already exist or are quickly becoming available for securing new IoT devices in the enterprise. Many of them fall under an emerging category of so-called IoT connection security tools that are designed to help organizations detect and monitor IoT devices for security issues. But few similar tools are available to consumers currently.

When security patches and firmware updates are available for a home IoT device, few consumers know where to find them or install them says T. Roy, CEO of IoT Defense Inc. a company that sells a product designed to protect routers against Mirai-like threats. Often, the only real recourse for consumers is to discard a vulnerable IoT device and purchase a new one instead, he says.

The FTC’s new initiative reflects the concern in Washington over the potential for insecure home devices to cause widespread disruption on the Internet and critical infrastructure, he adds.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...