The massive denial-of-service attacks on DNS provider Dyn and other organizations late last year hammered home the danger posed to businesses and the Internet as a whole from poorly protected consumer IoT devices. Now, the US government wants the public’s help in addressing the problem.
The Federal Trade Commission (FTC) on Wednesday said it would award up to $25,000 to any individual or group of individuals who propose a way to properly protect home devices that connect to the Internet of Things, against security threats.
The FTC’s IoT Home Inspector Challenge is designed to encourage development of a technology tool that, at a minimum, would be capable of addressing security vulnerabilities caused by out-of-date software in consumer IoT devices.
An ideal tool, according to the FTC, would be something—either hardware or software—that consumers could add to their home network to check for and install updates on any connected IoT device that might require it. Contestants have the option of adding other features to their tool if they want to, including those that would address problems stemming from the use of hardcoded or default passwords in IoT products.
The competition is not restricted to physical devices. Cloud-based applications and services that help consumers manage security vulnerabilities in IoT products will also be eligible for the FTC’s $25,000 reward. Similarly, any user interface or dashboard that informs consumers about IoT devices on their home network that are properly patched, require updates, or are no longer vendor-supported will also be considered for the award.
“Every day, American consumers use Internet-connected devices to make their homes ‘smarter,’" said the FTC in a document describing eligibility requirements and the rules of the contest.
“While these smart devices enable enormous convenience and safety benefits, they can also create security risks,” it said, pointing to last year’s attacks. “With this Contest, the FTC seeks to encourage the development of a technical tool to assist consumers with ensuring that IoT devices in the home are running up-to-date software.”
The FTC's initiative comes amid heightening concerns over security vulnerabilities in many of the home products that people have begun connecting to the Internet, such as smart fridges, webcams, printers, and home entertainment and security systems.
The Mirai distributed denial-of-service attacks on Dyn and others last year demonstrated how easily threat actors could take advantage of these vulnerabilities to assemble massive botnets for attacking large enterprises, including those in critical industries.
Concerns over the trend prompted the Secretary of the Department of Homeland Security Jeh Johnson to recently describe IoT security vulnerabilities as posing a national security threat and requiring an immediate response from all stakeholders.
“The recent botnet attacks have raised the profile and risk visibility,” of the IoT, says Lancen LaChance, vice president of product management, IoT for GlobalSign. The initiative shows how agencies like the FTC have realized that fines and guidance for companies alone aren’t the only way to address the security risks of home automation, he says. “A successful outcome from this initiative will help move the consumer away from being a victim and provide them with tools to protect themselves.”
Several products already exist or are quickly becoming available for securing new IoT devices in the enterprise. Many of them fall under an emerging category of so-called IoT connection security tools that are designed to help organizations detect and monitor IoT devices for security issues. But few similar tools are available to consumers currently.
When security patches and firmware updates are available for a home IoT device, few consumers know where to find them or install them says T. Roy, CEO of IoT Defense Inc. a company that sells a product designed to protect routers against Mirai-like threats. Often, the only real recourse for consumers is to discard a vulnerable IoT device and purchase a new one instead, he says.
The FTC’s new initiative reflects the concern in Washington over the potential for insecure home devices to cause widespread disruption on the Internet and critical infrastructure, he adds.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio