It appears as if the Federal Trade Commission is getting serious about Internet of Things security issues -- and it wants the public to help find a solution. The FTC has announced a contest it's calling the "IoT Home Inspector Challenge." What's more, there's a big payoff for the winners, with the Top Prize Winner receiving up to $25,000 and each of a possible three "honorable Mentions" getting $3,000. Better yet, winners don't have to fork over their intellectual property rights, and will retain right to their submissions.
Of course, the FTC is a federal agency, and with a change of administrations coming up in a couple of weeks, it hedges its bet a bit with a caveat: "The Sponsor retains the right to make a Prize substitution (including a non-monetary award) in the event that funding for the Prize or any portion thereof becomes unavailable." In other words, Obama has evidently given the go-ahead, but they're not sure how Trump will follow through.
Caveat aside, this is a good move by the FTC, if for no other reason because it shows that some in Washington understand that with the IoT we have a serious security issue brewing that needs to be addressed now, before it gets more out of hand than it's already become. With this contest, the agency can both raise public awareness that people's "things" are not always their friends, as well as get people to work finding a solution.
In short, FTC is looking for "a technical solution ('tool') that consumers can deploy to guard against security vulnerabilities in software on the Internet of Things ('IoT') devices in their homes. The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software."
The FTC shows a surprisingly accurate grasp of the situation for an arm of the federal government -- which doesn't always have a clear understanding of technical issues.
"While these smart devices enable enormous convenience and safety benefits, they can also create security risks. For example, press reports from October 2016 demonstrated how smart devices could be used in 'botnets' to disrupt the Internet. This incident demonstrated that lax IoT device security can threaten not just device owners, but the entire Internet. In another incident, a group of hackers allegedly gained unauthorized access to routers manufactured by the tech company ASUS and left a text file warning stating, 'Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. ... Further, there have been numerous reported incidents where the live feeds from consumers' smart cameras have been available on the Internet."
The agency also seems to have heard what security experts have been saying for the last year or so -- that software on IoT devices needs to be secure, with a method in place for updating software whenever new vulnerabilities are discovered.
"One important component of IoT security is updating and providing security patches. If products do not have the latest security updates, they can be vulnerable to outside threats. Today, although some devices are updated automatically, many devices require consumers to take steps in order to install the update or make necessary adjustments. To be able to take these steps, consumers must have a certain level of technical expertise. In particular, consumers must know how to check for security updates and install them. The problem of how to simplify this task is compounded by the thriving market in this area: There are many different types of software (even within a single device), ways to configure devices, and approaches to updating. As devices within the home multiply, the task of updating devices could become increasingly daunting."
The competition is open to pretty much anybody 18 or older, although those in a financial relationship with any of the judges are disqualified. The contest deadline is 12:00 p.m. EDT May 22, 2017. Rules and registration information are available on the FTC's website.