IoT security—or the relative lack thereof—was a big story in 2016, with vulnerabilities in connected devices leading to major cyberattacks, such as the Mirai botnet that crippled some of the world's busiest websites.
During the year, some progress was made on IoT security standards and best practices, but they are far from mature and the Gold Rush mentality among IoT consumer device makers worldwide means 2017 will surely see more high-profile IoT hacks that stand to damage both consumers and enterprises.
Now the U.S. Federal Trade Commission is hoping to enlist the public's help in hardening IoT security, and not through engaging in more mindful security practices, but by actually creating a security tool. It's offering a $25,000 prize plus $3,000 runner-up prizes. Here are the details from the FTC's announcement:
The FTC is asking IoT Home Inspector Challenge contestants to develop a tool that would address security vulnerabilities caused by out-of-date software in IoT devices. An ideal tool might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network, or it might be an app or cloud-based service, or a dashboard or other user interface. Contestants also have the option of adding features such as those that would address hard-coded, factory default or easy-to-guess passwords.
“Every day American consumers are offered innovative new products and services to make their homes smarter,” said [FTC Bureau of Consumer Protection head] Jessica Rich. “Consumers want these devices to be secure, so we’re asking for creativity from the public – the tinkerers, thinkers and entrepreneurs – to help them keep device software up-to-date.”
Submissions can be entered March 1 with a deadline of May 22. The FTC plans to announce winners in July.
The FTC contest's goals represent just a small piece of the overall IoT security puzzle, as they focus on device patching. Its real intent seems aimed more at sparking new thinking about IoT security.
A fully working prototype isn't required but participants must include a detailed formal paper. Submissions must provide a technical solution, not a policy or legal one; the solution must work on existing devices; and it must protect information it collects both in transit and at rest, according to the official rules. Submissions should also describe how the tool mitigates or avoids introducing any security threats on its own.
Analysis: It's All About the Youth Movement
The FTC's contest is a welcome idea, says Constellation Research VP and principal analyst Andy Mulholland.
"The Internet of Things poses new challenges, as one major part of the value proposition lies in increasing consumer connectivity to offer high-value interactive smart services," he says, noting that a slew of new offerings are being showcased this week at the Consumer Electronics Show in Las Vegas.
"But who manages the resulting Internet of Consumers, or more correctly, the Internet of a consumer and their family? This represents a very different challenge from either the extension of enterprise security to cover IoT, or even the home support of one or more PCs," Mulholland adds. "The average family is well on the way to having more networked technology than a small business had 20 years ago, and even more challenging is the fact that the devices are all different in function and manufacturer, and don't sit safely behind a firewall as external connectivity is invariably required."
The sheer scale of the IoT security challenge makes the FTC's prize of a mere $25,000 seem almost derisory, but there's a likely reason for this, Mulholland says. "My guess is that it's a deliberate attempt to get those most skilled with this new generation of technology motivated to think outside the box in how to tackle the issue," he says. "Expect some pretty smart teenagers with hacking experience to whom $25,000 is a worthwhile prize to step forward with some very alternative thinking."
But there's still the question of how IoT security tools should be deployed and overseen, says Constellation Research VP and principal analyst Steve Wilson.
"The FTC competition is great for awareness—we need that," Wilson says. "But the approach to quality is wrong. You can't have consumers running around testing the safety of appliances. I guess around 1890, when electricity was coming to homes, there would have been entrepreneurs selling DIY safety testers. But then society recognized how important safety is and we regulated. The practical problem with aftermarket test tools is that they would require all IoT to run on standard operating systems. As far as I know, we are a long way from that."