Put walls around home Things, win $25k from US government

America's Federal Trade Commission has kicked off a challenge to see who can come up with good ideas for securing the Internet of Things. While the US$25,000 top prize will probably end up in the pocket of an infosec pro, the FTC interestingly says it's interested in hearing from “tinkerers” and “thinkers” as well as from …

  1. Brian Miller

    Didn't Norton just secure world+dog from IDIoT devices?

    Strangely, there's no sarcasm alert icon.

    The Norton Core router supposedly scans incoming traffic for malware, etc., and can even put IDIoT devices on their own network segments. I have a router that supposedly does the scanning, and never once has it flagged any traffic as malicious. It has stopped at least a few non-infected sites from functioning, though.

    I can see how a sophisticated home WiFi router could keep traffic from different SSIDs away from each other. However, the device itself isn't running a vulnerability scanner, which would be an asset. If the IDIoT device can't pass the vulnerability scan from the router, then it definitely shouldn't be allowed to access world+dog, or anything else on the local network.

    1. Anonymous Coward
      Holmes

      Re: Didn't Norton just secure world+dog from IDIoT devices?

      Strangely, there's no sarcasm alert icon.

      oh there is...

      1. bombastic bob Silver badge
        Trollface

        Re: Didn't Norton just secure world+dog from IDIoT devices?

        "Strangely, there's no sarcasm alert icon"

        how about this one?

        (or maybe just 'all of them', depending)

  2. redpawn

    Leave them...

    in their respective boxes and don't plug them in. Most of them do not come with batteries. A Faraday cage combined with their original boxes would be nearly safe enough for most households.

    1. Mark 85

      Re: Leave them...

      I would just toss them all in the trash along with the marketing and corporate types who come up with this stuff.

      1. Steve Davies 3 Silver badge

        Re: Leave them...

        I would just toss them all in the trash compactor/furnace along with the marketing and corporate types who come up with this stuff.

        There fixed it for you. Even that is not enough though.

        CES is a great CES{spit} for crap. Every few years something actually useful manages to emerge from the slime.

        1. Dave 15

          Re: Leave them...

          Something useful... sorry, either I missed the sarcasm or I missed it... can you tell me what?

    2. bombastic bob Silver badge
      Joke

      Re: Leave them...

      I was hoping to invent some 'wireless cutters'

      Muntzing to the max!

    3. VinceH
      Pint

      Re: Leave them...

      in their respective boxes and don't plug them in.

      Damn it! That was my idea, but you got there first! If you get the prize, make sure you buy a round.

      1. Dave 126 Silver badge

        Re: Leave them...

        "Anything invented after you've reached the age of thirty is new fangled rubbish and you should have nothing to do with it" to roughly quote DNA.

        However, we in the UK are living amongst an aging population. Devices that will reduce the labour of caring for older people will be required. Therefore, it would be sensible to engage with this topic in a more constructive manner whilst you still have your marbles - otherwise you'll just have to take what you're given.

    4. Doctor Syntax Silver badge

      Re: Leave them...

      I don't suppose there are prizes for simply stating the obvious.

  3. Anonymous Coward
    Happy

    As I understand it.

    I was going to write an essay but I want the money instead.

  4. Jeroen Braamhaar
    Angel

    I'm all for walls around IoT devices

    And please, do dispense with doors, ducts, windows and other unnecessary openings.

  5. simmondp

    US thinking only permitted!

    "may be awarded only to individuals and teams of individuals who are citizens or permanent residents of the United States"

    1. Anonymous Coward
      Anonymous Coward

      Re: US thinking only permitted!

      Cannot have any of that foreign designed logic, maths or facts...

  6. Anonymous Coward
    Anonymous Coward

    Simple option...

    Introduce a law making the vendor of the product criminally liable for:

    1) Use of default credentials;

    2) Exploits (may be kind and add "that can't be patched");

    3) ...

    1. Bob Dole (tm)

      Re: Simple option...

      In my mind, this is the only sane way to proceed.

      A set of standards should be agreed on like "don't hard code back doors" then force all the manufacturers to comply. Failure to do so results in a dead company and, possibly, imprisonment/fines of its directors.

      Then just let the legal system sort it out.

      1. Vic

        Re: Simple option...

        A set of standards should be agreed on like "don't hard code back doors" then force all the manufacturers to comply

        If manufacturers could be forced to comply, we wouldn't have the problem in the first place...

        Vic.

  7. DropBear

    Why, what's wrong with a plain firewall without uPnP...?

    1. Doctor Syntax Silver badge

      "Why, what's wrong with a plain firewall without uPnP...?"

      It would stop all those shiny gadgets working. Must have shiny.

    2. Andrew Commons

      A good start

      A good start if you are talking about filtering outbound as well as inbound. Then you get tunnelling and encrypted traffic which is probably going to be beyond the capabilities of consumer devices to inspect (are you listening Google?). This is on top of the bizarre connectivity requirements some devices seem to require.

      Throw it all away and start again in a universe far far away...

      1. Cloggie

        Re: A good start

        I'd like my fridge to be able to import my CA certificates, so I can inspect its SSL traffic to and from the supermarket.

        1. Andrew Commons

          Re: I'd like my fridge to be able to import my CA certificates

          That would certainly be a step in the right direction. The consumer environment is not going to be able to cope with a 'trust nothing' model for quite a while. Migrating 'old school' corporate technology into this space would be a viable alternative in the short term. Consumer edge devices become UTM by default.

  8. Anonymous Coward
    Anonymous Coward

    Encrypted end to end traffic and 2FA + 1TP for management tools / interfaces

    ...and IMEI verification for phone apps.

    Eliminates sniffing, bruteforcing and unauthorised logins.

    Can I have my money now?

    But seriously...

    The problem with securing IoT is if someone manages it, governments will immediately want to ban it due to the pedo-terror-money launderism threat both at home and overseas.

    Remember kids, carrying guns is fine but encryption and digital security immediately makes you a criminal.

  9. Dave 15

    Simple

    Two options...

    get off your lardy arse and switch the light on yourself?

    an explosive charge that detects the date of the software and blows up the item if its software is older than today

    Of course option 1 will prevent NSA spying on your home so they know when you take a dump... after all the time you visit the loo might mark you down as a terrorist suspect.

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple

      All this NSA spying...

      Just because nobody will add them as a friend on facebook. Is the NSA not aware that they could just come to the pub, buy a round and listen to people talk about mundane crap all night.

      I can't believe the NSA looks at so many profiles without watering anyone's crops. Bastards.

    2. YetAnotherLocksmith Silver badge

      Re: Simple

      >an explosive charge that detects the date of the software and blows up the item if its software is older than yesterday.

      Fixed that for you. Just because the product is new, £1 will get you 50p that the code is re-used.

  10. John H Woods Silver badge

    Two ideas

    1) Default / hardcoded credentials: Fines or other sanctions against manufacturers who produce devices, any two of which share credentials.

    2) Support: all devices must be supported by the manufacturer for at least X months (perhaps depending on price?) When support ceases, devices must be open to user-customisation.

  11. druck Silver badge

    One idea

    IOT shouldn't mean send data to the cloud.

    1. Dave 126 Silver badge

      Re: One idea

      That's more like it.

      The only hurdle is the use of proprietary algorithms to crunch through the raw data collected by these sensors, and then act upon them. This won't be an issue if open source algorithms are used on user-owned kit.

      For there to be open source algorithms, hobbyists need to get involved. Cheap sensors, a cheap hub (could be Raspberry-Pi based, more advanced machine-vision system could be based on that silicon nVidia is developing for the automotive industry), cheap actuators (thermostats, blinds, locks, power states etc). It's all available.

      A quick search shows:

      http://www.openhab.org/ Vendor and technology agnostic open source automation software for your home.

      https://home-assistant.io/ Home Assistant is an open-source home automation platform running on Python 3.

      http://freedomotic.com/ Freedomotic is an open source, flexible, secure Internet of Things (IoT) development framework, useful to build and manage modern smart spaces

    2. Dave 126 Silver badge

      Re: One idea

      >IOT shouldn't mean send data to the cloud.

      To parse your sentence: "The internet of things shouldn't involve the internet", or rather "I want an *intranet* of things". Fair enough, it's a common point of view. For an Intranet of Things, you can roll your own, maybe starting with the links in my above comment.

      However, it is possible to avoid throwing out the baby with the bathwater, but to understand how involves hard maths; that is, there is a way to offer your data for the betterment of mankind (think: medical data cross-referenced with empirical lifestyle data) without identifying yourself, or allowing your identity to be inferred. Differential Privacy:

      Differential Privacy (DP) was originally proposed by Dwork in [6]. It refers to a privacy goal requirement that must be satisfied by algorithms (or mechanisms) that describe a given data set using disturbed statistical values like an average or the count of elements in the data set. This goal is basically set by the epsilon (ε) value, that is the difference between the probabilities of receiving the same result from a randomized algorithm against two different data sets that differ in just one record, so it can be guaranteed that a re-identification was not caused by the participation in a data set. A smaller value of ε represents stronger privacy, and values are usually set between 0 and 1, like 0.1 or ln(2), for instance.

      It soon gets into brain-hurt territory, but I do believe that it will be worth it.
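A worked example of the definition quoted above, added here and not part of the thread or the paper it quotes: a count over a constructed set of thermostat records is released with Laplace noise at ε = 0.1, and the privacy loss is checked on two data sets that differ in exactly one record. The household data, the predicate and all function names are assumptions made for the example.

```python
"""Added example (not from the thread): an epsilon-DP count query with the
Laplace mechanism, and a check of the definition on neighbouring data sets."""
import math
import random

def count_query(records, predicate):
    """The statistic being released: how many records satisfy `predicate`."""
    return sum(1 for r in records if predicate(r))

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF; rng is a random.Random."""
    u = rng.random() - 0.5                      # uniform on [-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def laplace_mechanism(true_value, epsilon, sensitivity=1.0, rng=None):
    """Release true_value + Laplace(0, sensitivity/epsilon) noise.
    Adding or removing one record changes a count by at most 1, so
    sensitivity = 1 gives epsilon-differential privacy for counts."""
    rng = rng or random.Random()
    return true_value + laplace_noise(sensitivity / epsilon, rng)

def privacy_loss(output, value_d, value_d_prime, epsilon, sensitivity=1.0):
    """ln( Pr[M(D) = output] / Pr[M(D') = output] ) for the Laplace mechanism,
    in closed form. epsilon-DP requires |privacy_loss| <= epsilon for every
    possible output, i.e. the two data sets are almost indistinguishable."""
    scale = sensitivity / epsilon
    return (abs(output - value_d_prime) - abs(output - value_d)) / scale

def worst_case_loss(value_d, value_d_prime, epsilon, sensitivity=1.0):
    """Scan candidate outputs around both true values; return max |loss|."""
    lo = min(value_d, value_d_prime) - 5
    hi = max(value_d, value_d_prime) + 5
    outputs = [lo + i * 0.25 for i in range(int((hi - lo) / 0.25) + 1)]
    return max(abs(privacy_loss(o, value_d, value_d_prime, epsilon, sensitivity))
               for o in outputs)

# Constructed sample data: 12 smart thermostats, some heating after midnight.
HOUSEHOLDS = [{"id": i, "heating_after_midnight": i % 3 == 0} for i in range(12)]
NEIGHBOUR = HOUSEHOLDS[1:]      # D': the same data set with household 0 removed

def demo(epsilon=0.1, seed=7):
    """Release the count under epsilon-DP and check the definition holds."""
    pred = lambda r: r["heating_after_midnight"]
    true_d, true_d_prime = count_query(HOUSEHOLDS, pred), count_query(NEIGHBOUR, pred)
    noisy = laplace_mechanism(true_d, epsilon, rng=random.Random(seed))
    return {"true_count": true_d, "neighbour_count": true_d_prime,
            "noisy_release": noisy,
            # equals epsilon: the bound is tight, never exceeded
            "worst_case_loss": worst_case_loss(true_d, true_d_prime, epsilon)}

if __name__ == "__main__":
    print(demo())
```

Lowering ε shrinks the worst-case loss but widens the noise on the released count, which is the trade-off the quoted definition describes.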

      1. druck Silver badge
        Thumb Up

        Re: One idea

        "I want an *intranet* of things"

        Couldn't have put it better myself.

      2. YetAnotherLocksmith Silver badge

        Re: One idea

        But even that won't work.

        Look at that guy fingered by the smart water meter - nothing useful there, except the extra 300 litres of water apparently used that early morning, which police believe was used to both wash the blood away and fill the bath.

        Like the way advertisers can work out who you are by looking at the exact battery level and a few other things, multiple pathways leave the data easily extracted. Likewise VPN uncloaking using open port forwarding - only 7 people in the world have that set of fingerprints across those ports, and all are coming from the same VPN network, but different termination points? That's you busted, despite your 7 proxies!

        Without a home AI firewall (A Icewall) to run it all for you, you're stuffed.

  12. Tikimon

    Will. Never. Happen.

    Companies don't give a crap about security, and they never will. They don't even care about making a good product anymore! The product is merely bait to make us bring a spy device into our lives. As long as they get some data to whore out for cash, it's Mission Accomplished.

    The best we could expect from this initiative is some kind of one-size-fits-all "tool" that manufacturers will be forced to build in. They won't go a single step beyond what they're forced to, so they'll use the "tool" without modification. This single (juicy and lucrative) target will be eventually hacked or bypassed and we're back where we started. Punitive laws won't matter. By the time a company is found out and given a token fine, they've already made their cash and are on to the next thing. Yah, I'm a paranoid old curmudgeon...

    1. Dave 126 Silver badge

      Re: Will. Never. Happen.

      >Companies don't give a crap about security, and they never will.

      By being so general, you're missing an opportunity to exercise your power. A company will care about your privacy if it allows them to differentiate themselves on the market. That was the motivation behind Apple's spat with the FBI over unlocking an iPhone, and their adoption of Differential Privacy in their Health Kit and Home Kit. Apple make lots of money by giving you a reason to buy their pricey hardware, not from advertising.

      DP is not Apple's invention - that'd be Cynthia Dwork* - but it is in their own business interests to promote it in their products. This is an option not available to Google, who make their money from advertising.

      Apple isn't alone in using privacy to promote their products - you may have heard of Silent Circle, Jolla, Sailfish, Blackberry... or maybe you haven't, no one would blame you!

      *https://www.quantamagazine.org/20161123-privacy-and-fairness-an-interview-with-cynthia-dwork/

  13. Mike 16

    Sign up here

    To get on "the list" of people who will have to be "neutralized" when Phase 27 of Surveillance R Us kicks in (we are currently on about phase 19).

    What person who has actually looked at the trends of closed hardware and mandatory updates to software (Secure today, maybe. Compromised tomorrow, definitely) would want to raise their visibility? "Question Authority, and surely Authorities will Question you"

  14. Vic

    The prize is mine.

    I have a simple but effective solution.

    All IoT devices should be soaked in a bucket of petrol immediately prior to use.

    Job done.

    Vic.

    1. Dave 126 Silver badge

      Re: The prize is mine.

      You'd still plug them in after soaking them in petrol? Hmmm, negate the need for home automation by destroying your home with fire... that's a solution of a sort, I suppose ;)

      Anyway, have you consulted your offspring about the tools that will aid in your care when you are old, infirm and possibly demented? No? Well, they might send you to a home before your time.

      Let's not fuck about here: demographics and economics. Strains on our health and care services are showing right now. Sensors that communicate data to the outside world (temperature, pulse, blood sugar levels, medication doses etc etc) are going to happen whether we like it or not. We might as well play a role in steering them into something good. Methods exist to greatly mitigate the downsides, but you won't find them in 1st gen consumer IoT toys, I grant you.

      1. Vic

        Re: The prize is mine.

        You'd still plug them in after soaking them in petrol?

        Look straight up. Squint a bit - maybe use binoculars.

        That thing, up there - that's the joke.

        Vic.

  15. YetAnotherLocksmith Silver badge

    Good luck even finding the manufacturer, who is likely based in China. Talking to my Chinese friend who helps run one of the more legit manufacturers of lock tools, he was saying that a lot of the factories literally move daily to avoid being found by the Chinese state authorities. Which is insane, but apparently true.

    You call them and they bring you the stuff, or you go to the market and get the stuff there. Even the manufacturers using the parts often don't know who actually made the part (which really is just like the UK! You buy a bag of nuts meeting a spec, you don't care where or who made the steel nor cut the thread. That's why aerospace stuff is so expensive - extreme traceability from the mine to the machined part)

    Adding an unenforceable penalty to the manufacturers will do nothing - loads already sell stuff that literally doesn't work. The wholesalers don't care either - they know that no-one sends anything back because the postage costs more than the widget! (Which is another issue entirely - how can ChinaPost send a thing across the world for less than I can send a second class postcard to the next town? Oh yes, state postage subsidies!)

    But it is a hiding to nothing. You can't even figure out who made the thing, there are that many clones of the clones going around. The reason we are in this mess is because they just rip the firmware, or download a bit of source code from a website, and use that, default passwords and all.

    How to change that? Good luck!
