Friday, January 20, 2017

The Feds wants to give you $25k to figure out IoT security; because the IoT is becoming synonmous with insecurity

In 2017 Its hard to find an IoT story that doesn't mention security and that means its infiltrated our psyche; IoT means insecurity or why mention it?

This worries me and has overtones of the Y2K problem in the wayback machine.  Think I'm exaggerating?  Here's what Google search trends says:

IoT security spiked in October 2016 around news of the Mirai IoT botnet which I wrote about then and noted it was a tipping point. The search trend seems to be on the upswing again after the holiday break (and the CES madness).  So with predictions of billions of connected devices coming our way (or a trillion by 2030 if you believe #Softbank CEO, Masayoshi Son) the concept of them all being hacked, disabled or generally used for malfeasance is getting everyones attention.  The US government in the form of the FTC has got involved with a creative solution; a contest with cash prizes called the:

All the details are here but the bottom line is a $25,000 prize (and a few $3,000 honorable mentions) for:

The Federal Trade Commission (FTC) is hosting a prize competition that challenges the public to create a technical solution (“tool”) that consumers can use to guard against security vulnerabilities in software found on the Internet of Things (IoT) devices in their homes.
The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.
The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s). Winners will be announced on or about July 27, 2017.
Sounds pretty cool so here is my quick thought experiment on how this might play out.  The Feds want a tool that the average homeowner can run on their favorite device (guessing it has to be a multi platform mobile App) and find unprotected IoT devices lurking on their home network.  For a quick sanity check I decided to look at how many devices are or have been connected to my home network and I should know better but was surprised how many devices I have connected and this isn't meant to be a brag but a cautionary tale.  I'm also a little leery about too much description here because I don't want to get hacked!  

We are a family of 4 and I admit to a tech addiction but we probably aren't that different from many families today; here's our list:
    1. 4 iPhones
    2. Tivo DVR 
    3. Roku
    4. Apple TV
    5. 4 laptops 
    6. 2 wireless printers
    7. TV with direct Netflix connection
    8. Video doorbell
    9. Smart irrigation controller
    10. Temperature sensor
    11. Alexa by Amazon
    12. Dog tracker
    13. 3 iPads of various vintages
    14. Desktop PC's (3)
That's 25 devices with IP addresses on the network and I haven't indulged in a NEST or lighting controllers yet so its easy to see how we can get to billions of connected devices and this is just wifi on a single home network.  Interestingly the wifi routers console showed that 47 devices have been connected to the router at some point.      

So my thinking is the App is available on iTunes and Google Play (as you might imagine there are already some network apps available but none seem to focus on security) and after downloading it does this:

  1. The user logs onto their router (could be their office/home; side benefit is they must change their password from the default) and they identify the devices connected to the router.
  2. This is the moment of revelation!  The user sees all the devices connected to their network.  When looking at my device list in the router console though many of the names used are less than explanatory.  Apple TV was obvious but dp-452xxxKM turned out to be the Amazon Echo which identified itself just as "LINUX".
  3. This is the key step in the process; identifying which devices are vulnerable and then how to secure them.  There is a search engine for Internet connected devices called Shodan which has an API so that might be one step to take.
  4. Finally the App could lock the network so new devices couldn't be added unless there was security enabled.  

So that's my take on the contest,  if anyone wants to write the App I will help submit for the prize.  If you have other ideas please comment below.