FTC contest seeks to crowdsource IoT security tools

Dubbed the IoT Home Inspector Challenge, the FTC said it is asking participants to develop a tool to address vulnerabilities from out-of-date software in connected devices.

“An ideal tool might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network or it might be an app or cloud-based service or a dashboard or other user interface,” the FTC said in the announcement. “Contestants also have the option of adding features such as those that would address hard-coded, factory default or easy-to-guess passwords.”

Submissions will be accepted March 1 to May 22. Winners will be announced “on or about July 27, 2017.”

“Every day, American consumers are offered innovative new products and services to make their homes smarter,” said Jessica Rich, director of the Bureau of Consumer Protection, in a statement. “Consumers want these devices to be secure, so we’re asking for creativity from the public – the tinkerers, thinkers and entrepreneurs – to help them keep device software up-to-date.”

Among the criteria to be considered includes a tool that works with devices currently on the market and that protects information both in transit and at rest. What’s more, the FTC said scoring will be based in part on tools that recognize existing IoT devices in the home and determine what software is already on those devices as well as the latest versions of software that should be on them and assist in facilitating upgrades, the FTC said.

There is also a wildcard option for submissions that don’t address those components, “but [offer] a technical solution to address vulnerabilities caused by unpatched or out-of-date software of IoT devices in the home [if] the Contestant [demonstrates] how that tool would work and [argues] for the superiority of the tool based on its level of innovation and impact on IoT security in the home.”

Judging criteria also includes how easy the tool is for the average consumer to use, how it communicates the risk mitigation it provides and how it allows consumers to control information sent to third parties.

Up to 20 contestants will be selected in the first round, where judges will only assess videos and abstracts, the FTC said. Qualifying contestants will move on to the final round where more detailed explanations will be considered.

Judges include Georgia Weidman, chief technology officer of mobile security firm Shevirah; L. Jean Camp, professor at the School of Informatics and Computing at Indiana University; Tadayoshi Kohno, Short-Dooley Professor of Computer Science and Engineering at the University of Washington; David Wollman, deputy director of the Smart Grid and Cyber-Physical Systems Program Office of the US Department of Commerce’s National Institute of Standards and Technology; and Dan Klinedinst, a vulnerability researcher at Carnegie Mellon University’s CERT Coordination Center, which says its mission is to “[anticipate] and [solve] the nation’s cybersecurity challenges.”

Further, the FTC said this is the fourth government contest under the America Competes Act and the first one addressing the Internet of Things.

And while Shiva Vannavada, CTO of digital marketing company iCrossing, said it’s good the FTC is taking action, he was nevertheless skeptical this particular contest would result in real security solutions.

“You’ll likely see security firms and product companies like Symantec, Cisco, Intel, Microsoft, Amazon etc. be first to introduce security that is lasting and truly valuable,” he said. “Entities like the FTC would be wise to work more closely with these larger companies, who have the resources to be ahead in this game, to develop a set of [standardized] guidelines that can help bring clarity and comfort to all of the audiences impacted by these technologies.”