FTC launches competition to improve IoT device security
News roundup: FTC starts a contest to create a better IoT device security tool. Plus, ransomware is now illegal in California; Google patches 29 critical Android flaws; and more.
Internet-of-things device security tool developers, make it work.
The U.S. Federal Trade Commission has issued a challenge to the public to create a tool consumers can use to protect home IoT devices from software vulnerabilities, with a special focus on distributing bug patches.
The FTC has taken steps in recent years to improve IoT device security.
"Unfortunately, there are still plenty of IoT devices with fundamental security problems, including the issue we highlight in this contest: successfully updating security protections," Ruth Yodaiken, senior attorney for the division of privacy and identity protection at the FTC, told SearchSecurity. "We thought it [was] time to encourage the innovators to try [to] address those issues in a new way and empower the consumer."
The grand-prize winner of the IoT Home Inspector Challenge will receive up to $25,000, and as many as three honorable-mention winners will receive up to $3,000. Contestants don't need to submit a fully functional prototype to the competition, but they do need to submit an abstract, a video demonstration of how the tool would work and a detailed explanation. Contestants must also provide their own strategy for actual development and deployment of their tool, should they win.
The five competition judges will grade submissions on how well the submitted IoT device security tools work and how user-friendly and scalable they are. The tool should focus on vulnerabilities in IoT device software specifically caused by out-of-date software or firmware, though additional features -- such as detecting default password settings -- are acceptable, as well. The competition focuses on the development of a tool to help with IoT device security, rather than on policy or legislation.
This competition is a response to an increase in IoT device security issues in 2016. The emergence of Mirai botnet malware, in particular, has plagued IoT devices, leading to multiple instances of distributed denial-of-service attacks and botnets -- the most recent of which targeted 5 million routers.
The multitude of operating systems flooding the IoT device market doesn't help security matters, either. Almost every IoT device on the market has its own OS, and as more IoT devices are released, more OSes are likely to follow. And the more OSes there are, the tougher they are to secure.
"Unlike PCs and other computing hardware, these devices are not being controlled by just a few standardized operating systems," wrote Hemant Jain, vice president of engineering at Fortinet Inc., in Sunnyvale, Calif., in a blog post.
"In fact, they are being manufactured without any standards at all, except that they allow internet connectivity. To fit into the small footprints of the devices they are providing connectivity for, many of the operating systems installed on these devices are cutting down on security, if it is being considered at all," Jain continued. "And to make things worse, most of these devices are running their own proprietary versions of Linux, Android or, increasingly, some other operating system cobbled together with poorly written code embedded with hardcoded backdoors."
Many of these IoT devices cannot be patched, Jain noted, adding that this is where the FTC's IoT Home Inspector Challenge may make its greatest impact. Winners of the competition will be announced on or around July 27, 2017.
In other news:
- It is now illegal to deliver ransomware in California. Senate Bill 1137 went into effect on Jan. 1, but was signed into law in September 2016. Now, once a suspect is identified and located, he can be charged and sentenced to up to four years in state prison. "This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware," Sen. Bob Hertzberg (D-Calif.) said in a statement. "Unfortunately, we've seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves." SB 1137 follows a ransomware attack on Hollywood Presbyterian Medical Center in Los Angeles that knocked the hospital's systems offline for over a week and cost $17,000 worth of bitcoin to pay off the ransom.
- A hacker claims to have breached the FBI's content management system and dumped 155 supposed logins of FBI employees. The hacker, who uses the handle cyberzeist2, claimed to have used a zero-day flaw from a vendor to breach the Plone CMS. Cyberzeist2 said in a statement on Pastebin that he has been hacking for the group Anonymous since 2011, and that he didn't actually discover the zero-day vulnerability himself. "I was contacted by a [zero-day] vendor with handle 'lo4fer' over Tor network who asked me to test out the [zero-day] on active websites using Plone and its DERIVATIVES," wrote cyberzeist2. "The FBI hack was done to test out the vulnerability." The Plone security team has identified the hacker's claims as a hoax. "I can say for sure that at least some of the data posted as proof is 100% fake," said Alexandru Ghica of Eau de Web, maintainer of EU websites that were claimed to be vulnerable. "The hoax was a bit elaborate, indeed, but that's it."
- After a request from Chinese authorities, Apple has removed The New York Times' app from its app store in China. The request came from the Cyberspace Administration of China, which is China's main internet regulatory group. The Chinese government has blocked The New York Times' websites since 2012, when the publication ran articles about the wealth of then-Prime Minister Wen Jiabao. Apple removed both the English-language and Chinese-language apps from the iTunes store in December 2016. This move is the latest by the CAC in its effort to tighten scrutiny of the media in China.
- Google patched 29 critical Android vulnerabilities in its January Android Security Bulletin. According to the bulletin, the most severe flaw was a remote code execution vulnerability in Mediaserver. "A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing," the bulletin reads. "This issue is rated as critical due to the possibility of remote code execution within the context of the Mediaserver process." Mediaserver, in particular, has had numerous vulnerabilities since the Stagefright vulnerability in October 2015. The Android Security Bulletin patched three other Mediaserver vulnerabilities, two of which were high severity, and the last was moderate.