The FTC's Infeasible IoT Software Security Challenge

January 25, 2017

As more “smart” devices show up in our households and workplaces, there’s no question that things are getting smarter. There’s also no question that these devices are a prime opportunity for hackers looking for financial gain or simply to cause mayhem.

In an effort to find a solution, the Federal Trade Commission (FTC) recently announced a crowdsourced challenge for developers to create a security tool – either a physical device or a cloud-based solution – that can detect known vulnerabilities in devices. The IoT Home Inspector Challenge will award a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for three honorable mentions. (Recall that the FTC did the same thing in 2013 to encourage the development of solutions to block unwanted robocalls. The winning solution, NoMoRobo, has been quite successful and to date has blocked 187 million unwanted automated marketing calls.)

Whether the new challenge will be as successful as NoMoRobo, however, is unknown. Experts have weighed in and noted that it’s going to be difficult for developers to meet the challenge and find one solution that will work across all device vendors. Flexera’s vice president of product management, Mathieu Baissac, told Software Development Times that it should be up to the IoT device or solution makers to let users know when there are defects, since buyers may have neither the time nor the knowledge to know when their devices need to be updated. Instead, IoT providers should be sending users automated and secure patches.

“They need to, or they should, consider penetration testing,” he said. “You say, ‘I’ll hire a hacker or a hacker-like person who will try to attack my device and make sure it’s bulletproof.’ The other thing that we want to do is if there are any open-source components, [you need to] make sure you know what the components are and make sure you stay on top of any security vulnerabilities in those components.”

It's also the responsibility of device and solution makers to ensure they are securing their products properly. Often, software vendors don’t write their own communication package, so many vendors have OpenSSL or something equivalent, said Baissac.

“It’s important that they keep track of those components so they are not hacked,” he told SD Times’ Madison Moore.

Consumers and businesses should avoid buying IoT devices that cannot “call home” to determine if they have the latest security update, and vendors need to ensure there are no security holes in their products by pushing updates to devices remotely.

Edited by Maurice Nagle