Cisco Offers $300,000 Prize For Internet of Things Security Apps

alphadogg writes "Cisco today kicked off a contest with $300,000 in prize money that challenges security experts around the world to put together ways to secure what's now called the 'Internet of Things,' the wide range of non-traditional computing devices used on the electric grid, in healthcare and many other industries. A Cisco SVP concluded his keynote at this week's RSA Conference by announcing what he called the 'Internet of Things Security Grand Challenge.' Christopher Young said the idea is 'a contest of experts around the world to submit blueprints' for how security issues created by the Internet of Things could be addressed. It's expected that up to six winning entries would be selected and the prize money awarded at the Internet of Things Forum in the fall."

I have the solution right here:

[Anonymous Coward]

give up on the whole "internet of things" idea as it's a loser from the get-go.

You can donate my 300 large to the EFF.

Re:

[pla]

This.

I don't want my fridge online. I don't want my toaster online. I don't want my lights online. I don't want my toothbrush online. And dear Zeus but I sure as hell don't want my HVAC or oven or even my car online!

The "Internet of Things" doesn't even rate as a solution in need of a problem - More like a marketing gimmick in need of a thin excuse to get ever more personal data from us.

Dear Cisco - Go home, you've had too much to drink. Don't worry, your fridge says it has leftover mac&chees

Re:

[Anonymous Coward]

I sure don't want my home online, but as someone who supports IT at a school I can tell you that my cafeteria people want to be able to get alerts on temperature variations in their fridge. The building & grounds people want to be able to set light and heat schedules from a central location, and don't want two computers on their desk to do it.

Re:

[NapalmV]

Getting alerts is one thing and controlling from a central location is a pretty much different beast.

You can implement the first as an electrically isolated box with a temperature sensor. It does not need to be connected in any other way to the fridge controls. The box can be connected to the internet and send e-mail alerts. An attacker breaking into the box could reprogram it to send false alerts or not send alerts at all. But he won't be able to take control over the fridge itself and reprogram the ther

Re:

[JaredOfEuropa]

There are plenty of good reasons to connect appliances to the Internet, or at least to a local home automation controller.
- HVAC? Hell yes. Having heating and AC automated and remotely controllable adds comfort (turning the heating on before we arrive home), convenience (no need to manage schedules, remote control from anywhere in the home), and saves money (by turning off heating automatically in unoccupied rooms).
- The toaster? Maybe not. I did connect a few other appliances like the fryer, which I

Re:

[bjwest]

None of this crap needs to be directly connected to the internet with it's own IP address. None of it! Every house with internet access already has an address and all that's needed is a good router to route things where they need to go. Most homes with more than one device, be it multiple computers, DVD/Blu-Ray players, TV's, game systems or whatever, already use this system. My frigging refrigerator, whether it's intelligent or not, does not need it's own IP any more than each room in my house needs it

Re:

[plover]

The problem with this idea is that it still implies that you trust firewalls to keep your stuff safe. But firewalls have really proven only to be hurdles, not barriers - an unpatched browser, an infected web page, a bot client that can surf around behind your firewall, and suddenly your thermostat, washing machine, and refrigerator can be abused to send spam.

Another security problem is many of those home things are service based (for both good and bad reasons). But things that reach out across the network c

Re:

[K. S. Kyosuke]

None of this crap needs to be directly connected to the internet with it's own IP address.

The devices don't need to be accessible to everyone, but what's the harm in devices having addresses? Just because I know that Obama lives in the White House doesn't allow me to casually stroll into his bedroom.

and all that's needed is a good router to route things where they need to go

And guess what, that requires some kind of address that you can route to. Sounds familiar?

Now, instead of one single point of entry to secure, we have to worry about each devise.

Only because of crappy protocols and implementations, I assume, not as a matter of principle.

Re:

[chihowa]

None of this crap needs to be directly connected to the internet with it's own IP address.

This isn't where the problem is. A decent enough firewall can take care of the security as well as it would through NAT and your router. The biggest issue is that none of this crap needs to be connected to creepy Peeping Tom companies and their "analytics". I would love to check my house temperature from work or see what's in my fridge while I'm at the grocery store, but I don't need some creepy company cataloging everything I do for their own sociopathic purposes.

"The Internet of Things" has less and less

Re:

[plover]

Not necessarily. Sure, some devices, like the Nest thermostat, only work with a data-grubbing service. Others allow you direct control. Some offer remote control via a service because people can't figure out how to safely poke a hole in their firewall, but offer unsecured local control from within your network.

Fortunately, not every thing is sold as a service. You can still exert control with your wallet. Support good companies that don't require a service, and shun those that do.

Re:

[K. S. Kyosuke]

The "Internet of Things" doesn't even rate as a solution in need of a problem

Hmph. Solutions in the shape of "everything should be/have X" seem to be frowned upon by many people (Smalltalk - everything should be an object!), but they seem to have proponents and detractors that without fault keep aligning themselves into two camps ("the unifying principle is more flexible!" vs. "I'm never going to need that"). On one hand, you may argue that you're never going to use that. On the other hand, if you had it, and you were installing a new alarm system, you wouldn't need to separately in

Re:

[NapalmV]

Someone that haven't yet commented on a certain beta (and thus is still receiving mod points), please mod the parent up. The worst thing to do to security is to interconnect everything and, on top of it, have some "central" authority to manage all the stuff. Unfortunately this is the thinking of most CIOs today. While autonomous, distributed, locally managed subsystems have always proved to be more resilient to attacks.

Re:

[K. S. Kyosuke]

give up on the whole "internet of things" idea as it's a loser from the get-go

That depends. I actually sense an opportunity here. Since the IoT is going to involve small devices, one obvious option is to write your software along the lines of Oberon and you should be safe by virtue of using the minimum code possible - you're not expected to pack a web browser with it, are you? Then again, aside from these mundane issues, it all hinges on the security of the protocols involved, not just their implementations, and the protocols themselves appear to be less than optimal in many places.

the one answer they won't find acceptable

[Anonymous Coward]

I want to keep my devices secure. This means: Let me control them. Don't require them to phone home, or to be connected beyond my local network if I don't want. If they need to talk to a server, let me run that server on my own locked down box in my own house. Let me replace the OS on the "thing", if I want, because I won't be able to trust yours, because you have every incentive to sell me down the river.

Unless I control what software is run, and what it talks to, then there can be no security for my "internet of things".

But you won't, will you? You didn't really want to know I can keep my "internet of things" secure. What you really wanted to know was: how to present a facade of broken security while data-mining me to hell.

Re:

[JaredOfEuropa]

A lot of people were none too pleased by the acquisition of Nest by Google. Companies like Nest who are in the business of making shiny thermostats and selling those to us, can be trusted to some degree having no interest in our data for anything other than quality control purposes. Even so, I would prefer to have a choice to not have the device phone home, or the option to run my own server in case I am worried about the level of security at that company... or in case the company gets bought by the likes

Re:

[mounthood]

I want to keep my devices secure. This means: Let me control them.

DRM / Remote Control are hard to defend, but *I* don't want to manage the milk carton chip which tells the refrigerator it's empty. I could manage it, being a technical person, but the majority of people don't even have that option.

So what are we going to do?

Don't require them to phone home, or to be connected beyond my local network if I don't want.

The milk carton will be restricted to talking to the refrigerator, but *I* don't want to manage a refrigerator. You want "things" to only talk locally and any external communication to go through a server you manage? That sounds reasonable at first, but

The monetizers demand data

[swb]

The whole drive behind IOT isn't convenience, it's monetization of information.

The marginal cost of a "smart" device is much more than the marginal return selling such a device on its own merits. Either you jack up the price of the device to cover the gee-whiz features or you don't, but the only reason they don't is because they have figured out how to sell this info to someone else.

The Nest is a great example. I think the last 7 day programmable thermostat I bought might have been $50; the Nest is $249 from their online store. What, exactly, does the Nest do that my Honeywell model not do for $200? It may be able to vaguely predict occupancy and make adjustments, but the "dumb" Honeywell model pretty much covers this -- we get up, we leave the house, we come home, we go to bed at about the same time. There's so few use cases where automagic adjustment would make any sense (and many where it wouldn't work).

A smart fridge is one where there's almost no use cases that don't involve product/marketing tie-ins -- selling my use of tagged products to marketers.

The only way you're going to get IOT is if you either pay the freight for the intelligence or let the device sell your info.

Re:

[Tom]

A smart fridge is one where there's almost no use cases that don't involve product/marketing tie-ins -- selling my use of tagged products to marketers.

Uh, actually that's one of the very few examples I can think of that does have a use. How often have you been in the supermarket and wondered "do I have any X at home or not?"

Re:

[swb]

And the shopping cart in the grocery store will happily announce you don't have any Megacorp Brand Product X at home. It won't tell you that you have a competitor's product at home.

Re:

[Tom]

Bullshit paranoia reply. Sure, it could happen, but seriously, would you buy this crap? Now ignorant Joe may - but when he comes home from the shop with his Brand X in hand only to find that he does, in fact, have Brand Y in the fridge, he'll consider it broken.

One way or the other, this kind of blatant abuse is not going to happen. The marketing parasites are smarter than that. They'll datamine the hell out of you, and they'll manipulate you, but they won't be caught lying to you outright in a way that you

Re:

[coofercat]

Actually, I'd like a way to remotely control my heating, and so that dumb thermostat isn't going to cut it. I used to have a home-brew thermostat that I could control from the Internet - it meant I could turn the heating on as I landed at the airport so it was warm when I got home. I travelled a fair bit, so used this facility a fair bit. It's not too terrible to come home to a cold house and wait 1-2 hours for it to warm through, but why not use all this new technology to make things a bit nicer?

FWIW, I've

Only one sure way

[petes_PoV]

Do not allow them to connect to anything. I know it sounds trivial, but sometimes the only remedy for "Doctor, when I do <this> it hurts" is to stop doing <this>

Cisco is looking for a few good genius morons

[Zero__Kelvin]

What kind of combination of genius and moron do you have to be to solve a major security issue like this and then give it to Cisco in exchange for virtually nothing?

me. I have to write the paper anyway.

[raymorris]

I may submit a paper. I have to spend a couple of months writing the paper anyway, for school. I see no reason that I wouldn't send the already-written paper to Cisco and see if they send me back $70,000 and the recognition from the conference.

Re:

[Zero__Kelvin]

So you are planning on submitting the schools paper? What do you think is going to happen when Cisco pays you money for submitting a paper that wasn't yours to submit? I'm guessing the school, which owns the rights to your work, is not going to be very happy when they find out you submitted their paper to Cisco.

citation? 80% I checked didn't claim copyright

[raymorris]

Thanks for mentioning that. I'll check my school's policy.

I just looked at the policies for five universities. Four of the five explicitly acknowledged that students own their work. The fifth had a "copyright assignment" form that I didn't read, so that school may have tried to get copyright assigned for student works, or it may be like Yale, where SOME works be employees, done as part of their employment, is owned by the university.

Re:

[Zero__Kelvin]

So you are saying that you still haven't checked your schools policy?

I have not found any objectionable claim at my sch

[raymorris]

For my school, I have not found any policy by which they attempt to claim copyright, or a copyright assignment form I would have signed.

I also have not found any document in which they explicitly acknowledge that under law, copyright belongs to the (student) author.

Re:

[Zero__Kelvin]

Whatever I'm smoking, I managed to figure out how to create a Slashdot account and log in.

Wild Things

[daedlanth]

Great, we are on the verge of finding out where all the Wild Things are! Right?

When you win the prize...

[istartedi]

When you win the prize, be sure to go downtown and flash the cash in front of everybody. When you get beat up and robbed, use your leftover money to post a prize for "flashing your cash around town without getting beat up and robbed". If anybody says you shouldn't do that, casually dismiss them. They are not part of "the club".

Re:

[50000BTU_barbecue]

Your sig would be even more intensely painful with some apostrophe s thrown in.

Re:

[marcroelofs]

And correct use of the phrase "for all intents and purposes"

Re:

[marcroelofs]

I just saw you already covered that :-)

Powerline networking firewall

[Anonymous Coward]

I've always been suspicious of new appliances having powerline networking chips built-in to communicate with smart meters, or possibly beyond that. I'd really like to be able to install something on the lines leaving my breaker panel that acts like a firewall and blocks any kind of network communication over powerline.

Re:

[hax4bux]

Isolation transformers have existed as long as there has been TEMPEST.

Re:

[Ungrounded Lightning]

I'd really like to be able to install something on the lines leaving my breaker panel that acts like a firewall and blocks any kind of network communication over powerline.

1. Get some electrical-noise suppression ferrite toroids and some ceramic capacitors at your local electronics store. (.005 microfarad at a minimum of 600V would be good for the caps. 1000V or higher on cap used for 240V circuits.)

2. In your fusebox connect a cap from each breaker's hot output to the nearest ground bus, keeping the wire

IOT Security NOT

[jraff2]

Most devices that one would connect to the Internet of Things - IOT are mundane data, not peeps into ones life.
Temperature, humidity, wind, sun, rain, etc. None of these need security, so why bother?
Only the things that indicate some personal action, absence, presents like open/close door, walk down hall, would one want to be secret, use HTTPS.
Since most of the reporting will be mundane statistics the security is NOT needed, just us HTTP.

Re:

[Zero__Kelvin]

You may not care if you wake up in the middle of the night freezing only to find out that you have no hot water because your pipes are frozen, but I personally do care if my temperature controlled environment is being controlled by someone with nefarious intent.

How will they support 20+ year old IoT devices???

[BUL2294]

Let's see... I'm going to trust that an appliance vendor, some of whom have yet to add an OS (Linux, Android, etc.) to their devices, will properly create the security for said IoT device? Cisco is clearly looking to become such a vendor, and I don't think they're prepared to deal with the consequences & unbelievably protracted support schedules--way longer than Microsoft's ~10 year lifecycle for Windows and Office. Ultimately, will my IoT fridge that I buy today continue to work properly 20+ years dow

Re:

[petes_PoV]

Support? Why would they care?

We know from the pattern of "upgrades" that smart TVs get (i.e. none, or maybe one if there's a major bug) that once a manufacturer has your money any relationship has ended. We should expect no less from smart devices. They will work with whatever software/firmware they were released with and when that dies, gets corrupted, becomes obsolete or a hard-wired IP address disappears, you will basically have a brick. Or, if you're lucky. a brick that still has some manually selectab

SOOO simple

[slashmydots]

This is really simple. If you have a smartfridge, don't install Android or Windows on it. Make it a device that would barely qualify as an ASIC that only does what it does. When was the last time someone said their handheld calculator got hacked? If all you need to do is list an inventory of things in your fridge and set temperatures of drawers, make an electronic device that does that and only that. DO NOT just use a pre-existing platform because it's easier. It's a guaranteed way to get hacked.

Re:

[tapspace]

Embedded and security are my things. I do automotive, so I am used to an industry that will happily incur half a million dollars of engineering cost to save ten cents in per part cost. The thing is, an ASIC is expensive. A microcontroller is cheap. Unfortunately, an ASIC does, by definition one thing and a micro does everything. If you get "root" on the micro, you can run whatever software you want. The people that make these decisions mostly care about per part cost, regardless of security implicatio

An Internet of Everything - NZCI000201690

[Jimekai]

The particular Cisco forum gives an error notice, so I don't take them too seriously. I told them I intend to make an entry, not for a single thing, but for everything. I cobbled together a submission using paragraphs from my missives. With a hundred day effort I could launch a full proposal for Ingrid. If it would be better then, that I relocate back to Canada, I'm prepared to go. This interim challenge involves Artificial Economic Modelling not built on Capitalism but on a completely different mode altog

as all security contests...

[Tom]

...this is a publicity stunt. 300k is the total price money, the highest an individual entry can win is 75k. Sorry, but the real experts expect amounts like that as payment, not as maybe-couldbe-whoknows price money.

So you'll have participants largely being the B class who need the exposure and publicity. That's fine. Maybe not for a general concept, though.

More importantly: What's so different about the "Internet of Things"? That's just the latest buzzword. It's still network-connected devices. Sure, they'