MITRE Dangles $50,000 Prize For Spotting Rogue Internet of Things Devices (securityledger.com)
Long-time Slashdot reader chicksdaddy quotes Security Ledger:
MITRE Corporation, the non-profit corporation that helps tackle some of the trickiest technical and security challenges out there, is dangling a $50,000 prize for anyone who can develop a solution for spotting rogue devices within an Internet of Things network...saying that it's looking for ground breaking new approaches to securing diverse Internet of Things networks like those in connected homes.
"Network administrators need to know exactly what is in the environment, or the network -- including when an adversary has switched out one device for another. In other words, is the smart thermostat we see today the same one that was there yesterday? We are looking for a unique identifier or fingerprint to enable administrators to enumerate the IoT devices while passively observing the network... " Their registration form will be open through October, and the challenge will end after four weeks in November, or "whenever someone wins."
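The challenge text above asks for a passive fingerprint that lets an administrator tell whether today's thermostat is the same device as yesterday's. The following is an added illustration, not code from MITRE or Security Ledger, of how such a detector can be structured: a passive tap emits one record per lease or flow, the records are aggregated per device, and the resulting profile is hashed into a fingerprint that is compared against a baseline. The field names, the constructed log lines, the hostnames and the `tls` values (standing in for a TLS ClientHello digest such as JA3) are all assumptions made for this example.

```python
"""Passive IoT fingerprinting and drift detection (constructed example)."""
import hashlib
import json
from collections import defaultdict

# Constructed sensor output: one JSON record per observed DHCP lease / flow,
# as a passive network tap might emit. No active probing of devices is done.
# Field meanings (assumed for this example):
#   ttl    - IP TTL seen on packets from the device (hints at the OS/stack)
#   dhcp55 - DHCP option 55 parameter request list, in the order sent
#   dhcp60 - DHCP option 60 vendor class identifier
#   tls    - digest of the TLS ClientHello (e.g. a JA3-style hash)
#   dst    - hostname the device contacted
BASELINE_LOG = """
{"mac":"aa:bb:cc:11:22:33","ttl":64,"dhcp55":"1,3,6,12,15,28","dhcp60":"ThermoCo-T100","tls":"c4a9fe0b","dst":"api.thermoco.example"}
{"mac":"aa:bb:cc:11:22:33","ttl":64,"dhcp55":"1,3,6,12,15,28","dhcp60":"ThermoCo-T100","tls":"c4a9fe0b","dst":"time.thermoco.example"}
{"mac":"c0:ff:ee:00:00:01","ttl":64,"dhcp55":"1,3,6,12,15","dhcp60":"CamCo-IPC","tls":"9b9b9b9b","dst":"cloud.camco.example"}
{"mac":"de:ad:be:ef:00:01","ttl":255,"dhcp55":"1,3,6,15","dhcp60":"LampCo","tls":"0f0f0f0f","dst":"hub.lampco.example"}
"""

# Today: same MAC on the "thermostat", but every stack-level feature differs
# (a swapped box keeping the old MAC); the camera is gone; an unknown device
# has appeared.
TODAY_LOG = """
{"mac":"aa:bb:cc:11:22:33","ttl":128,"dhcp55":"1,15,3,6,44,46,47,31,33,121,249,43","dhcp60":"MSFT 5.0","tls":"77aa77aa","dst":"api.thermoco.example"}
{"mac":"aa:bb:cc:11:22:33","ttl":128,"dhcp55":"1,15,3,6,44,46,47,31,33,121,249,43","dhcp60":"MSFT 5.0","tls":"77aa77aa","dst":"time.thermoco.example"}
{"mac":"de:ad:be:ef:00:01","ttl":255,"dhcp55":"1,3,6,15","dhcp60":"LampCo","tls":"0f0f0f0f","dst":"hub.lampco.example"}
{"mac":"02:00:00:00:00:99","ttl":64,"dhcp55":"1,3,6","dhcp60":"","tls":"deadbeef","dst":"unknown.example"}
"""

# Features that come from the device's network stack rather than its traffic
# pattern; a substitute device rarely reproduces all of them at once.
STABLE_FIELDS = ("ttl", "dhcp55", "dhcp60", "tls")


def build_profiles(log_text):
    """Aggregate per-MAC behaviour over one observation window."""
    profiles = defaultdict(lambda: {"dst": set()})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        prof = profiles[rec["mac"]]
        for field in STABLE_FIELDS:
            # keep a set so a field that flaps inside the window is visible
            prof.setdefault(field, set()).add(str(rec[field]))
        prof["dst"].add(rec["dst"])
    # sorted lists give a canonical, hashable representation
    return {mac: {k: sorted(v) for k, v in p.items()} for mac, p in profiles.items()}


def fingerprint(profile):
    """Stable digest of a device profile (canonical JSON, sorted keys)."""
    canon = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def compare(baseline, current):
    """Return (mac, kind, changed_fields) for every difference between windows."""
    findings = []
    for mac in sorted(set(baseline) | set(current)):
        if mac not in current:
            findings.append((mac, "missing", []))
        elif mac not in baseline:
            findings.append((mac, "new", []))
        elif fingerprint(baseline[mac]) != fingerprint(current[mac]):
            changed = sorted(k for k in baseline[mac] if baseline[mac][k] != current[mac].get(k))
            findings.append((mac, "changed", changed))
    return findings


def triage(findings):
    """Admin-facing verdicts: stack-level changes are the strongest passive
    signal of a swapped device; destination-only changes are softer drift."""
    verdicts = []
    for mac, kind, changed in findings:
        if kind == "changed":
            strong = [f for f in changed if f in STABLE_FIELDS]
            verdict = ("possible swap: " + ",".join(strong)) if strong \
                else ("behaviour drift: " + ",".join(changed))
        else:
            verdict = {"new": "new device", "missing": "device gone"}[kind]
        verdicts.append((mac, verdict))
    return verdicts


if __name__ == "__main__":
    base = build_profiles(BASELINE_LOG)
    today = build_profiles(TODAY_LOG)
    for mac, verdict in triage(compare(base, today)):
        print(f"{mac}  {verdict}")
```

Because the thermostat's MAC is unchanged but its TTL, DHCP request list, vendor class and TLS digest all differ, the detector reports a possible swap rather than trusting the MAC; the lamp, whose profile is identical, produces no finding. The limits are the ones the thread's halting-problem comment points at: a device that reproduces every observed feature is indistinguishable from the original by passive observation alone, so a fingerprint like this bounds confidence rather than proving identity, and legitimate firmware updates will show up as drift that an administrator has to review.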
Select *.* (Score:1)
So where do I collect my prize?
Re: (Score:2)
So where do I collect my prize?
That's pretty much it. IoT devices have to be cheap to be even remotely attractive, to make up for the obvious uselessness of many of them, Most of these devices have no real justification, or the hazards outweigh the benefits.
Re: (Score:2)
IoT devices have to be cheap to be even remotely attractive
It is not an issue of cheapness. Security can be done in a few kilobytes of firmware, which is a negligible additional cost. It is about convenience. When a customer plugs in a smart lightbulb, they want it to "just work" and they don't want to spend five minutes configuring it.
Disclaimer: I have an Amazon Echo, a Wink Hub, and several connected IoT devices (lightbulbs, door locks, motion sensor, garage opener). Some features are useful, like opening the garage door with my cellphone, and using voice
Re: (Score:2)
Opening a garage door with your smartphone is stupid and dangerous when you're pulling into your driveway. Unlike a regular garage door remote, you can't do the smartphone purely by feel. Also, pretty much impossible when riding your bike, whereas again, it can be done by feel from 100 feet away, no problem. AND no internet needed.
A regular remote, you have to be within range. An IoT remote, you can open someone's door from anywhere in the world. Really stupid. Your insurance is going to bitch about coveri
Re: (Score:1)
Don't put your garage door on the internet, just need to get to it off my x509 WiFi then set up a GeoFence task that if it's paired with my car and just entered the fence, open the door.. and vice versa.. hands free, and considerably more secure than the garage door opener I was using with strong end-to-end crypto.
Just pretend the I in IoT is a lowercase L and set up a Lan of Things.. then run a VPN Server on your router for remote access and don't buy anything that's 'Cloud' enabled or requires a subscription fe
If it comes from China and is a brand you never heard of. It's going to be a problem.
Or a famous quality brand name which you see sold new on Ebay for $3.50 from China with free shipping.
Solution (Score:1)
$50k? (Score:2)
I'll build as many rogue devices as they need for that price!
Halting Problem (Score:2)
Is the smart thermostat we see today the same one that was there yesterday?
I bet this can be demonstrated to be equivalent to the halting problem. The question should be really: here are the specifications of a certain device (whether dictated by the manufacturer, or determined empirically): does the present device match them? With every query from here to eternity? Under all circumstances? That smells like the halting problem.
So, in other words, you can never be completely certain of the answer, only confident up to specific bounds. Maybe that's good enough, but $50K for that kind of work is not, and the amount of effort involved for the general case is not. A good solution for the problem is going to be the sort of thing that would take a startup into a medium-to-large corporation.
But there are really much better ways to avoid the problem in the first place. I mean, to paraphrase a professor of mine, we don't need a microprocessor in every doorknob. Just don't use the damned things. Your fridge does not need to be on the net. Nor do your chairs. Nor each door in your house. Your washing machine works perfectly well without being on the net. So does your garage door. The risks of putting highly insecure interfaces on such items just do not justify the potential benefit.
That used to be a cartoon: "In a fit of manic brilliance, network engineer Joe Blow wires the shredder into the office network".
Highest Respect for MITRE (Score:2)
MITRE. These people I hold the highest respect for.
One of my former classmates from Worcester Polytechnic Institute (who got FAR better grades than I ever did, and who was near the top of the Engineering class of 1976) is working for them.
I also met some former MITRE folks here in Bellingham whom I immediately knew were very smart in the security field.
If these folks are offering the prize; I know they will be very diligent in assessing the applications.
What exactly ... (Score:2)
that we expect to be present being hijacked for nefarious purposes. And even if I don't plug my TV set into my home network, what's to stop it from turning on its WiFi and establishing a mesh network through the neighbors' TV sets until it can reach some remote command server?
Re: (Score:2)
I suppose it would be your neighbors choosing not to buy TVs that run open access points.
My neighbors aren't that smart, and neither are yours.
Re: (Score:2)
So, something like this [boxcarcabin.com]?
I'm going to depend on my neighbors' knowledge of secure IT systems to protect my privacy? Yeah, right. He works for Microsoft.
Re: (Score:2)
that we expect to be present being hijacked for nefarious purposes. And even if I don't plug my TV set into my home network, what's to stop it from turning on its WiFi and establishing a mesh network through the neighbors' TV sets until it can reach some remote command server?
Like my Comcast wifi which now routinely offers unsecured Xfinity wifi to all passers by in the neighborhood (by design); and as a bonus, occasionally drops my secure wifi so that my devices switch over to the public Xfinity network, silently?
Watch the lights? (Score:1)
Just watch the router and cable modem lights when they should be idle and make sure they aren't blinking away.
if you ask me all IOT devices are "rogue" (Score:2)
From what I've seen all IOT (more like IOSS "Internet Of Shit Security") devices are insecure.
So if you detect an IOT device it's pretty much guaranteed to be "rogue".
It's a complete joke how piss poor the security is on these devices. It's 2016 and we've had decades of devices being hacked over the internet. And the complete morons making this crap are *STILL* shipping them with default usernames and passwords, back doors, etc.
Personally I think the best way to get some focus on this shit fest will be fo
Raspberry Pi (Score:2)
Re: (Score:2)
Dumb User Answer: My PC is Windows, not MAC
Competent User Answer: My MAC address is blah-blah-blah...
l33t h@x0r d00d answer: My MAC address? What do you want it to be?