Smart home technology is intended to make our homes more more convenient to control and better protected. An unwanted side-effect is that the devices used introduce an easy way for hackers to take over. Recognizing this danger, the US Federal Trade Commission (FTC) has launched the IoT Home Inspector Challenge.
This competition, asks participants to create a technical solution that consumers can use to guard against security vulnerabilities inherent in the software of the current generation of domestic Internet of Things (IoT) devices.
It is open to those aged 18 and over, either as individuals or in teams of any size but is prizes, a main prize of $25,000 plus up to three honorable mention prizes of $3,000 each, can only be awarded to citizens or permanent residents of the United States.
The rubric states:
The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.
It also explains what has led to the contest:
Every day, American consumers use Internet-connected devices to make their homes “smarter.” Consumers can remotely program their smart home devices to turn on their lights, start the oven, and turn on soft music so they return to a comfortable environment when they get home from work. Smart video monitors enable consumers to remotely view their homes, pets, or children. Smart fire and burglar alarms address safety issues through sensors and alerts. And smart thermostats can automatically adjust temperature settings depending on the time of day and presence of people in the house. To tie all these devices together, smart home platforms are also beginning to proliferate across the marketplace.
While these smart devices enable enormous convenience and safety benefits, they can also create security risks.
It proceeds with a reference to the DDoS (Distributed Denial of Service) attack that affected Twitter, Spotify and other sites reliant on the Dyn DNS server in which smart devices, used in “botnets”, were involved.
The FTC comments:
This incident demonstrated that lax IoT device security can threaten not just device owners, but the entire Internet.
It also refers to incidents where live feeds from smart cameras have been publicly available on the Internet.
With this background in mind the FTC is looking for a “tool” that consumers can deploy to guard against security vulnerabilities in software on the Internet of Things (“IoT”) devices in their homes.
The deadline for registering and submitting entries is May 22, 2017 at 12:00pm EDT and what is required is:
- An abstract (a title and a brief text description) explaining how the tool functions, which will be made public and should be easy for the public to understand.
- A link to your short video that must be publicly available on YouTube.com or Vimeo.com and demonstrate how the tool works.
- A detailed explanation (written description) of the tool that enables judges to evaluate how well it works, how user-friendly it is, and how scalable it is, including how the tool will avoid or mitigate any additional security risks that it itself might introduce into the consumer’s home.
The judges will award points as follows:
(i) Functionality (60 points out of 100 total score)
- Recognizing what IoT devices are operating in the consumer’s home. A tool may automatically recognize devices or provide instructions for consumer input.
- Determining what software version is already on those IoT devices. A tool may automatically recognize the software version or provide instructions for consumer input.
- Determining the latest versions of the software that should be on those devices.
- Assisting in facilitating updates, to the extent possible.
(ii) User-friendliness (20 points out of 100 total score)
How easy is your tool for the average consumer, without technical expertise, to set up and use?
Judges will also take into consideration how well the tool:
- Displays or conveys information about which devices it has assessed.
- Accurately communicates the risk mitigation provided by the tool (e.g., it should not give the impression that it solves all security problems).
- Allows consumers to control any information being sent to a third party, to the extent that any such information is being sent. This includes making short, but accurate, disclosures about the information flow.
(iii) Scalabilty (20 points out of 100 total score)
The Submission must explain how the tool could be used for products other than those addressed specifically in the Submission.
Up to 10 bonus points will be awarded for other ways in which the tool helps consumers guard against broader security vulnerabilities in IoT device software in their homes.