The Federal Trade Commission (FTC) recently announced a new competition that challenges the public to create a tool that consumers can use to protect their homes from Internet of Things devices. While contestants can use this opportunity to show off their skills, Flexera Software said this challenge is a “no-win situation,” and that it shouldn’t be up to the public to create something that would safeguard their homes from attacks.
Although the challenge would, “at minimum, help protect consumers from security vulnerabilities caused by out-of-date software,” according to the FTC’s IoT Home Inspector challenge homepage, Flexera’s vice president of product management Mathieu Baissac said that he thinks it is going to be difficult for developers to meet that challenge and find one solution that will work across all vendors.
The government taking action raises awareness of consumer safety when using IoT devices, but Baissac said it’s up to the makers of the device or software to let the user know when there are defects, especially because users cannot spend all of their time researching when their devices need to be updated. Instead of having consumers responsible for looking up security patches and fixes for their own devices, the IoT providers should just send out automated and secure patches, he added.
Baissac also said makers should consider protecting their users by conducting penetration tests, and they should review the open-source components they use to make sure there are no security vulnerabilities.
“They need to, or they should, consider penetration testing,” he said. “You say, ‘I’ll hire a hacker or a hacker-like person who will try to attack my device and make sure it’s bulletproof.’ The other thing that we want to do is if there are any open-source components, [you need to] make sure you know what the components are and make sure you stay on top of any security vulnerabilities in those components.”
Baissac added that software vendors often don’t write their own communication package, so many of them use OpenSSL or something equivalent. “It’s important that they keep track of those components so they are not hacked,” he said.
Also, vendors need to track devices to make sure they can “call home,” or call the back end, to see whether the device has the newest version.
While it might be impossible for end users to protect themselves from a security perspective, said Baissac, vendors can take issues into their own hands and make sure there are no security holes in their products by pushing updates to devices remotely.