MITRE will give you $50,000 to 'fingerprint' rogue, dangerous IoT devices
MITRE has launched a competition in the hopes of finding new, innovative solutions to issues for IoT security.
The Internet of Things (IoT) is an industry which has now spread from industrial applications to our homes. The smart grid and city monitoring systems to Wi-Fi and connected fridges now all exist, and while IoT can make urban living more efficient and bring our core services into the modern age, the moment you connect a device to the web you create a path for cyberattackers to potentially exploit.
While security researchers and vendors alike grapple to meet this emerging threat, MITRE's Unique Identification of IoT Devices Challenge aims to provide a way to separate malicious "things" from legitimate devices which are functioning properly -- a small but important step in tackling IoT security.
The non-profit research group says that if network administrators know exactly what devices are connected to an environment -- including if an attacker is switching devices in and out -- through "unique identifiers" or "fingerprints," then this will give them enhanced control over a network and security as a whole.
This can be especially important for businesses which often have little knowledge of which devices are connected and what they are -- from Wi-Fi-enabled printers to smart fax machines and air conditioning systems.
As strange as it sounds, any of these seemingly trivial products could open the door of corporate networks to threat actors.
MITRE's competition is seeking new approaches to this problem. While vendors in the future may embed digital signatures into their products, the non-profit says we need a solution for devices already in use today.
If you are interested in competing, you need to come up with a solution which does not need any changes in IoT protocols or manufacturing processes. The solution must also be simple and affordable.
MITRE has provided a model home network for the challenge and will give winning participants up to $50,000 for their work.
"We believe that the identification techniques that prove effective in a home system will translate to industrial, healthcare, military, smart city, and other IoT networks," the organization says.
In recent weeks, a severe 620 Gbps distributed denial-of-service (DDoS) attack levied against the Krebs on Security blog highlighted this emerging issue.
The botnet capable of flooding the website with such a powerful torrent of malicious traffic with the overall aim of disrupting legitimate operations used a network of IoT and connected devices with poor or no security. Once compromised, these products were added to the botnet and commanded to send requests to the domain.
The attack did not successfully take down Krebs on Security but the hosting provider, Akamai, had to take the business decision to withdraw its support due to the costs involved in fending off such attacks.
Google parent company Alphabet's Project Shield has now offered the website refuge, but to make matters worse, the source code of the IoT device-enslaving botnet responsible for the attack, Mirai, has now been released to the public.
MITRE's competition will run from early November for roughly six weeks, but participants need to sign up this month.