FTC sets $25,000 prize for automatic IoT patching

The U.S. Federal Trade Commission is scheduled to announce Wednesday a “prize competition” for a tool that can be used against security vulnerabilities in internet of things systems.

The prize pot is up to $25,000, with $3,000 available for each honorable mention. The winners will be announced in July. The announcement is scheduled to be published Wednesday in the Federal Register.

The tool, at a minimum, will “help protect consumers from security vulnerabilities caused by out-of-date software,” said the FTC.

The government’s call for help cites the use of internet-enabled cameras as a platform for a distributed denial of service (DDoS) attack last October. Weak default passwords were blamed.

The FTC wants automatic software updates for IoT devices and up-to-date physical devices. Some devices will automatically update, but many require consumers to adjust one or more settings before they will do so, the FTC said. The winning entry could be a physical device, an app or a cloud-based service.

This isn’t the first time the FTC has offered cash for software tools. In 2015, it awarded $10,500 to developers of an app that could block robocalls.

The winners of that contest were Ethan Garr and Bryan Moyles, the co-inventors of the RoboKiller app, both of whom work for TelTech Systems, a communications technology startup. Their winning app was initially developed as a side project.

“It gave us something to work toward,” said Garr, of the FTC contest, in an interview. “It gave us a deadline, which in technology is really valuable because software projects can go on forever without one.”

Their contest submission included an iPhone with the installed app. They also had to pay their own expenses to attend a DefCon conference in Las Vegas for the FTC’s final judging.

“I don’t think they get enough credit for how passionate they are in solving the problem,” said Garr, the vice president of product TelTech, of the people involved in the FTC’s effort.

The initial version of RoboKiller forwarded all calls to the app’s servers for analysis. It used an “audio-fingerprinting algorithm” to quickly determine whether it was a robocall or not.

A new version incorporates Apple’s new CallKit technology to identify robocalls. Users can also set up conditional call forwarding to TelTech’s servers for those calls that are declined, for instance. The service will check multiple databases for information about the call, and the developers plan to soon roll out an additional feature that will show a photo of the caller from social media. It charges $1/month for the service.

The FTC’s IoT patching plan may have limits. One issue with IoT security is embedded devices that may continue to operate long after their last patch, and may even survive the companies that created the systems.