Hi everybody. I'm Mark Eichorn. I'm with the Federal Trade Commission. I wanted to speak to you with my colleague Aaron Alva today about our IoT Home Inspector Challenge. We actually have the winner of the challenge on the phone, who's going to chime in later about his project. But before we dig in, I just wanted to let you know I'm in the Bureau of Consumer Protection at the Federal Trade Commission, and I work in a division that does privacy and data security work.

I'm Aaron Alva. I'm a technologist at the FTC. I'm in our relatively new security and research group, OTech. So we do security and privacy research, a whole host of research, anything from network traffic analysis of smart TVs to ransomware and so forth. And so here we also need to give our general disclaimer: we both work for the FTC, but the views here are our own and not necessarily those of the Commission or any one commissioner. But we want to talk to you about what the FTC has done when it comes to IoT security over the last year and a half or so, as well as the challenge that we announced this week.

Okay. So just a word about the FTC: our big boss was actually here. She was at DEF CON and she was here. We have two commissioners who are sort of in charge of our agency at the moment, and one of them was here. And so what we do in my division, with support from our friends in OTech, is privacy and data security work. So this challenge was related to sort of updating IoT devices. So just to give you some background about what led us to do this challenge: we had done some workshops, they're sort of like conferences essentially, on issues relating to mobile security. So the question of, well, you know, how often are devices updated, and if the device manufacturer releases an update, how and when does that actually get to consumers?
We also held a workshop on the Internet of Things, and part of that was learning that, yeah, consumers don't actually do that great a job of finding and downloading patches or updates, often because they don't know that they're out there. And we recently did, last month, a workshop on connected cars, privacy and security concerns.

So we also do enforcement work, so case enforcement. So in that context we had a case called ASUS, involving ASUS routers. We resolved it through a consent agreement with the company. But in the course of that we alleged several things. One was that security researchers had reached out to the company over time to alert them to vulnerabilities, and they just didn't have a good process for handling and processing those. So they didn't necessarily act on certain tips that they got from researchers. They also, when they did fix things, at one point they'd fixed the problem and released a patch, but it was eight months before they actually let people know. Like, if a consumer had registered with them, it was eight months before they let them know, hey, a patch is available. And then finally they had a tool that would allow you to find out whether there was an update available to the firmware, and that tool didn't work. So sometimes there was a patch available but the tool would tell you that there wasn't. So among the relief in that case, we required them to provide notice to users if there's a vulnerability patch available or an upgrade available.

A couple of other cases that we brought, both again consent agreements. One was the HTC matter, involving basically some software that HTC had put on top of the Android smartphone system, and they introduced some vulnerabilities in doing that. So as part of our relief in that order, we required them to release patches for about a couple million HTC smartphones.
And then finally in the Oracle matter, Oracle was releasing updated software to address vulnerabilities, but then they weren't necessarily replacing the outdated software. So sometimes the newer updated software would just be installed alongside the old, still vulnerable software. So those were a few of the things that led us to think about a challenge related to consumer updates. And we realized, obviously, companies don't always update the software when maybe they should, but particularly when they do release updates, we wanted to make sure consumers had an easier way to find out about those updates and download them. Aaron?

So the FTC has authority under what's called the America COMPETES Act, and we can bring challenges that help come up with some sort of technical solution out there that consumers can use. In the past, the FTC has done challenges at DEF CON related to robocalls. We had Nomorobo and Zapping Rachel here, at DEF CON 22 and 23, and we're interested in challenges such as the Home Inspector Challenge that really answer these questions that are difficult questions to deal with from a policy standpoint sometimes, but actually scream out for a technical solution. So in particular with the IoT security challenge, the scope of this challenge was around being able to equip consumers with understanding what devices are on their network and whether those devices were up to date, and potentially what common vulnerabilities were in those devices, and then having some way to help facilitate updates to those devices on the network.
So a lot of what happens when it comes to a consumer, and consumers' understanding of IoT security, is we want to be able to equip these consumers with a better understanding of the potential attack surfaces on their home networks and ways that they can actually help facilitate updates, so that updates actually happen to devices. And one of the discussions that we had here in terms of the scoping of this particular challenge was around facilitating updates. There was a recognition, and the FTC has said this through other processes, including NTIA comments around IoT upgrades and patching, that automatic updates would be the preferable way to go, but for the devices that don't have automatic updates, are there ways that we can still help protect consumers and facilitate updates? And so this particular challenge ran from January through May this year, and the acting chairman of the FTC announced the winner this week.

The criteria around the challenge: we asked people to submit an abstract, a video, as well as a detailed paper that would talk about what they had built, and what they had built was built around certain criteria that were crafted to help address and kind of tease out the things that the challenge was trying to accomplish. These criteria were in three large parts. The biggest part was how well does your submission work, and the idea around that was how do we address the technical feasibility of device identification on a home network: can you automatically recognize devices, or provide instructions for input to help facilitate that too, if needed?
Can you actually profile the devices to determine the software level that is currently on the device? So you could imagine in some context this would be easy, maybe it's broadcast, maybe it's made known in some way, and in other cases, with devices, maybe particularly devices that are potentially older, it may actually be technically more difficult to identify what software level or firmware level is on the device at a particular point. And so being able to do this in an automated fashion is one of the things that we wanted to help facilitate, so that consumers, without having to do anything technical, could actually see this information in their homes and have a better sense of all the devices that were on their network, and what they were, and crucially whether they were up to date. Another part of the overall criteria around how well does the submission work was around assisting and facilitating updates, and that's something that you'll see addressed as our winner briefly talks about his approach, and something that we continue to be interested in. There was also a wild card approach, which the honorable mention made use of, to take a step out of the criteria and show us a blue sky approach. So that was the first criterion: how well does it work, what are the technical feasibilities that we need to help facilitate consumers better knowing what's in their network and whether those devices were up to date.

The second part was around how user friendly your tool is. So when we talk about the reasonable consumer, and we talk about consumers, we talk about our friends and family members that are not in IT, that may not know even what antivirus does, or may not know the difference between WPA2 or any other sort of encryption on Wi-Fi. We want to talk about the consumers that can use this in an easy, user friendly way and can understand information that's being provided to them through this particular tool.
So things like: how easy is this tool to use for the average consumer without technical expertise? How easy is it to set up? We don't want a substantial effort in setting this up. We want this to be something that anyone can roll out on their home networks. And then also, does it display or convey information about the devices it assessed, and does it accurately communicate in a way that's understandable to the users? Does it allow consumers also to control aspects of information, in case there needs to be analysis done off the particular device or solution that is being submitted? So if you need to hit back to your servers or cloud, or however you want to call it, do you give that type of control to the users for that particular information? So that was the second criterion: how user friendly your tool is to the reasonable person, so the reasonable consumer.

The third was how scalable your tool is. The key criterion was explaining how the tool could be used for products other than those specifically addressed in the challenge itself. So is your tool extendable into other areas, or can it be extended in other ways? And then there was also an optional aspect of the criteria that dealt with vulnerabilities. The main focus of the challenge was around facilitating updates where the manufacturer had an update available. But we also wanted to address, as part of the criteria, other ways that would help consumers guard against broader security vulnerabilities. And so that was provided as points that you could get as part of your criteria.

So that was kind of the overall criteria: how well does it work, does it profile devices and understand the level that they're at, facilitate updates; usability, user friendliness for the common user, the non-IT user, the consumers that are out there that have never heard of DEF CON and don't know anything about security; and how scalable your tool is.
So we addressed those with a panel of five independent judges from outside the FTC that came together and evaluated all of the submissions that came in, and that led to our winner. So before we talk to our winner, who is on the phone with us, there was also an honorable mention that was announced. And I wanted to just briefly talk about the honorable mention, because the honorable mention made use of what we call the wild card option. And that was essentially a blue sky approach for a technical solution that would help consumers in this area. And it was Team PINC, Persistent Internal Network Containment. Their honorable mention made use of sandboxing, so that each device would have its own configuration baseline and reporting, so that you isolated each device on the network in a very user friendly way that consumers would understand how to do. So it would limit the attack surface, and if a device was compromised it would limit the risk of the rest of your home network being potentially vulnerable. So that was the honorable mention. And then, do you want to address the winner?

Yeah, let's get him on the phone. Steve is muted right now. Let's get him on. This is Steve Castle, who's the winner of our $25,000 top prize. And Steve, are you on?

Yes, I am.

All right. Do you want to talk a little bit about your winning idea?

Yeah, absolutely. So what I did was the Watchdog mobile application. What it does is it takes a holistic look at your network. And what it does asks you to log into it. It clearly states that the location credentials are going to be sent anywhere out. And does that a background web view? And what does that week station for the application, the steps of the agent. We take steps.

Steve, we can't quite hear you. Sorry about that. So I will try my best to summarize what your tool has done, as much as I can understand it right now. So Steve Castle was our winner.
And he came up with an app called IoT Watchdog that enables simple, secure management of IoT devices on the home network. And through his app, it facilitates kind of what we talked about in the criteria, which is an app that has the devices that have been identified on the network and the type of device it is. And for devices that can't be identified, there's actually a user flow that can go by quite easily, that starts at kind of company name and walks the consumer through identifying which device it is in particular, so that the consumer has a better inventory of devices on the network. And it helps then scan the local network for things such as default or weak passwords. And users can use the app to know about the device inventory and their known implementations and configurations. And it also has a part that helps facilitate updates and notify the consumers, and gives them a really user friendly way to describe what's on the network and what might need to be done to help facilitate updates.

Right. So what excited us about this was, again, we're looking for some way, you know, where a company has released an update. You know, like Mirai obviously happened at the time that we were planning this workshop. But to the extent that these IoT devices might be out there for a long time, it's great if companies release the updates, but then consumers, if they don't know where they are, how to get to them, whether there's been an update for their device, you know, that's not a great situation for our overall security. So Steve's IoT Watchdog sort of helps surface the availability of updates for the consumer, and helps find which devices they have, and helps alert the consumer that there's a vulnerability update available.

Yep. So in summary, we're right up against our time.
So in summary, we wanted this challenge to help equip consumers, non-IT consumers that know nothing about security or anything technical, to help have them understand what is on their network, and for devices that don't do automatic updates, help facilitate those updates in a way that is easy for the consumer and helps get those devices up to the level at which they are updated based on the manufacturer, and then also take a step further in going and addressing vulnerabilities and common design flaws. So we're around here at DEF CON if you want to talk to us or have other questions about the FTC, but thank you so much for your time. Thank you.

Yeah, so the question was, like, wouldn't the product just fail if it wasn't easy to use? And I think that was, you know, if we're giving away a pot of money like $25,000, we want to make sure that it is easy to use. So we made that part of our criteria.

Yeah. So for the challenge, where we've crafted the criteria, we wanted a component that was easy to use, to emphasize and try to really make sure that whatever comes out of this challenge does get adopted. I think your question is separate, like, out in the marketplace, is the FTC going to require ease of use? And if the market doesn't, if a product's not easy to use, it's just going to fail? That's an area where, you know, I don't know personally of any requirements along those lines. No, we're a law enforcement agency in general, and we leave the legislation for the most part to Congress.

Yes. Yeah, question. Yeah, let's see, we have authority to do reports under our statute, and that report is underway. I think that the deadline is this fall sometime for announcing that. Appreciate it. And the report, just so everyone here is around.
The FTC has an authority called 6(b) that says we can go and ask different companies to provide us information as the basis of an overall report of what is happening around a particular area, and the report that we've asked for is around mobile updates and mobile security. And as part of that, we asked a number of, was it OEMs? OEMs, in conjunction with the FTC, or with the FCC, about what they do for mobile security updates and what their process is and so forth, so that we can help understand what's going on in that marketplace.

I believe there is an automatic component to it, and there's also a way to add individual devices to it. It's my understanding. I believe so. I believe so. But Steve is on the phone, but I can also follow up with you or point you to the winner too. Well, thank you, everyone.