Ask HN: I’m an FCC Commissioner proposing regulation of IoT security updates

3387 points by SimingtonFCC ↗ HN
Hi everyone, I’m FCC Commissioner Nathan Simington, and I’m here to discuss security updates for IoT devices and how you can make a difference by filing comments with the FCC.

As you know, serious vulnerabilities are common in IoT, and it often takes too long for these to be patched on end-user devices—if the manufacturer even bothers to release an update, and if the device was even designed to receive them. Companies may stop supporting a device well before consumers have stopped using it. The support period is often not communicated at the time of sale. And sometimes the end of support is not even announced, leaving even informed users unsure whether their devices are still safe.

I’ve advocated for the FCC to require device manufacturers to support their devices with security updates for a reasonable amount of time [1]. I can't bring such a proposal to a vote since I’m not the chairman of the agency. But I was able to convince my colleagues to tentatively support something a little more moderate addressing this problem.

The FCC recently issued a Notice of Proposed Rulemaking [2] for a cybersecurity labeling program for connected devices. If they meet certain criteria for the security of their product, manufacturers can put an FCC cybersecurity label on it. I fought hard for one of these criteria to be the disclosure of how long the product will receive security updates. I hope that, besides arming consumers with better information, the commitments on this label (including the support period) will be legally enforceable in contract and tort lawsuits and under other laws. You can see my full statement here [3].

But it’s too early to declare victory. Many manufacturers oppose making any commitments about security updates, even voluntary ones. These manufacturers are heavily engaged at the FCC and represented by sophisticated regulatory lawyers. The FCC and White House are not likely to take a strong stand if they only hear the device manufacturer's side of the story.

In short, they need to hear from you. You have experienced insecure protocols, exposed private keys, and other atrocious security. You have seen these problems persist despite ample warning. People ask, ‘why aren’t there rules about these things?’ This is your chance to get on the record and tell us what you think the rules should be. If infosec doesn’t make this an issue, the general public will continue falsely assuming that everything is fine. But if you get on the record and the government fails to act, the evidence of this failure will be all over the Internet forever.

If you want to influence the process, you have until September 25th, 2023 (midnight ET) to file comments in the rulemaking proceeding.[4] Filing is easy: go to https://www.fcc.gov/ecfs/search/docket-detail/23-239 and click to file either an ‘express’ comment (type into a textbox) or a ‘standard’ comment (upload a PDF). Either way, the FCC is required to consider your arguments. All options are on the table, so don’t hold back, but do make your arguments as clear as possible, so even lawyers can understand them. If you have a qualification (line of work, special degree, years of experience, etc.) that would bolster the credibility of your official comment, be sure to mention that, but the only necessary qualification is being an interested member of the public.

I’m here to listen and learn. AMA. Feel free to ask any questions about this or related issues, and I’ll answer as many as I can. I just ask that we try to stay on the topic of security. My legal advisor, Marco Peraza, a security-focused software engineer turned cybersecurity lawyer, will be answering questions too. I’m open to incorporating your ideas (and even being convinced I’m wrong), and I hope that my colleagues at the FCC are as well. Thank you!

Edit: The Q&A is over now, but please keep this great disc...

942 comments

[ 2.5 ms ] story [ 370 ms ] thread
Hopefully automatic updates by default gets in there, because no one is going to manually update nay of this
commitments on this label (including the support period) will be legally enforceable in contract and tort lawsuits and under other laws.

When it comes to U.S. laws that touch technology, enforceability is a mess. Spyware, spam, fraud, misleading labels, etc. are already governed by various state and federal laws, yet enforcement efforts are whack-a-mole at best.

For IoT devices, having the proposed requirements sounds good in theory but I fear it is practically unenforceable, particularly for consumer-grade devices manufactured overseas.

However, if powerful IoT platforms are also tied into the new regs - with Google, Amazon, Apple, Microsoft, PTC, HPE, etc. required to audit supposedly qualified devices and ban those that don't meet the standards, with escalating penalties for failing to do so - that might shift the needle.

My 2 cents.

Hmm, yeah. Just as fraud telemarketers set up a new shell run by the same principals when the legal bills come due for their old one, so we're likely to see new labels for a new shell company slapped on the same old insecure IoT box.

So I'm not sure "escalating penalties" is going to cut it. It's still whack-a-mole. You need a way to kill the mole, not just drive it to pop up a new hole.

You need a way to get to the principals. They're the mole.

You need to either make them personally liable financially, or you need to jail them. Nothing else is going to stop serial fraud-behind-a-shell-company.

I'm not sure I have an answer. But whatever answer there is needs to be applied not only to fraud telemarketers (please), but also to fraud IoT manufacturers/resellers.

If there’s a private right of action you can bet the class action lawyers will do the enforcing.
Fair enough, but against whom?

Fly-by-night foreign manufacturers or exporters would be difficult to prosecute. Unless the domestic importer, reseller, or transportation provider can be held liable, even class action lacks teeth.

Your point about buyers at scale is really important. The current effort is focused on sellers, but we think that if sellers have to define their security commitments, buyers will pay attention and their risk management people will insist on high standards.

I fear it is practically unenforceable, particularly for consumer-grade devices manufactured overseas

Also a good point. The way we handle this for RF interference is to look at distributors and importers, not just manufacturers, but there will probably always be an untrustworthy product tier out there.

They're proposing an opt-in labeling program that essentially amounts for to the FCC underwriting certain attestations that vendors are choosing to make about their products.

This means that someone applying the label without meeting the standards the label indicates would be guilty of exactly the sort of fraudulent advertising you're describing, and contract and tort law are the relevant mechanisms of enforcement for this.

I'm not sure what you mean by enforcement efforts being "whack-a-mole at best", but if you're expecting some sort of preemptive regulatory barrier to be enforced by a bureaucratic agency in advance, that's just not the way this sort of thing works or is intended to work, and the FCC certainly wouldn't have the legal authority to implement such a regime.

Legal actions for fraud, false advertising, trademark infringement (in the case of trademarked standards certification badges, e.g. UL) are frequently used mechanisms for this sort of thing, and seem to work well enough to ensure that vendors are deterred from fraudulently applying certification labels to their products.

What’s your approach wrt. open source, and generally preventing security through obscurity?
How about requiring devices to accept alternate, Free Software firmware, from the upstream provider?

At the very least, it should be possible after some time period of no updates or insecurity, but a blanket requirement is less susceptible to games.

Probably the best thing to happen to wireless routers is OpenWRT and the other descendents of the WRT firmware.

As far as I remember FCC about 8 years ago didn't liked OpenWRT, and even enforced on TP Link to lock it.
IIRC the main objection was that it could be used to do something with the radio (boost power?) that caused the device to exceed FCC limits for a consumer radio? Something along those lines?
For those out of the loop these documents have a good introduction to how free software interacts with radio regulations

https://wireless.wiki.kernel.org/en/developers/regulatory/st... https://wireless.wiki.kernel.org/en/developers/regulatory

TLDR manufacturers and "serious" companies won't touch anything that could potentially be configured to emit signals that your local government doesn't like. So Linux has to pretend it doesn't allow to do that (even though anyone with 2 braincells can patch it)

It was about the radio and being able to modify the radio firmware.

As many modifications would void the FCC certifications of the device, due to changed parameters (more power, disabled anti-interface mitigations, out-of-band channels, etc.). This was avoided by making the radio firmware separate blobs, but there was a real danger of the whole device having to have signed firmware.

The main issue these days is the 5GHz band that might interfere with radar. That's mostly an issue outside near an airport, that is, it affects practically nobody, so the solution is to snoop the problematic bands and disable them when detecting radar signals, and use them otherwise for a bandwidth boost.

These days this seems to be mostly done in wifi chip firmware (that is then signed and under lock and wrap to make it tamper proof), but back in the day it was too easy to circumvent the mechanism.

There was no requirement that firmware be locked down.

The requirement was that consumer radio transmitters could be too easily made to use frequencies and power levels that violate FCC regulations.

If a device had a transmitter where firmware could control those things, and the firmware for the device was one blob that contained everything so letting the user replace firmware meant letting the user control those restricted parameters, then the manufacturer might have to lock the firmware.

There were other possible approaches. One would be to split the firmware into two parts. One part for the radio hardware and the other for everything else. Make it so the firmware update process only allows the manufacturer to supply the first part.

Isn't that a bit overreaching? I can make you a device the spews garbage on any wavelength you fancy, so they're really only preventing accidental radio pollution. Even in that case it's pretty unusual to prevent a consumer device (other than a radio) from being used in an unlawful way, Part 15 notwithstanding.
I believe the regulation applies to such a device you make as well, not specifically consumer Wi-Fi products. I.e. if you make a transmitting SDR it's not supposed to allow certain things.

The prevention all comes down to enforcement though, the law doesn't physically stop you from making a device it just means you could get in trouble for intentionally ignoring it and selling a lot of those devices.

You're totally right. I'm trying to make a moral argument, I think if it were unfeasible for an individual to make something (e.g. modern CPU) then you could make an argument for producers limiting them on the basis that it would effectively prevent anyone from doing the banned thing. The fact that it's roughly as easy to reflash an IoT device with custom firmware as it is to make an antenna that produces noise in a forbidden frequency means that you are adding a technical measure to prevent just some of that illegal action and not stopping a determined hacker.

I'm not claiming it wouldn't be an overall social good, but other areas of law and regulation don't seem to function like this (with notable exceptions like photocopying banknotes).

The (particular) law isn't actually aimed at stopping those who just want to go into their garage and produce illegal interference out of malice. E.g. people can create 200 Watt space heaters in their garage easily but it'd be odd to then conclude CPU regulations wouldn't stop people from doing bad things with CPUs.

That is to say, it's infeasible the average someone will make a working Wi-Fi radio which uses the Japanese channel 14 (involves changing what is sent by the radio, not just raising the frequency... unless you want to accurately re-adjust the frequency inside of your smartphone too) but it is reasonable to expect the average someone might just load some open firmware from the internet which allows them to set the channel to 14.

I will say I agree it's different than a lot of regulation. On the other thing I think that has more to do with radio space itself being very different than most things (i.e. a shared public resource) than inconsistency.

People were asking online for help dealing with WiFi interference, and were getting answers telling them how to install open source firmware on their WiFi routers, and giving them exact commands and configuration changes that would set the power higher than was legally allowed or stop them from avoiding channels that were being used by active weather radar (5 GHz WiFi shares channels with weather radar and is supposed to monitor and only use those channels when the radar is not in use).

I suppose you could call that accidental radio pollution, because most of the people doing it probably didn't realize that they were causing interference, but regardless it was becoming a problem.

Hence regulations to address it.

That's the world we're in now. You have a problem, you do a search online for help, and among the answers you often will find some that really should only be used by people with more experience or expertise than you but do not make that clear.

Vint Cerf and I shot that proposed anti-dd-wrt regulation down thoroughly: filing here:

http://www.taht.net/~d/fcc_saner_software_practices.pdf

Substitute IoT for router in everything we wrote there on page 12-13 and that seems to be a starting point everyone around here has come to think is necessary. I would prefer not to summarize such a large filing here.

Also Dan Geer wrote extensively on these topics at the time.

Of late I have been strongly suggesting that software be at least "built in america": https://blog.cerowrt.org/post/an_upgrade_in_place/

I care most deeply first - that the front doors to our houses, the home gateways, are properly secured, kept up to date, and have ipv6 and bufferbloat fixes on them.

IoT devices belong on their own vlan...

I am all for alternative free software firmware. But I don't think it adresses IoT security in any meaningful way.
Why? The person you are replying to outlined one major example where IoT security was improved: wireless routers. Not allowing users to update the software on the hardware they own is just a botnet waiting to happen.
99% of users don't know their iot devices have firmware nor that it can be updated.
Maybe that figure would change if the firmware could indeed be updated.
It would change, but again -- it wouldn't be appreciable.

Security policy is needed that accounts for the behaviors of the vast majority of users.

Users update their phones, there's no reason they can't be educated to update their other devices
Most non-technical users that I know don't actively update their phones and push back when I tell them that they need to do so faster than the automatic process because of an actively exploited vulnerability.
They may have trusted family members, friends, or neighbors who they feel comfortable allowing the management of their internet connected devices.
No. As long as their iot device is still working consumers could care less about security updates.
What do you mean by "no"? Are you denying the existence of my grandparents who trust me to manage their devices?
This approach may function effectively with your close family members. However, it can sometimes fail when your cousins won't let you near their IoT devices because they view you as the hacker or tech enthusiast who might tamper with their gadgets.
So what? Just because there are some atypical people doesn't make it a "no".
I am saying that people like you are not enough to help the 99% of people who have an iot product.
Apart from Smart TVs, most people don't have an IoT device to begin with.
Smart speakers, printers, thermostats, light bulbs, security cameras, door bells, locks, smartwatches, TV sticks...
I don't count a watch as an IoT device. And most on the market are Apple devices.

Apart from printers and smart TVs, less than half of US households have any of those other devices.

https://www.statista.com/statistics/1124290/smart-home-devic...

Anecdotally, most people I know who own those devices are the more technically inclined. Especially the thermostats and light bulbs. Even the doorbell surveillance networks have low penetration.

Free software firmware would be great for free software lovers and tech experts, no doubt. But sophisticated users who'll take advantage of things like that are only 1% of the market.

But if the aim is to stop DDOSes from botnets of poorly secured IOT devices, we need something to help the other 99% of the market.

> But sophisticated users who'll take advantage of things like that are only 1% of the market.

Most folks can't or won't do lots of things in their lives (e.g. plumbing, electrical, construction, lawn services, Automotive).

The main thing blocking routers and IoT devices is the control every vendor wants to hold over their customers' devices after sale.

Even if you give control to the users, it's up to them to use it.

I'd argue that the main blocker to IoT security is the lack of culpability on the part of device manufacturers. I don't want to go so far as to suggest that companies should be wholly liable for software bugs, but vulnerabilities that are brought to the attention of the company privately or disclosed publicly absolutely should be their responsibility to address.

For you or me (or most of the folks here I suspect) we feel better if we had the ability to decide what software our fridge runs, but for 99% of people they're better off if their fridge's manufacturer provides them with regular security updates for the life of their product.

That being said, these aren't mutually exclusive. In a perfect world we'd have laws compelling fridge companies to allow 3rd party software if they don't keep their firmware up to date.

I'd argue that in an ideal world, a fridge wouldn't have networking capabilities!

Even if I don't buy one, I dread to think of what might happen if enough fridges across the world stopped working all at once (demand for non-perishable food and fridges would skyrocket).

For the sake of consumer safety in our imperfect world, there should be a safe-mode hard switch fallback for any life-critical and/or high wattage device that gets networked.

I'm sure the number of routers running OpenWRT is dwarfed by the number of OpenWRT-compatible routers running vulnerable, stock firmware.

Allowing people to install software on their hardware isn't a cure for vulnerabilities. It's a step in the right direction for sure, but it's a very small one from the perspective of something as huge as "IoT security".

We have worked very hard in the OpenWrt and Linux projects to make it easy to update them in the field. Linux distros, android, apple, openwrt, etc have this facility built in now. IoT should also.
Devices should have the ability to run whatever software the user chooses. My point is that simply allowing this isn't enough to ensure those devices are secure.
but that's just because manufacturers desperately hide the fact that their own firmaware is based on OSS, and that there are alternate stacks available.

imagine instead that vendors had to acknowlege the structure of their firmware, and make the (usually obvious) hardware interface documented from sale. that would automatically solve the issue of out-of-support(-by-vendor) hw.

replacing the firmware can allow knowledgeable users who want to secure their devices to improve the security. it can also allow malicious actors to replace the firmware (or trick users into replacing the firmware) with something less secure. allowing users to replace the software on the hardware they own is also a botnet waiting to happen.
The solution without free firmware (and I don’t like this) is that the device bricks itself at the end of its scheduled lifetime.

Which is to say, you are buying a multi-year lease up front. And the manufacturer should send you a recycling return box.

This is a more honest way to sell these devices.

Consumers that would not care about length of security updates will suddenly very much care how long their “lease” is… and manufacturers would compete on the length of that lease (which is where the FCC could require security updates for the length of the lease period).

That just forces e-waste. Aftermarket firmware lets a device stay useful indefinitely.
It allows users to replace insecure software with secure software. And it allows updates long after the company drops official support of the device.
That's great for the 0,1% of users who will do that. As said: I'm all for it. But the problem is the other 99,9%.
Seriously. I'm a SWE and I would throw out a TV and get a new one before spending hours minimum figuring out how to switch the firmware to a open source version.
Because right now we have to actually perform some exploit to run custom firmware most of the time. What if there were just a toggle in the settings menu for which repo to look at?
Probably not, honestly. I get paid to do things like manage dependencies, and I'm not trying to do it at home. If this was one and done, just click a button and forget about it again, then maybe, but if I have to do things like think about what model number I have, and is it compatible with this version of the firmware, then no way.
(comment deleted)
This is kind of adjunct to the right-to-repair question. "Smart" features are being added to things that a person would expect to have a long usable lifetime--like cars, kitchen appliances, and so on. If the manufacturer is saying, we'll only support the "smart" features for five years, one would be inclined to opt out on that unless there is a way to ensure the appliance remains useful.
This is also a key point to fighting ewaste and making devices last longer. I have appliances from the 70s including a rotary telephone, that I still use regularly. If you combined mandatory OSS support with repair cafes, you would have a model for sustainable reuse and better security. You may even start a commercial aftermarket in reflashing older devices!
Yeah if companies that make IoT hardware complain about the costs to keep old devices updated then they should be required to make them more user-modifiable and release source code / signing keys when they're abandoned by their manufacturer so that they can be picked up by the communities and development can be continued (also requires some policing to determine when hardware is functionally abandoned, as releasing a minor update once a year that doesn't fix real bugs should still be considered abandoned). Repair cafes would be fantastic for helping support small businesses keeping people's old hardware running.

Of course, manufacturers don't want that either because they make money off of planned obsolescence and consumers keeping old hardware running makes them less likely to buy old hardware.

Releasing Signing keys seems a potentially dangerous one. Someone could produce malicious firmware, sign it, and convince your device to auto-update with it.

I think (and I'm a security know-nothing, so could very well be off in the weeds), the firmware should accept updates signed with two keys. The manufacturer key, which can allow automatic updates, and a post-service key that cannot be automatic. Either a user has to initiate the firmware update manually, or consent via some other means.

This post-service firmware may very well enable a third key for automatic updates of its own, so there's just a manual step on the transition from manufacturer to some community project you support, not each revision afterwards.

Presumably they'd remove the auto-update functionality before releasing signing keys and require that it be physically loaded by a user at that point.
That's assuming they make a final firmware update. Having the 2nd manual key available from day 1 ensures the device is unlockable with just a release of the key. Having a 2nd key or a signed unlock firmware update I guess are two ways to achieve the same goal, but the 2nd key would be better. The 2nd key likely stay in place forever, in each update, while the unlock firmware would likely end up remaining as the original firmware, because why would most vendors build two firmwares for each release. It would sit forgotten on a drive somewhere. The use of original unlock firmware could mean making a device vulnerable between loading the unlock firmware and the community firmware, so the 2nd key is preferred. It's always ready.

Ideally, the key would also be pre-registered somewhere to ensure they can't skip out on releasing it, but I'm not sure how you do that without it potentially leaking before the device reaches end of support. I guess a code sitting in a lawyer's vault somewhere. Again, nobody is paying the lawyer to refresh his vault's firmware image after each patch, so 2nd key wins over unlock firmware again.

Why a lawyer's vault? I know lots of people would love to take ownership of the device immediately, but from the device creator's perspective, they tend not to like that... especially if a device is a source of subscription revenue. So I'm not sure how you'd get vendor buy in to early release unless it becomes mandatory... which I can't see.

At rotary phones still compatible with todays standards? If that’s the case I might get one too.
It's been years since I've seen a landline, but as of a ~decade ago you could still dial "rotary" by tapping the receiver hook with the correct spacing. (1 click to dial a "1," 2 clicks to dial a "2," etc. with a pause between digits.)
In my case I use a small gadget to convert the pulses to DTMF tones, which feed into a voip connection. The point is that the device itself still works, unlike much iot crap which can't be made to work once the server goes down.
I'm a big supporter of the idea of applying right to repair principles to software, but I don't think it should (or legally can) be implemented by fiat of unelected bureaucrats at the FCC. Labeling requirements like what the OP is proposing seem much more palatable to me.
Openwrt is not the best example. Community sucks, some routers are full of bugs and the security is not great either.

In general even if I like open devices and having the option to use my own software, this is not a solution for most of the consumers.

It is not a solution even for the enthusiast that know how to flash their own firmware. Because even if they may do it a few times initially, eventually they stop doing it.

You need a system that can update automatically even when you are busy in another project.

openwrt is surely lacking in many aspects, but all the points you brought forward also apply to the manufacturer firmware but those are even less user friendly and cannot be modified.

there are a lot of open and closed firmware projects building upon openwrt

I am not clear how "all the points you brought forward also apply to the manufacturer firmware"
> but all the points you brought forward also apply to the manufacturer firmware but those are even less user friendly and cannot be modified.

That's more than a reach of a claim. All manufacturer firmware are buggy with poor security? That's very obviously false. With closed manufacturers the history is that it's a mixed bag, not a blanket. Some are excellent, some are very poor.

Openwrt has been mediocre and all the negatives about it do not equally apply to all closed manufacturer firmware.

> All manufacturer firmware are buggy with poor security? That's very obviously false.

guess we have a difference of opinion then

There is absolutely no scenario where I want the firmware of any of my infrastructure devices updating without my say so. Even if there are dire security consequences of not updating.

If a firmware update on my smart watch bricks it, who cares? But if my entire house/office is without internet connection because of a bug in the router update, then I don't want to waste time determining if its my ISP, my physical connection, my local hardware, or the firmware update that just occurred silently. I want to send the "update" command, note that network response did not resume within 5 minutes, and revert from there.

A lot of folks tend to think of firmware updates as identical in complexity and risk to any other software update. I submit that if it can't go wrong in such a way that it requires an in-system-programmer to fix, its a software update, not a firmware update.

In that sense, I think true firmware updates (e.g. BIOS updates and the like) require a different set of regulations than your standard IoT security updates.

I see two essential points (that might have been addressed in another comment somewhere else in the thread, but I can't read everything) regarding pushed firmware updates:

• It happens, especially if the update has been a "quick fix" to a security issue, that the update introduces unexpected behaviours, or incompatibilities. Supposing this was just a "security-only" update that doesn't change any features, I would approve it, and then discover it breaks something in my installation (e.g., compatibility with a specific device or software I'm using). In that case, I need to be able to rollback the update and run the previous firmware version (possibly mitigating the security issue in another way, if it's properly documented) to avoid serious issues that, depending on the device, might prevent important equipment from being operated.

• For firmware updates that include more than security fixed, approval and the possibility of rolling back is even more important. It's quite common that updates remove seldom-used features a minority of users depend on. It even happens that some features get removed and replaced by subscription-only services, which is even worse.

Maybe the presence or absence of this capability could be something disclosed on the label? It's an idea worth thinking about. I encourage you to file a comment with your thoughts on the matter. You probably want to focus on how this information could help a security-concerned consumer/business make a better purchasing decision. Or if you're arguing that this be a hard-requirement for the label, why a device should not be considered secure without this capability.
Also, one of the single most important parts of security is human manageability. Having to go into a proprietary app for each manufacturer.

There's this level of management at the google/amazom/apple level, and in some cases google even lets me push firmware updates (sennheiser ambeo is an example), BUT there should be a requirement that security settings in firmware be exposed in a way that they can be manipulated in a rolled up dashboard. I shouldn't have to depend on a first party app to stay maintained to get to the settings for a device.

Possibly weird idea: federal firmware escrow. The OEM gets to put a stamp on their product after submitting firmware source/keys to the FCC. When the OEM either declares the product not supported or provides no updates for X length of time, the files are automatically published to a public repository. Perhaps there is an appropriate license which says essentially that it is almost public domain, with an exception (or fee?) to use it for any purpose other than supporting the lifetime of an existing product.

As others have stated, free software is one way of giving the public ability to keep things up to date but that's almost like the government saying people are allowed to clean up pollution. It doesn't put any pressure on companies to behave better.

Another issue is build-ability of open source code. If an OEM submits firmware source and keys to a third party, even regularly, who really knows whether it is actually functional and complete. Automated tests or sample hardware are possible ideas but have their own failure modes and could be difficult for to implement solely for this purpose.

Another weird idea for the above. If one requirement was deterministic builds, then in addition to source/keys, a suitable toolchain to build could also be required such that the repository stewards would only need to run exactly what the OEM provides, and if the checksums don't match then it means they are not in compliance.

I like this idea! A code&keys escrow org, yes please
This is an amazing idea and I would only buy a product that has this stamp on them. I would put some additional triggers into the publication of source code as well, notably if the company goes out of business. I would also put some kind of timer and renewal process on it, like a company needs to recertify every 1-5 years (pros and cons to different time lengths) and that they have indeed been providing actual updates (and not just fake ones) and actual support.
The OEM could be allowed to choose their recertification period, perhaps with slight differences in requirements. Perhaps even different options offered by company size. For example 1-5 employee companies might get a "no recertification, provided as-is" option which releases automatically 3 years after filing. Vendors who re-certify every 6 months could get an extra mark on their stamp or whatever. There are tons of possibilities honestly, and though I've been thinking about it for a long time writing it is much easier to come up with more.
Agree this approach seems to be worth investigating further, but as a citizen of a non-US country, I'd like to see a solution that wasn't based on a US-centric set of controls and governance bodies.

These days, with nationalism and populism rampant across the world, I think we need a solution where no one country (or country's leader) can simply decide to turn off critical infrastructure for the rest of the world and/or hold the rest of the world to ransom. Then you run into questions of "do we really want (insert bad country) to be able to expose IOT source code to their evil hackers?".

This is a really difficult problem to solve, but ultimately I think ownership of the "keys" to unlock escrowed code needs to reside with (winging it here...) a body such as IEEE or ISO. Or possibly something like a global council where e.g. any 5 countries out of 7 can collaborate via a sharing of keys to release source code, but no one country is able to do so.

I completely agree that such a thing should not be US-only. There would need to be a clear distinction between one-gov't backdoor and voluntary regulatory certification, because ultimately the goal would be for other countries to follow suit and provide similar/identical certifications. You could look to standards bodies to provide standard implementation details on what "firmware escrow" is, what exact formats and files must be included, etc. IEEE, ISO, JIS, DIN, and all of them could write or adopt the document. But actually running the service and providing the certification is a little closer to a patent office than organizing standards which is why I propose doing it federally. Think Energy Star (which is a US gov't program based on EPA standards) which has been implemented successfully outside of the US.
Classic tech to think of technical solutions to a regulatory problem, but I like it.

Could have the code run in a sandbox where people can apply “external” network traffic trying to hack it (or apply vulnerabilities), inspired by how you can run ML models on kaggle.org on Kaggle servers to validate models.

Have end-points as honney-pots, so if you can access these endpoint you prove you have compromised the code.

If there is no new code with patches the keys are released.

This way FCC/gov don’t need to maintain a technical system. Just build this once.

So this feels like an amazing idea...but do we really want to give the federal government the keys to update your equipment remotely and to be able to pinpoint weaknesses of the source? This feels like Edward Snowden's grimmest nightmare.
As I understand that's not what's being proposed. The "keys" in this case would decrypt the encrypted source code that's available in a public repository, and there's some logical mechanism(and actual use for smart contracts) that would key the key in escrow until certain conditions are met(company doesn't renew, goes out of business, etc.) After which it will be publicly released so anyone can decrypt the already available encrypted source code
And what happens if the server holding the keys gets compromised? I guess most manufacturers won’t care, but the more reputable ones would have things in their source they consider proprietary and would definitely not want to have to submit it.

Verification that it is, in fact, the actual shipped source might not be trivial either.

What happens when someone hacks GitHub and gains access to private repositories? That slim possibility doesn't stop the vast majority of companies from hosting their source in a private repo.
Framed like that, it sounds terrible. However, consider this:

[1] This discussion is about a federal agency providing certification of products essentially in the form of a stamp (on a device, website, etc.). Nothing is stopping a vendor from committing to and offering the same thing but without government involvement. This could easily be a selling point for the paranoid. Something something blockchain and smart contracts...

[2] Even though we're discussing IoT devices, it's not necessary that they be capable of updating over the air 24/7. Creative engineers could probably devise a method to prevent complete remote takeover by anyone holding the keys– physical switches, additional authentication required during the support period, etc.

[3] Personally, I think the federal government getting access to keys for any IoT device made/sold in the US is the only part of this idea that could already be happening. They can knock on doors or mail subpoenas, plant moles, etc. I would be much more comfortable with a technical solution on the physical device than any presumption of privacy in the current state.

A challenge to this sort of suggestion is that the device OEM rarely controls all the software which goes into a device. There are third-party modules, hardware drivers, and more, which are also components. Then there are patents.

Either the escrow would have to apply to all software on the device, regardless of whether owned by the OEM or third parties, or OEMs would be required to vouch for all the included software.

I'd prefer the former myself: multiple software and patent assets can be combined, but on support EOL, all those become public domain.

Build / release / update toolchains must also be included.

I have been thinking that something along these lines should apply to most embedded systems, from mobile phones to game consoles to IoT devices. And more, for cases when companies go under: industrial control automation, etc.

However, it's very hard to police: what if the company only provides a header file or so? Or the basic OS but not the UI?

Moreover, what counts as "support"? There have been cases where companies refuse to consider remote code execution a "security issue". What's to prevent token updates that let the company claim a product is supported while it's riddled with holes?

I could also see companies fighting teeth and nails against this if their devices share a common software base. But hey, you have your support incentive right there!

The problem here is the government can’t be trusted with the signing keys. They will simply use them to deploy their botnets.
(comment deleted)
I like this angle. Require device manufacturers to actually comply with OSS licenses and extend it to require providing the means for consumers to build upon the software as you mention.

Furthermore, if the concern is national security, then I think some of the onus should be on the corporate consumers of such devices. Holding them responsible for doing due diligence on their vendors seems easier to regulate and enforce than trying to regulate supply side.

Of course, this leaves the general population without a clear solution to updates if the process of updating using alternate channels has any amount of friction whatsoever. I'm clueless as to what to do about that. Regulating it entrenches established companies. Not regulating it maintains the status quo.

Anecdotally, it feels like software has gotten far more secure in the past decade without regulation but security theater and concerns around national security have grown considerably faster. This isn't easy to measure of course, but that's how I see it.

The best alternative firmware example for true IOT devices is Tasmota [1]. Erase manufacturer firmware for every ESP devices the day after purchase to avoid those careless manufacturer firmwares.

[1] https://tasmota.github.io/docs/

I guess the one thing I can hope you consider is that not everyone or everything is a for-profit company and you should leave open source and individual human developers out of these coercing regulations and only apply them to incorporated entities that exchange products for money.

The idea of a random human being forced to keep writing software via the threat of being sued is incompatible with human freedom and in that context would be far worse than the problem it "fixes".

How can we define a security vulnerability meeting this "serious" requirement? There are a wide variety of vulnerabilities, so it seems difficult to define this strictly.
I think you're right that it would be difficult for the FCC to precisely define exactly when security updates are required. This is a problem in law generally, one that is usually resolved by imposing a reasonableness standard. Maybe here, a vulnerability needs to be patched if it might reasonably be expected to allow an attacker to take control of a device, or to do so when combined with other known or unknown vulnerabilities. Or maybe a different standard. Then when enforcement/lawsuits come around, the judge/jury/regulator has to evaluate the reasonableness of the manufacturer's actions in light of that standard. We'd love to see commentary on the record as to what the right legal standard might be. (originally posted at https://news.ycombinator.com/item?id=37394188)
Hurrah, more red tape!

Please let customers opt out of your proposed protection, if they want to.

(And it sounds like that's already the status quo. So perhaps you could use your time to figure out where you can cut obsolete and cumbersome regulations instead of adding more mandatory bureaucracy that customers evidently don't want enough to pay for voluntarily?)

There might be an argument to be made about negative externalities. The economic standard answer is either let the Coase Theorem sort it out, or to tax the externalities. Not to ban what you don't like.

https://en.wikipedia.org/wiki/Coase_theorem

What's stopping hobby/micro-developers from saying 'Not FCC approved, use at own risk'? I hack on ESP32 devices, I certainly have different expectations as a hobbyist and as a consumer or consultant.
> What's stopping hobby/micro-developers from saying 'Not FCC approved, use at own risk'?

OP is. Or rather, he wants to make it impossible to opt out. At least that's how I interpret these two paragraphs:

> The FCC recently issued a Notice of Proposed Rulemaking [2] for a cybersecurity labeling program for connected devices. If they meet certain criteria for the security of their product, manufacturers can put an FCC cybersecurity label on it. I fought hard for one of these criteria to be the disclosure of how long the product will receive security updates. I hope that, besides arming consumers with better information, the commitments on this label (including the support period) will be legally enforceable in contract and tort lawsuits and under other laws. You can see my full statement here [3].

> But it’s too early to declare victory. Many manufacturers oppose making any commitments about security updates, even voluntary ones. These manufacturers are heavily engaged at the FCC and represented by sophisticated regulatory lawyers. The FCC and White House are not likely to take a strong stand if they only hear the device manufacturer's side of the story.

Sorry for any confusion. The relevant language:

If they meet certain criteria for the security of their product, manufacturers can put an FCC cybersecurity label on it.

So if they don't, they can't put the label. That's all.

Well, making a voluntary sticker to opt-in to certain legal obligations is fine.

But you are saying already that manufacturers don't really want to commit to anything? What makes you think the sticker would change that?

(In principle, I'm all for manufacturers offering more warranties. But when it comes to spending money, privately I almost never opt for the enterprise grad hardware that does come with warranties like long term guaranteed support.

Instead I rely on reputation, eg that Google will keep providing security updates for their Pixel phones for a few years as they have done in the past, even if there's no legal obligation for them.

And I wouldn't want any regulation to take that choice away from me. I'm glad to have escaped the EU where appliances are more expensive, partially because manufacturers are forced to include a two year warranty with each device.)

The labeling program provides a signal to consumers that the device meets a certain standard. The incentive to the manufacturer is that it allows them to borrow the FCC's reputation and advertise a security that is well defined. The consumer can see that the device has that certification, and know that product has legal obligations, and

It's a pretty reasonable first step. No manufacturer is being punished, there's no warranty requirement, and the gov isn't taking away choice. Instead the FCC gives manufacturers a way to reliably signal to consumers that their product meets a security standard. Google can do that because they're Google and have a reputation - this approach would let joe-schmo IOT device manufacturer do the same.

Sure, that's why I am saying that it's not too objectionable.

But that kind of reputation borrowing/lending already regularly happens with private entities. Both companies and foundations etc.

The free market hasn’t figured it out, as evidenced by the decade of half-working devices consumers are left with. There is no way for people to know if products will still work in 2-5 years if it depends on some server staying up.
> There is no way for people to know if products will still work in 2-5 years if it depends on some server staying up.

If customers want it, there is a way: use contract law to commit the manufacturer.

That's already the norm for enterprise grade equipment. Companies often pay more for their hardware to get guaranteed long term support.

So the market is willing and able to provide this kind of service, when people vote with their wallets.

> The free market hasn’t figured it out, as evidenced by the decade of half-working devices consumers are left with.

The free market hasn't provided me with a flying car either. But that doesn't mean the market has failed. And I don't think using bureaucracy to ban any company that doesn't want to sell me a flying car would be an improvement on the status quo.

(To be more explicit: many people, including me, think a flying car would be fun. But we don't want it badly enough to be willing to pay what it would take. And that's why suppliers only offer normal cars, not the flying kind.)

Contract law actually is pretty universally used the other way around, to prevent you from updating. I have several old Android phones with locked bootloaders that I couldn't legally update even if the manufacturer hadn't locked the bootloader. I don't have access to the source code or the signing keys. I'm not sure the signing keys even exist anymore.

And I can't buy a phone with the contract terms I want, they simply don't exist and can't exist unless the government forces companies to offer such terms. (They exist if you're buying thousands, maybe, but I just want one for personal use.)

Yes, contract law only works for contracts that parties agree to.

Contract law can't force companies (nor consumers) to enter into contracts they don't want to be in. That's the whole point.

Have a look at eg https://www.apple.com/sg/support/professional/enterprise/ or the equivalent for Dell or Microsoft etc. All those companies already have programs where you can give them money in return for long term support and contractually guaranteed updates etc. I'm sure you can find similar programs for IoT suppliers.

Some people decide to pay for those programmes, many people don't. I don't see why we should force everyone into buying the equivalent of extended warranties, that they evidently don't want. This kind of stuff isn't free for companies to provide, you know.

Have you ever used contract law in that manner? Did you call up Apple and negotiate a contract for your new iPhone, imposing requirements on them?

Give it a try and report back.

So have you tried it? Has anyone done it? Upthread it was suggested for consumers. (And you'd have to be a pretty big enterprise to have any leverage with Apple!)
You can try it. I don't think Apple will want to talk to you.

That's fine. They have just as much freedom as you do.

We’ve seen manufacturers abuse ongoing access to devices to turn off features the device came with at the time of purchase or convert one-time-fee features into subscriptions. One of my concerns is that security updates are strictly defined in a way that prevents this type of regulation from being used as cover for these shenanigans.
I just want to reaffirm the importance of this point. I've used an open source solution named Home Assistant[0] to manage my own network of IoT devices that I don't expose to the internet. I want to stay local because of the risks involved with the internet and with trusting companies to protect such private data.

As such, I look to purchase relativity open devices. But, companies want to keep trying to inject themselves as a middleman, sometimes after the fact. In that case I'm let with a device that becomes e-waste. I don't know what other actions are being taken in regards to subscriptions, but it's a problem here.

[0] https://www.home-assistant.io/

I'm not a US citizen, but I too would cosign the idea of not using security updates as a vector for pushing monetization "features".
> One of my concerns is that security updates are strictly defined in a way that prevents this type of regulation from being used as cover for these shenanigans.

And then as a manufacturer you need to pay someone to certify that, or otherwise risk a class action lawsuit?

What about hardware that uses third party software? (Either because it's a genuine third party, eg when you put open source on your router, or because the manufacturer split into two companies to exploit a legal loophole?) Can open source software only make releases that update automatically after getting certified, or risk getting sued otherwise?

> The FCC recently issued a Notice of Proposed Rulemaking [2] for a cybersecurity labeling program for connected devices.

That appears to me to be the wrong way to go about this, and it has specifically to do with how IoT security is a problem.

The most severe case of IoT security problems we have seen were things like mass botnets, where plenty of devices of the same type were hacked and then used for things like DoS attacks. Notable cases include the DoS attacks against Brian Krebs for some of his reporting.

The important thing to understand here is that the device owner is not the primary victim. That's a third party.

This is not about consumer choice, because consumers by and large do not care, because they are not the people being affected by this. An optional security label tries to adress it as a consumer choice problem, which it isn't.

That’s only one aspect of the problem.

Lots of people have been bitten by suddenly unsupported devices.

I think it could do some good.

Sure, but the question here seemed to be about security, specifically. What you're talking about is definitely a problem, but it seems like a different one.
Exactly. I don't see the situation improving until either the owner or, preferably, the manufacturer of a device that participates in a DoS attack is held partially accountable for said attack.
Well, you can't hold somebody accountable if there isn't even a label or information somewhere saying that what they are doing is dangerous.
Sure you can. For example, we have vehicle codes that hold people accountable for dangerous driving.
We don't hold people accountable for buying the wrong model of car and using it.
We do -- in a sense. For example, in CA, you can't lawfully drive a car that has failed a mandatory emissions test.

In some sense, cars are better examples for responsible ownership, because almost every state requires you possess insurance to drive it. The price of an insurance premium is (supposed to be) commensurate with the risk of driving it, and insurance premium rates do influence the market for vehicles.

Sounds like you are making an argument based on externalities.

That's fine. But economic theory also gives you standard answers for externalities:

Don't ban the behaviour you dislike. Either let people sort it out themselves (like the Coase Theorem https://en.wikipedia.org/wiki/Coase_theorem describes), or at most tax the offending behaviour.

I don't get what you're saying here. What "offending behavior" are you referring to in this case that might be taxed to disincentivize it?
Suppliers can already make binding promises about their hardware. If you open your wallet wide enough, you can already buy enterprise grade hardware that comes with guaranteed long term support.

OP says, amongst other things:

> I’ve advocated for the FCC to require device manufacturers to support their devices with security updates for a reasonable amount of time [1].

So the offending behaviour in this case would be for a manufacturer not to provide security updates.

Thanks for this great observation. I encourage you to share it in an official comment. In a final rulemaking, perhaps we could make it clear that the purpose of the label is not only to protect the purchaser of the product but also anyone who might be injured by way of a compromised device. In an FCC enforcement proceeding, we have broad discretion in assessing damages. In contract, the third-party beneficiary doctrine could allow victims of such attacks to enforce label commitments. And in tort, statutory duties apply to anyone who is within the class of people that the law seeks to protect. So the law is flexible here, but it depends on what exactly our final rules say.
In order to make it a consumer problem, we'd have to make it a criminal violation to participate in a botnet. We could make it a punishable infraction I suppose, much like a speeding ticket for automobiles, but somehow I just don't see this happening in a coordinated fashion across the world.
I think it is already illegal to participate in DDOS. Even though enforcement is .. pretty much nonexistent? And how could you enforce it? It would create an outcry if done consequently. (But maybe a neccessary one)

But it also will be a consumer problem, if they cannot access important services anymore, because their IP has been blacklisted, because their toaster participated in too many DDOS or spam attacks.

> I think it is already illegal to participate in DDOS.

While it is unlawful to knowingly or intentionally participate in a DDoS, what I'm talking about is the potential of also "criminalizing" (in the sense of a speeding ticket, not jail time - an infraction, not a misdemeanor or felony) using a vulnerable device that is then hijacked by an attacker.

Like you, I don't think it's a realistic outcome; I'm merely brainstorming how one could make this a consumer problem through economics.

Even if consumers don't necessarily care about security, required labelling gives brands an opportunity to stand out from one another. If I'm looking at two products on the shelf, where one claims to have greater security, and the other makes no such claim, I'm likely to buy the more secure one, even if I don't necessarily care much about security. If getting the secure label is relatively cheap (which it should be, since most of the issues we see are the product of laziness rather than being especially hard to fix), than we could see the market dominated by products promoting high security, even without customers ever caring that much about insecure devices.
oh man, you sound like the type of person that would fall for the intentionally misleading labels that makes it sound like one thing but is in fact absolutely not that thing. just yesterday, there was a link to an article about the lies on food packaging.

so, labeling requirements are one thing, but requiring that the information is straight forward and leaves no options for misleading would be great. I just don't think there's ever going to be a way from preventing someone from finding loopholes.

"This milk contains no <insert illegal additive>!"
Making "x years of security updates" mandatory is likely to end up in a warning disclaimer every time you turn on the TV after x years: "This device does not receive any more security updates. You may be at risk."

That will either make a large part of consumers paranoid or annoyed. So they will replace a TV that is in perfectly working conditions with a new TV.

Samsung, LG and the consumerist economy would love that!

I think you are underestimating how a well known „secure“ label (or lack thereof) could influence customer behavior. It’s not that they don’t care - they (understandably) lack deeper knowledge and therefore don’t base their purchasing decisions on how long they will get updates. „If sticker X is not on the package I will get hacked“ is much easier to grasp.
> „If sticker X is not on the package I will get hacked“ is much easier to grasp.

Hmm. In the grocery store, where this idea comes from and has the most persuasive history in govt. regulation, where manufacturers own the front of the package and regulators own the back, what is the healthiest food?

The produce and meat. Which has no nutritional label.

There's no such thing as a secure IoT device. There's absolutely no such thing as a secure connected device that is also cheap.

If you build your computer from commodity parts, it tends to be the longest lasting and most secure. It is usually the most expensive.

Anyway, what would the label for a PlayStation 5 and an iPhone 15 look like? Miles long.

Then, for the consumer buying the cheapest smart plugs off Amazon? Like one paragraph the vendor copied and pasted from the Internet, along with all the other legal shit they deal with.

Whom should be regulated? I guess Amazon and Walmart, the retailers, they are the real gatekeepers. That's what the EU does! Which doesn't fly here. The Waltons live here, not in the EU.

A big issue with botnets running on device owner equipment is the amount of bandwidth they "steal" from the device owner. Especially for device owners who are on constrained networks (such as a mobile/satellite network) this can be a really expensive issue for the device owner.

So while the device owner may not be the primary victim, they can definitely still be heavily affected.

I wonder how companies will simultaneously deal with these FCC regulations in the US, and the proposed regulation to not update anything without intelligence approval in the UK.
Awesome!

Thanks for engaging, where the rubber meets the road!

Hopefully, you are also looking into other venues, as well.

HN has a great group of folks that represent some of the most cutting-edge tech, but IT runs on Java 8[0].

[0] https://news.ycombinator.com/item?id=19877916

Pretty cool (or at least interesting) to see a government agency engage on HN like this. Never seen that before.
Thanks for participating! After this thread winds down, I and my team are going to comb through it for suggestions and take as many as we can. We're also looking into other venues to engage directly with cybersecurity professionals. But please feel free to comment on the record as well -- a robust and detailed record is worth a lot more than whatever I can do individually.
I think that you'll get a lot of feedback.

I would suggest to my peers, that the links you gave are "official channels," and are probably what you really want, as opposed to a rather rambling thread of comments.

But for me, you just get a rambling comment.

I made my career on devices. In particular digital scanners and cameras.

I worked for a company that was about as tinfoil as you could get, and they supported devices long past their sell-by date.

But I also know that my company was an outlier. They sold premium equipment, at a premium price. They were an "old-fashioned" Japanese corporation, and had a basic mindset of keeping the customer's workflow in the center of the screen.

I think IoT security is a huge issue, and I think that the solution could be that there are standard, open-source, open-license, free-to-use packages; maybe written in languages like C, that could be offered to the industry. These could enforce low-level compliance with security standards.

Oh, and keep the TLAs out of it. They would really like to put a bit of "extra spice" in something like that.

That said, I know that it will never happen. There's a gazillion issues.

I would suggest to my peers, that the links you gave are "official channels," and are probably what you really want, as opposed to a rather rambling thread of comments.

I sort of want both. Official commentary moves the needle, but selfishly, I love the thread comments. People tell you what they really think, and sometimes go into a lot of detail as to why. It's an education for me.

I think IoT security is a huge issue, and I think that the solution could be that there are standard, open-source, open-license, free-to-use packages; maybe written in languages like C, that could be offered to the industry. These could enforce low-level compliance with security standards.

"Universal basic security" would probably be a major field of policy approach if we found ourselves with some huge disaster requiring a regulatory response. It's at least worth thinking about now, even if it goes beyond the scope of what the immediate regs can do.

> Accordingly, incorporating our modifications, we propose, for purposes of the IoT labeling program, to define an IoT device as: (1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world. We seek comment on our proposed definition.

I think this definition would apply to stuff like phones and cars, right? If so that's great.

I don't like the quoted wording. I would like it to be clearer that the RF part isn't part of the transducer, but part of the network interface.
I don't think it has to be part of the network interface. You could have an ethernet-connected device that emits RF for some non-networking purpose and I think it would still qualify.
But if I have an ethernet-connected device that doesn't emit RF for some non-networking purpose, it should still qualify. It should just need the transducer and a network connection.
I don't think it would for this specific proposal. The FCC's justification for this rule is that insecure IoT devices "could be manipulated to generate and emit RF energy to cause harmful interference". That's why they have jurisdiction here, because they regulate radio frequency use.
This makes sense to me. The definition is slightly awkward, but awkward in a way that preserves the FCC's ability to regulate the issue at all. If you clean up the definition, you can get to a more coherent definition of IoT device, but without the FCC's ability to regulate the devices.

I think the broader definition would probably just fall back to the FTC, and as far as consumer protection goes I think they've been asleep at the switch for decades.

Ah, I see.

Well, I stand by my position that the other is also a problem, but maybe this rulemaking isn't an approach that can cover that.

Don't get me wrong, this is still worth doing...

What makes IoT devices special, and warrants carve outs for security / vulnerabilities?

I guess I am not surprised there are security issues with these devices, because I think of most of them as coming from small companies, and wonder what the impact would be on the IoT space if only large players can work through more regulation.

That said, I can't decide if I am more concerned about my Wyze camera sending data where I don't want it to, than my water heater leaking it's current temperature (implicating whether I am home or not).

From the Cyber Trust Mark perspective, there's no inherent difference between a connected disposable gizmo and your example of the water heater. Personally, I would love to see a minimum cybersecurity commitment made by anyone who makes or sells anything with connectivity.
These rules sound like reasonable steps, upon first reading. Not sure what the downstream effects might be.

Is there any thought given to cloud based devices becoming paperweight when companies behind them just stop supporting it or turn off the API? I'd like some "assurances" in place that if the company either goes out of business or decides to sunset the service, it would be required to open source (or at least make available for download). If memory services, that happened to some Nest models a while back.

(comment deleted)
FWIW, seeing a security compliance label on an IoT product wouldn't mean anything to me as a consumer. There is no such thing as computer security in 2023, and there are no hints that security will exist at any point on the horizon. Even the biggest names in the field cannot put out secure products. Products from well-meaning manufacturers are going to be absolutely riddled with security problems, and putting a sticker on the box won't change that. It is literally impossible to put out a software product with anything resembling security today. It'd be like putting a "secure against bricks" sticker on a window. Our industry is a joke. Building secure software products can't be done without completely rearchitecting how our industry operates, which isn't going to happen.
> It'd be like putting a "secure against bricks" sticker on a window.

I lived in a house that had such secure windows. I even witnessed someone trying and failing to smash a window with a brick.

we installed a storm door not for protection against storms, but an intruder armed with a brick and/or hammer because our front door was 85% single pane of glass.

it seems like a bad analogy on the GP's part

> There is no such thing as computer security in 2023

This is absurd.

Even the passive basics like relying on your free email provider's filtering and running Windows Defender is going to stop a huge number of attacks.

If you're expecting perfect security, you'll be disappointed -- but we can't declare complete bankruptcy.

Scroll down: https://arstechnica.com/author/dan-goodin/ This is just a teeny tiny sampling of the security vulnerabilities disclosed every day. Our industry is just not built with security as a goal, and even if we started caring about it today, we have 50 years of not caring to patch up. Caring about security in a meaningful way (i.e. formal verification, engineer licensing & liability) is really, really expensive. No one is going to carry that burden when their competitors don't have to. The end result is the situation we find ourselves in: there is no such thing as computer security, and any networked computer should be considered compromised by default.
I'm sorry, I can't really debate with a reductionist claim that everything is 100% fucked when it's readily apparent that some threat actors are still being stopped.

For what it's worth, I'm not disagreeing with your points about needing drastic, systemic improvements in how we handle security.

Quote from one [0] of the articles at the linked Ars Technica index page:

«A ragtag bunch of amateur hackers, many of them teenagers with little technical training, have been so adept at breaching large targets, including Microsoft, Okta, Nvidia, and Globant, that the federal government is studying their methods to get a better grounding in cybersecurity.»

My opinion is that we fail completely to build secure systems in a forward thinking way and the fact that we manage to stop threat actors that exploit holes that are already known to us is insignificant.

[0]: https://arstechnica.com/security/2023/08/homeland-security-d...

This take is simply not based in reality. Compare what it took to gain root access to a computer 20 years ago to a modern iPhone and tell me again that there is absolutely no point in caring about security.
Amusingly enough, being able (or not being able) to gain root access to my own devices is one of the main reasons I can't address or verify their security - especially as official support is dropped over time.

Modern phones and other appliances have (or are) computers to which it is nigh impossible to operate as root. You might say you have to pwn them even if you supposedly own them ;)

I understand your skepticism. That's why I want to see the label functioning as something like an enforceable representation to consumers. If someone wants to sell brick-proof glass, and get a sticker from the US Government saying so, it better be brick-proof.
Well, my comment is predicated on the, apparently erroneous :), assumption that no glass is brick-proof. It is impossible to build a secure software product with our current tooling & development practices. The number of security flaws in every software product is so high as to make the label meaningless. I don't think there's a meaningful distinction to end consumers between "this product has 1,000 holes, 100 of which are publicly disclosed" (i.e. no label) and "this product has 900 holes" (i.e. with label).
A car that's safe to crash in is also impossible to build, but the NHTSA has standardized crash tests that they built up over time that has meaningfully made cars safer.
+1 for having a bare minimum requirements for IOT sellers against some standard testing criteria. Raise the bar but

Possibly another important would be NHTSA gathers and publishes numbers on accidents. Having some regularly published numbers would certainly shine more light and is probably lowest hurdle to cross from a political standpoint.

> If someone wants to sell brick-proof glass, and get a sticker from the US Government

In a free society, why would we ask government (lowercase g) for a window certification sticker? Should government also provide condom anti-breakage stickers? If we want this, maybe UL can set the standard and ask for volunteer testers to affirm the condom or window anti-breakage quality.

Or maybe we can put the Bell System back together and let them regulate what devices may connect to the network. That led to expensive monthly handset charges.

Because there's no such thing as a completely free society and those who believe there is or should be would be the first to be taken to the cleaners by unscrupulous or incompetent actors.

The condom comment is absolutely ridiculous because there are loads of regulations regarding condoms from the FDA. Unsurprisingly you aren't allowed to sell condoms that are likely to break.

Are you suggesting the stakes are the same for digital communications as for condoms? How big of an actual problem is condom breakage? How big of a problem is digital surveillance and theft? How do these two problems compare economically today?

Reasons I think we might want some government certification that has real teeth include: the freedom to protect and control our own digital data. A statistically high rate of surveillance and cyber crime with no tools to prevent it impedes the very freedom you’re defending. Absolute freedom for all cannot exist. You can’t be free to keep your money & privacy while I’m free to take it. Real certifications with enforcement teeth wouldn’t solve all problems, but it might make an actual dent. It would be nice to have national security and privacy standards, make purchasing decisions easier (actually sane), prevent some of the crime before it happens, and reduce the crime and surveillance that we know exists. That’s just from a consumer point of view. I’m sure there are many many companies and organizations who would love to be able to have some level of trust in their equipment purchasing without expensive vetting (or far more realistically for most orgs, little to no vetting at all, just hope).

Didn’t the government break the Bell system apart in the first place? When did they get back together and upcharge handsets? I don’t know what you’re referring to. Are you saying that what was needed after the Bell breakup is stronger regulatory oversight with bigger teeth?

I completely agree that it is meaningless to assert that something is "secure". Even very well secured things have been hacked, and the smallest of mistakes can have huge impact.

What would be meaningful is an assertion that some basic set of secure practices have been or are followed. For example, that there are no default passwords on a device, that security updates will be provided on some defined schedule, that network protocols meet some reasonable standard of security, etc.

Does the IoT company called "Eve" give hope to the industry? From what I understand, they take a security first approach to their IoT products. I haven't tried them out yet though.
I think this might be useful if we kind of wargame prospective regulations to follow all the ways people might abuse it, then you might get something that works. Maybe lawmakers already do that? This thread feels in that spirit too…
There is no security against all the threats you can possibly be imagine, but being free of well known, stupid simple vulnerabilities is still good.
There are too many IoT devices that want my email/phone just to perform what normal devices have been able to do for decades. No, I don’t want to download an app just so I can use my apartment stationary bike. I get enough spam already, and I don’t want to agree to a long terms and conditions just for that. In that case I couldn’t even use the bike at all without creating an account.

I think a lot of places got duped into thinking their internet connected stuff was an upgrade but in my opinion it’s a major downgrade. A device should do what other non-IoT devices do without being online, and internet capabilities should only be a value-add. A toaster should make toast without being online.

This is a great point. What are your thoughts on requiring a switch on all IoT devices so the consumer can flip a switch and their "smart Widget" just becomes a "widget"? This would be a nice for both security perspective and a consumer perspective.

An insecure e-stationary bike should just become a stationary bike rather than a 100-pound pile of trash.

My opinion is that a stationary e-bike should be a stationary bike whether or not the wifi is connected, and then I can choose whether I want to connect it online. I don’t think a switch is necessary, just don’t connect the thing.
The Bob dishwasher from DaanTech gets this right, it has Wi-Fi capabilities and a DRM scheme for its propietry dishwasher fluid modules, but those are extra features, and it works fine as a dishwasher without them. If the company drops support or goes out of business, I won't even notice in terms of impact on washing my dishes.
If a device does not violate (e.g.) RF emissions regulations, what authority does the FCC have to regulate its internals?

Thanks!

That's a great question. Devices that emit RF could be hijacked and turned into signal jammers. With smart jamming attacks, even low-power transmitters could potentially cause serious harmful interference to other devices. Botnets of compromised devices could be especially damaging. Since vulnerabilities are often chained by attackers, sometimes in very unexpected ways, to accomplish their final goal, we think that the FCC has a legitimate interest in just about any vulnerability on a wireless device. But the question of legal authority is itself open for public comment and we hope there's vigorous debate on the record to make sure we get it right.
Has there ever been an example of a consumer RF emitter being remotely hacked and turned into a jammer?
(comment deleted)
Of course not. But they don't operated based on evidence, they do based on fear. Like Apple, John Deere and pretty much any industry today.
A mechanism requiring disclosure of how long security updates are available seems like a great step.

Another great step would be a guarantee of making the firmware Open Source after no more than a certain amount of time, and having that guarantee known at compile time. Effectively, that means the device will always be supportable.

> A mechanism requiring disclosure of how long security updates are available seems like a great step.

So, as I work in this space, there needs to be realistic guidelines on this, does a security flaw need to have a CVE ? Do they need to fix every CVE ? What is the timeframe requirement ?

This kind of thing keeps me up at night.

Another great step would be a guarantee of making the firmware Open Source after no more than a certain amount of time, and having that guarantee known at compile time. Effectively, that means the device will always be supportable.

It's not inconceivable that this could be a requirement for getting a label (or some tier of label.) It depends how the advocacy comes out on the record.

The requirement can be easily bypassed by going bankrupt before the required time is up. You will soon hear advice like "if you want to get in to the IoT space, create a new C Corp for each iteration of your product..."

Whatever you require them to disclose after X years, it must be escrowed with a trusted third party in advance.

Agreed: any kind of future disclosure requirement should be backed up by a source code escrow requirement.
I don't know who those manufacturers are, but I can guess. One left-field piece of advice I would offer is looking at what they specify for their own offices/HQs.

"Smart" commercial office space has a bit of a head start in this area, and the specifiers have now had some time to find their feet.

Some prominent IoT device manufacturers have had written into the specifications for their own buildings that, for example, the end user (read: them) shall be able to manage the certificates on the devices, and so on and so forth.

A couple that come to mind would make for nice blueprints for consumer protections if you can cut through the prescriptive talk about preferred tech.

> Companies may cease supporting a device well before consumers have stopped using it

In which case all information required to create and load custom firmware should be released to the public. This information should be placed in escrow, in case the company ceases to exist. The same rule should apply to backend services, in case of a device being depended on such a service to operate.

> security updates for a reasonable amount of time

Which is 25 year or more for some classes of devices. Phone have already reached a point where they should be required to come with 10 years of security updates. I'd expect light switches to get at the very least 20 years of security updates.

Generally I believe that governments are being WAY to lenient towards manufactures of any type of electronics when it comes to updates. It's bad for security, the environment and the causes consumers to make bad investments. The companies making these devices have long since proven that they DO NOT CARE and shouldn't be trusted to deal with the issues themselves.

> I’ve advocated for the FCC to require device manufacturers to support their devices with security updates for a reasonable amount of time [1].

No offense intended, but I would be worried about this more than I would be worried about the current state of the IoT world. A blanket requirement would punish hobbyists and small companies prototyping new technologies. But big players could spend relatively minor technical and legal resources for publishing regular "security updates" without trying to find and close the biggest security holes.

I would prefer that FCC works to inform: maintain an up-to-date database of issues (reported by both the manufacturers and by third-parties), impacts and recommended fixes for those that have a fix. My 2c.

(comment deleted)
None taken, of course. Several people in this thread have made this point, and it's a very reasonable one.

The current framework is 100% voluntary for what amounts to a marketing label. There are non-FCC government databases for issue reporting, and a commitment to reporting to such DBs could be part of what earns you a higher label. Would be great to see commentary on this point from the tech public.

> I would prefer that FCC works to inform: maintain an up-to-date database of issues (reported by both the manufacturers and by third-parties), impacts and recommended fixes for those that have a fix. My 2c.

How would that help 99.99% of consumers? They are not going to look in databases, understand the issue, and apply fixes.

As someone with a libertarian bent, meaningful labels appeal to me as a decent way to address problems without overriding the judgement of the market. An informed market avoids lemons. So this proposal sounds OK in principle but here are some questions. Please be aware that I'm not a US citizen so my views don't really matter here, I'm just looking over the garden fence and asking questions.

1. Your argument for why it's under the FCC's jurisdiction doesn't seem all that strong. In your linked speech, you argue it's important because the FCC has the ability to regulate signals interference, and insecure devices could be turned into jammers. Has this ever actually happened? If not, is this not rather a large stretch of the FCC's mandate? Perhaps this sort of effort belongs in a different part of the government, or in an international standards agreement (possibly non-governmental).

2. What's the definition of security you're using? Security problems always exist in the context of a threat model, so having a label would imply standardizing a threat model. For example, smartphone security systems were originally designed to block malware, but over time have been stretched to try and solve often vaguely specified privacy goals towards non-malicious software too. If someone commits to supporting security updates for five or ten years at risk of government censure, then the definition of security is going to become a battlefield because whoever wins gets to control all the software that's got this label.

3. Modern security is layered via defense-in-depth strategies. If there's a bug in an inner layer but it's not exploitable due to mitigations or sandboxes (software firewalls) in outer layers, is that a mandatory security update or not? It could be argued either way because the device is not technically hackable still, simply the armor became weaker. Today this is left to the best judgement of engineers, who must balance efforts to patch theoretical vulns in old devices with work to e.g. build new defenses for newer devices. If it becomes mandatory, then paradoxically, new devices may become less secure than they otherwise could have been because all the effort is going into patching old devices.

4. Imagine a company commits to security updates for all devices for 10 years, but after 5 gets into financial difficulties. Maybe due to competitors who didn't make that expensive commitment. One quick way to dig themselves out of this hole is to push a 'security update' that drastically restricts the device's functionality e.g. prevents it from installing new apps released after a certain date. This can be indeed argued to make the device more secure, and you can argue that there's no expectation that the device will always be able to install new apps anyway, so no end-user expectations or promises have been violated. How would you stop this kind of perverse incentive?

> An informed market avoids lemons.

Has that been true in practice? I can think of plenty of horrible products, in IT, on the market. In terms of security (including privacy), the market has done nothing for IT consumers. And what about the people who already bought the lemons, before the market learned of it? Also, what if the lemon doesn't affect me but affects others (such as through DDoS)?

I prefer to keep it as simple as possible, but no simpler.

Nothing? Hasn't Apple built a part of their brand upon security and privacy?
You're right, that was hyperbole and I make a point of not using it. It's BS.

Security is awful, however, and I don't think that's hyperbole. Almost every consumer I know, including people in IT, have given up on privacy and security (i.e., confidentiality and integrity).

Simple. Give the manufacturers the choice: either they must provide full (FLOSS) source code and documentation (full schematics) to the user to enable them to maintain, patch and thus secure their devices (see also: right to repair), OR they are liable for all damages (direct, indirect) for a 30 year expected lifetime that arise from security issues with the device AND must have insurance to cover those damages (so that they cannot get out of that liability by bankruptcy). Most will opt for FLOSS, and none will have the excuse that it would be more secure to make it proprietary. And then users will at least be able to fix issues -- and the security community will be way more effective at finding issues as it wouldn't have to do the slow reverse engineering.
You as a customer can already give the manufacturer that choice, and simple refuse to buy from any manufacturer that doesn't comply.
Consumer's power is not the same as FCC's
Indeed. And that's good.
It's good that consumers have much less power in context of forcing manufacturers to the described choice?
What do you mean by less power? It's different.

One manufacturer can't force you to buy stuff you don't want, nor ban you from buying from a different manufacturer that does what you want.

(In contrast with the FCC, which has a lot of power over you, by banning you from buying what you want.)

What if no or very few manufacturers produce a thing, yet the thing would be very beneficial to many owners?

Why would one want specifically to buy a product not conforming to the choice described in the first-level comment?

> What if no or very few manufacturers produce a thing, yet the thing would be very beneficial to many owners?

If it's useful enough, and the existing manufacturers leave significant customer needs unfilled, competing suppliers can step in.

> Why would one want specifically to buy a product not conforming to the choice described in the first-level comment?

All kinds of reasons. It might be cheaper, for example.

So what we need is giant warning stickers on products of which their parent companies don't follow good practices. Kind of like tobacco products.

"Leaks your personal data to unknown servers" Or "Manufacturer typically does not support their products beyond 2 years after which critical features and functions may stop working"

I've been not-buying IOT trash as hard as I can for decades. But nothing's changing... please tell me how to do this correctly!
Well, lots of people have been not-buying liquorice their whole life, but nothing's changing. The market for liquorice candy is alive and well.

Less snarky: if other people still want to buy certain products, manufacturers will provide. But that's not a bad thing. Different folks have different preferences.

Why did you suggest not-buying as a better action than regulation if you acknowledge that it doesn't work? Are you a manufacturer of low-quality IoT devices? People don't prefer insecure devices, they just want convenience and manufacturers are not being upfront about how dangerous these "convenient" devices are. Ergo, regulation.
Convenience and low price are legitimate preferences, even if you disagree.
Not when the consumer doesn't know the trade off they are making. Buying a bottle of colorful poison and drinking it and dying because it looked tasty is not a legitimate preference.

You are being willfully ignorant of the power dynamics and information disparity that exist between manufacturers and consumers. The whole point of the label is to better inform consumers.

Insecure IOT has the huge externality of providing muscle to criminal botnets, though.
Tax them, then?
A relatively small group of people won't have an effect, that's why regulation plays an important role.
Perhaps we should respect the wishes of the large rest of the people who are outside that relatively small group?
Ignorance is not a wish. We're talking about users that don't know any better when buying products
Are there any that currently do comply?
Many large companies open their wallets to buy hardware (and software) that comes with guaranteed long term support.

If you are willing to pay, manufacturers are happy to comply with a lot of weird requests.

> either they must provide full (FLOSS) source code and documentation

I like the spirit of this, but one problem with this is that the software stack is likely not FLOSS, and the manufacturers don't own all the software.

A second problem is that lot of the software for production IoT-devices doesn't live in the device.

Third, there are safety concerns with a lot of devices that you'd need legal productions for.

Finally, the best IoT devices use a zero-trust architecture. You'd need to support a variation of this pattern to allow users to modify the devices.

I'm working on an IoT device for industrial use, and we're wrestling with this very problem.

The answer we're probably going to go with is that the device is 'leased' to the customer. It's part of their subscription.

This solves a ton of problems about FLOSS and support of the same. It's now a closed device, and you have no rights to the code inside. If we go out of business, you have a brick that you don't have to pay for anymore.

I think it's always better for the customer to have access to the code inside. I'll actively recommend FLOSS solutions to customers even if they're not quite as good as the competition on paper right away. Simply because a large part of the cost of industrial hardware is actually supporting it for a long time. And support is SO MUCH EASIER if you have all the source code and schematics. Of course big customers get to demand this kind of arrangement (floss, escrow, or even just "give us all the paper") while small industrial operations end up paying a premium for inferior service.
>> The answer we're probably going to go with is that the device is 'leased' to the customer. It's part of their subscription. <<

1000% wrong answer, unless you straight up front sell a service with an installer making a site visit to deploy chattels of service.

such as satellite television, or DSL internet.

when you swap handfulls over the counter before any contractual agreements i.e. clickthrough TOS , you are selling a hardware, that means user ownership.

No, we're straight up selling with a dealer/installer in the pipeline. We're not that stupid to try and sell direct to the customer these days.
i find that revealing, it seems direct enduser engagement has really stung you, is there something other than people being people, or are there onerous requirements that are not worth it?
If parts of the supply chain aren't FLOSS, then manufacturers would have to lean on those suppliers to change their licensing or find different suppliers. Same with other regulations around things like lead in consumer products. Anyone wanting to be part of consumer product software supply chains would have to start offering it as FLOSS if they want any customers, so the supply chain would adjust to the new reality.

We do need to establish common sense liability if it's not already there. If you modify your circular saw to remove the guard and injure yourself, that's your fault. If you modify some software to run outside of safe design parameters and it malfunctions/injures you, that's your fault.

I don't see why zero-trust is incompatible with user-modified devices. In fact it's in line with the spirit of zero-trust: don't assume just because something is able to talk to one of your servers (e.g. because it's on your VPN/LAN) that it's friendly. People should already always be assuming customer-owned hardware will potentially be completely controlled by a malicious actor and acting accordingly.

30 years of expected support is pretty unreasonable. Stating a requirement like this makes the discussion about competing dogmas. Rather, it's about the right way to keep devices operational as long as possible while also allowing companies to remain possible.

30 years of support expectations immediately makes the cost of any device go up to hedge against the risk of fines during the entire 30 years. It also makes it harder to disrupt an industry with hardware at its core.

I don't have a single computing device that has lasted longer than 10 years. Reasonably speaking, either performance or features start to make the device largely obsolete and unusable.

I think a better way to propose this would be the expectation that when a product is EOL, it should be supportable by the buyer for a certain period. This requires figuring out the right period of support. I'd propose something that scales period based on cost or device class. A $1200 phone should be usable for 10 years while a $10 disposable glucose sensor with a battery should not.

Sorry, but some people will run routers (and other IoT devices) for > 10 years, and long past some random 2 year EOL a manufacturer may set. We need less e-waste, and if manufacturers have to warrant security for 30 years, they may also invest enough to make the hardware itself last longer. More expensive is totally fine if the product is useful for longer! Oh, and please double-check if you really have no 1st generation Raspberry PI anywhere, or maybe some ancient Arduino? What about your washer? Modern washers are IoT devices. My (admittedly not yet IoT washer) is > 10 years old. Or take your car. Sure, you may buy a new one every 10 years, but there are plenty of cars > 10 years on the road. Do you want all of them to be vulnerable and out of warranty in the future?
> 30 years of expected support is pretty unreasonable.

I happen to know, having been with a Ford unit at the time, that the Ford EEC-IV engine control unit in 1980s Ford cars and trucks was designed for a 30 year lifetime. Many are still working.

The average age of light vehicles in the US is 12.2 years.

This is more in NHTSA's wheelhouse, though.

> I don't have a single computing device that has lasted longer than 10 years. Reasonably speaking, either performance or features start to make the device largely obsolete and unusable.

Are you just buying cheap junk? An i7-3770 PC - a good example of an 11 year old PC, and one I happen to use every day - can be quite usable today.

I favor something like this, if less strong. It should be required that a product that reaches end-of-life as defined by the manufacturer should have all documentation and source code released and open sourced; prior to end-of-life (and perhaps for one year after), they're required to provide security updates. The manufacturer is then free to decide the point at which closed source is no longer worth the maintenance cost.

A few additional thoughts:

- Perhaps hardware design/specs should be released as well?

- A government body should probably host this information after EOL.

Ah, the utopian dream of a world where every manufacturer gives away their intellectual secrets just so users can play tech guru. You're suggesting that companies offer up decades of R&D and risk their competitive edge, or else face 30 years of liability? With the speed at which technology evolves, we're lucky if a device is even relevant after 30 months. And let's not forget the minor detail of skyrocketing costs. Want a device built under these fantasy rules? Hope you're ready to pay through the nose—think 10 times the current price. Because nothing says 'accessible technology' like pricing out the average consumer.
^^^ This right here ^^^

Additionally, this cannot be an excuse to charge subscriptions or force lease agreements into the fine print for items consumers buy outright.

Planned or unplanned obsolescence is good for business. You are proposing regulations counter to that, so should expect counter-pressure, even for IoT makers that want to do the right thing.

By volume and impact, what devices have IoT vulnerabilities? If from large mfrs, you might expect some measure of support as that would be somewhat in their best interest, if only to preserve their brand image. My concern would be low quality, usually cheaper, whack-a-mole mfrs that come and go on Amazon, eBay, etc. Even if they release a product that would fall under these guidelines, how are you going to go after a ghost?

Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?

Planned or unplanned obsolescence is good for business. You are proposing regulations counter to that, so should expect counter-pressure, even for IoT makers that want to do the right thing.

Great points. From one perspective, we can't afford to do this stuff; from another, we can't afford not to. If connectivity makes your life a little easier for little risk, that's one thing; if your dishwasher steals your identity and sells it online, that's another.

My concern would be low quality, usually cheaper, whack-a-mole mfrs that come and go on Amazon, eBay, etc. Even if they release a product that would fall under these guidelines, how are you going to go after a ghost?

Another great point, but that's a snapshot of the market as it is now. We expect certain standards from some things but not others, depending on how much you depend on them, how much is at risk, and what the costs would be. Right now, under the proposal, a company is 100% free to say "I will support this for 0 days and you expect it to ship broken from the factory" -- it's just that they actually have to say that out loud.

Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?

I expect this to be a hot topic on the record. We'll see what technologists, manufacturers, consumer advocates, etc. say and try to come up with a proposal addressing stated concerns.

> Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?

Most other liabilities are inherited during an acquisition. I don't see a good reason for this to be an exception.

It would encourage acquirer's to do much more strict due diligence in this regard, which will have a natural pressure to clean up the behavior of manufacturer's that plan to seek a future exit.

Any exception to liability here seems like a get out of jail free card, for all new manufacturers seeking an exit to behave extremely badly. It also opens the door to corporate shell games, where as soon as a liability is discovered it gets acquired by a thin parent entity to dissolve that liability. I'll leave a comment to that effect as well, but it absolutely seems like this liability should survive an acquisition.

While the IoT security situation is out of control I doubt that regulating security updates will have any other result than radically reducing competition and innovation in the space by making it impossible to operate as a small company. It will simply push more hardware innovation out to China.

Having worked in the space I came to the conclusion the only viable secure future is to adopt star topology local networks where local traffic for all devices goes into a single secure regularly updated broker device that then decides what to do with it. Any access out to the Internet or between devices needs to be mediated. The part that will annoy a lot of people is that broker device probably needs to be able to read all of it. Therefore rather than just regulation I would talk to the WiFi alliance in particular about possibly expanding the scope of what it means to be a WiFi router.

The problem is actors like Google really want such a thing to be just in the cloud "for convenience", by which they mean monitoring everything that ever happens.

The only corporate actors I encountered that understood this were the Taiwanese OEMs, who are remarkably on point and blunt behind closed doors, but they are basically powerless to do anything about it.

Edit to add: if there is one thing the FCC could do immediately it would be to ban the covert deployment of cellular modems in other devices and to force giant warning labels for such things and require they be user removable.

> The only corporate actors I encountered that understood this were the Taiwanese OEMs, who are remarkably on point and blunt behind closed doors, but they are basically powerless to do anything about it.

Fascinating! Could you elaborate?

Firstly you have to appreciate the web isn’t a thing. When they want to talk protocols and crypto they mean things like sockets, mqtt and talk about where on the production line the fuses for the keys will be blown and who will have access to that area. It is a different universe.

The absolutely huge thing is they want to live in a world of standard interchangeable pieces. They despise custom solutions to problems unless totally necessary or they are enormously better than the alternatives.

They will flat out tell you that they are essentially waiting for an industry standard solution to problem X to appear, and until it does these ad hoc solutions suck.

If you want IoT security you don’t need to regulate it, you “just” need to create a no-brainer to adopt industry standard model for device operation that these people can drop in place. (I hate MQTT, but think something in that ballpark with the right security model* would be a good starting point). This is a hard enough ask as is, but is made harder by the big software giants all trying to come up with schemes that put them in the middle all the time.

As an aside I also encountered a non Taiwanese executive espousing the view (with respect to slurping up network topologies via multicast) that he hates it, but as long as it isn’t illegal they have to do it. I don’t believe the law would help as you will always have bad actors and people using aliexpress - it needs to be technically impossible, hence the star networks.

Edit to add: * and provisioning process. Were it up to me I'd have something like NFC based key exchange between broker and device during setup as part of the standard.

>Having worked in the space I came to the conclusion the only viable secure future is to adopt star topology local networks where local traffic for all devices goes into a single secure regularly updated broker device that then decides what to do with it. Any access out to the Internet or between devices needs to be mediated.

Yes, yours is (IMHO) the only possible way out, still there are things that simply should be not allowed or be only optional, as I see it the "mistake" is confounding the "Internet" in IoT with the "Cloud".