This seems like a strange regulation. Companies would simply comply by doing pro forma updates for the sake of updating.
Additionally, the update process itself introduces security vulnerabilities.
An IoT device might have a lifespan of 20 years. Let’s say a company is required to update for 10 years. For the subsequent 10, that process is nothing more than a vector for malware injection.
The most serious type of vulnerability is an unauthorized, unbounded, write operation.
One of the most secure architectures is “stateless.” That’s where the software is hardcoded into the software. This proposal would outlaw that approach. It’s not for all situations, but it should be seriously considered.
The real solution is to hold companies accountable for vulnerabilities.
I suspect this is better done by the FTC.
Perhaps your time would be better spent fighting DRM on broadcast television, or ensuring cell towers aren’t tracking people, or that phone calls have crypto enabled by default.