by yk 3803 days ago
Any kind of suggestion as to what regulation should look like? For example, automatic updates would probably be a must-have for network-connected devices. On the other hand, I do not really want my TV to phone home. The problem is that computers are too flexible for meaningful regulation; contrast it with the case of a boiler, where the interest of the user is that the boiler does not explode, both for the engineer and the housewife.

Security can never be perfect, but it can be sufficient. Simple sufficient regulation could be having a clearly documented address and process for security issues to get reported and an obligation to provide fixes for remote vulnerabilities in a reasonable time frame after becoming aware of them within the warranty period (they are design flaws, so warranty should cover them). In other words, legally mandate everyone should do what conscientious vendors already do.
Your suggestion is not sufficient; you also need a way to roll out the updates, which means a network connection to the outside world, but for someone who has done an IoT setup himself it is probably a sane thing to put the IoT things onto their own network, without internet connectivity. So yes, it is likely possible that there could be sane regulation, but I lack trust that regulation will be sane, and even more, I suspect that regulation will interfere with my use case, so that I have to jailbreak my light bulbs.
Your light bulbs already have to adhere to regulation, and it's largely not been a hindrance at all. In fact, most of it has been helpful.
Just compelling the ability to update does not mean anyone will make updates.

The only answer that makes any sense at all is fundamental legislation that any product where the primary product is the physical article and not the software must publish the source to included software. That way, even if IoT devices are abandoned or become insecure, we can update our own hardware.

Most people would not be able to maintain their own devices, but we can easily end up with OpenWRT / DDWRT style products for each class of IoT device if they are required to be freedom respecting. Then techies will naturally instruct their peers to use supported devices, and the natural progression should get us most of the way to where we are today on routers - the liberated ones are recommended and can be supported by the community even if the OEM abandons them, and the ones that are not are a red flag to avoid. The only problem today is that since there is no compulsion to liberate routers a lot of them are sold to ignorant consumers who do not realize the mistake they are making.

So maybe that should be a regulation? Like how cigarettes must inform consumers of how dangerous they are, proprietary IoT devices must carry an FCC general warning that their security is out of the user's control.