[zanny]

Just compelling the ability to update does not mean anyone will make updates.

The only answer that makes any sense at all is funamdental legislation that any product where the primary product is the physical article and not the software must publish the source to included software. That way even if IoT devices are abandoned or become insecure we can update our own hardware.

Most people would not be able to maintain their own devices, but we can easily end up with OpenWRT / DDWRT style products for each class of IoT device if they are required to be freedom respecting. Then techies will naturally instruct their peers to use supported devices, and the natural progression should get us most of the way to where we are today on routers - the liberated ones are recommended and can be supported by the community even if the OEM abandons them, and the ones that are not are a red flag to avoid. The only problem today is that since there is no compulsion to liberate routers a lot of them are sold to ignorant consumers who do not realize the mistake they are making.

So maybe that should be a regulation? Like with how cigarettes must inform consumers of how dangerous they are, proprietary IoT devices must have an FCC general warning their security is out of the users control.