Re: IoT & Patching - The bigger picture issue is Trust is Dead
Trust may be dead for some devices and for some technical people, but the average consumer will go on Amazon, buy a cheap device, install it, download its app, agree to the 501 permissions required, and put it on their network.
How are they to know any better? There is no mandatory test and qualification required to buy an IoT device; they don't presume the ones on sale are dangerous.
As well as extending this bill to a larger area (e.g. all of the US or all of the EU), where every manufacturer would be forced to comply, as the author states, it should be extended and certified further. A beep for an update will not work, as very few cheap IoT devices ever get updated once they are out of the factory.
# All devices need to have a security assessment that tests the device against the current most likely threats. Devices must pass this and be certified before going on sale.
# All internet-connected (or connectable) devices have a grading which shows the length of time for which updates are guaranteed for the device. All source code is held in escrow in case the supplier goes under in that time.
# Any security threats discovered in a device during its service guarantee time must be fixed within a standard length of time based upon the severity.
Therefore the customer can understand that by paying $5 for an IoT device they are likely to get only 1 year of usable life from it, while someone who pays more might get a much longer guarantee.