
To add to previous similar comments, I think that one of the best ways to ensure that security updates are provided is to ensure that manufacturers either commit to continuous security updates, or after a minimum sunset period during which they provide security updates (e.g. 5 years), they agree to provide source code as well as build and deployment instructions, so that the community can take over. It must be possible to build the source code using a freely available toolchain. Furthermore, they must agree to provide links to these communities through their support pages for these products, so that users can be made aware of new third party firmware.

A durable IoT device could last decades, but few companies building these products will survive as long as the devices, let alone support a device they are no longer profiting from. As long as they are supporting the device with security updates, it's fine for the firmware to be proprietary. But, when they decide to cut support for the device, they should be willing to ensure that consumers who have purchased this hardware and are still using it won't become victims, and that the overall Internet community won't end up harboring botnets made of living-dead e-waste.



Yeah, I can't see an alternative to this. I'd go further to say that to guarantee this is done, companies should be required to provide this data upfront in some encrypted form, so that it's out and public in advance and can be unlocked by a simple encryption key (an FCC escrow service would be a good idea).

And that's on the "if I really thought business should get a handout" approach.

Practically, I see no reason the full source code for any of the network-interactive software components of IoT devices shouldn't be required to be open and user-flashable upfront. I can buy pre-flashed ESPHome devices which will do wireless updates and come with the full source code and a map of how to talk to their pins (which implements the functionality) - I see no reason why this sort of access shouldn't be the default.


I think that the use of an escrow service would be an excellent idea. There's some complexity to deal with in order to make this fair for both companies and consumers, but I think that these difficulties are surmountable.

An open source firmware model doesn't always make sense for businesses, but I think that for most hardware-oriented businesses, it makes perfect sense. There are plenty of business models in which the hardware itself is deeply discounted or even sold at a loss in order to sell the overall service -- the IoT portion. Right, wrong, or indifferent, that is a model that many businesses pursue. If their business model makes sense in the marketplace, I think that's fine. Plenty of consumers choose proprietary and service-oriented systems -- e.g. Apple's closed ecosystem -- and that's fine as long as consumer safety and security are prioritized. However, I think that regulation should ensure that the right for consumers to maintain their devices should fall back to the consumers if or when these companies fail.

That being said, I think that consumers should always have a right to root their devices. If consumers decide that the iPhone or IoT light switch that they purchased does not meet their needs, there is no reason why they shouldn't be allowed to flash any firmware they want on it. In the case that hardware is sold at a loss, there should be an up-front contract with a buy-out clause, which also should be regulated to ensure that the company charges a reasonable and non-discriminatory "regular fee" for hardware independent of contracts, much like how many cellular carriers work. If the consumer chooses to "buy out" this contract in order to root their device, then that should be allowed if they pay the pro-rated "regular fee", adjusted for the amount of time they have paid into the contract.

I've considered governance models that can exist beyond the lifetime of a company that would guarantee escrow access to source code. Pitching this to a company is of course quite difficult, since no company thinks that far ahead, and many in leadership refuse to consider what happens if and when their venture fails. I think that the only way to build such a governance model is to provide an open source framework for managing both builds and OTAs that can ensure this. Escrow as a service could be built into this, using one of various cryptographic election strategies for recovering key details if an organization goes dark.

Either way, having the FCC seriously consider the security of IoT devices is a great first step, as long as it is a step and not a hurdle for innovation.
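The "cryptographic election strategy" the comment above alludes to, and the encrypted-upfront escrow idea earlier in the thread, can be demonstrated with a threshold secret-sharing scheme. This is an added example, not code from any commenter: a Shamir split of the escrowed decryption key for the firmware source among several custodians (the custodian roles, the 3-of-5 policy and the sample key are assumptions), so that the key is recoverable when enough of them vote to release it, while fewer shares reveal nothing.

```python
"""Threshold escrow of a firmware-source decryption key (added example).

Shamir secret sharing over GF(p): the escrow key is split into n shares
held by independent custodians (e.g. vendor, regulator, community
foundation, two auditors); any k of them can reconstruct it, fewer cannot.
"""
import secrets

P = 2**127 - 1  # Mersenne prime; secrets must be < P (a 16-byte AES key fits)


def split_secret(secret: int, k: int, n: int, rng=secrets.randbelow):
    """Return n shares (x, y) of `secret`; any k of them reconstruct it."""
    assert 0 <= secret < P and 1 <= k <= n < P
    # Random polynomial of degree k-1 whose constant term is the secret
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x=0 over GF(P) from any k distinct shares."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs), "duplicate share"
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


if __name__ == "__main__":
    # Constructed sample: a 128-bit key that would encrypt the escrowed source
    key = int.from_bytes(bytes(range(16)), "big")
    custodians = ["vendor", "regulator", "foundation", "auditor-1", "auditor-2"]
    shares = dict(zip(custodians, split_secret(key, k=3, n=5)))
    # Three custodians agree that the vendor has gone dark and release the key
    released = recover_secret([shares[c] for c in custodians[1:4]])
    print("recovered key matches:", released == key)
```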



