(I also submitted this as an Express Comment in the proceeding. If you agree, consider also filing a comment.)
A lot of issues around IoT device security are hard, but there is one simple and easy piece of policy that would be a big win:
Make the requirements stricter if the product contains a microphone than if it doesn't.
Some device makers are putting microphones into devices that don't need them, to support functionality that isn't useful, just because microphones are cheap. For example, TCL (a Chinese television brand) puts microphones into its remote controls. They do this because while most people don't want to control devices by voice, a few people do, and microphones are very cheap. This is a problem because anything with a microphone in it is a valuable target for hackers; compromising a TV remote with a microphone is _useful_ to them, in ways the compromising eg a wifi-connected clothes dryer would not be. If adding a microphone to a device created additional legal requirements, vendors would stop putting them in places where they lack a legitimate purpose, and there would be fewer insecure microphones floating around.
Make strict rules for all of them. As another commenter pointed out, the wifi-connected clothes dryer could be used in an attack to take down the power grid by having many of them switch on at the same time - causing a network overload.
Don't try to predict potential avenues of attack. Make strict rules for all IoT devices.
A lot of issues around IoT device security are hard, but there is one simple and easy piece of policy that would be a big win:
Make the requirements stricter if the product contains a microphone than if it doesn't.
Some device makers are putting microphones into devices that don't need them, to support functionality that isn't useful, just because microphones are cheap. For example, TCL (a Chinese television brand) puts microphones into its remote controls. They do this because while most people don't want to control devices by voice, a few people do, and microphones are very cheap. This is a problem because anything with a microphone in it is a valuable target for hackers; compromising a TV remote with a microphone is _useful_ to them, in ways the compromising eg a wifi-connected clothes dryer would not be. If adding a microphone to a device created additional legal requirements, vendors would stop putting them in places where they lack a legitimate purpose, and there would be fewer insecure microphones floating around.