Index ¦ Archives ¦ Atom

Expiry dates on smart phones and other IoT devices

A while ago someone1 suggested the idea of putting an expiry date on smart phones. The idea was that when manufacturing a device the company would have to commit to pushing out fixes to any CVEs that come up until the given date. So when buying a phone there would be an expiry date printed on the packageing and consumer could be sure of reciving a supported product until that time.

After the Mirai botnet struck there was a lot of discussion around what to do about the Internet of Things (IoT) threat. Bruce Schneier wrote that it was

a market failure that can't get fixed on its own.

and that it needed some sort of government intervention to fix. I tend to agree with his analysis, there is little to no incentive for vendors to fix the bugs in some internet connected smart toaster. Most consumers don't care if their $20 toaster has been hacked and used to DDoS some website, so long as it sill makes toast. And most vendors of IoT stuff don't have long product cycles and certanly don't budget the time and resources to fix things two years after they have been sold.

The aproach I'd take2 to fixing the IoT threat would be to introduce manditory expiry dates for internet connected things. This wouldn't mean consumers couldn't continue to use them after the expiry date, just that the manufacturers must fix issues with products that have not expired and vendors can't sell expired items. It could be on some sort of sliding scale so things like internet connected washing machines might be 5 years while phones might only be 2 years. A bit like a manufacturer's warranty.

I'd introduce some sort of certification, a minimum security standard that devices need to conform to. This would be pretty simple check box security but it would be good base line. Things like the device must have some sort of automatic update process so that when things do go wrong, they can be fixed. And the update process should check the updates are signed.

I'd also heavily push some standard environments, things like Raspberry Pi's running Raspbian and Windows 10 for IoT3. This would make certification easier because the base environment could already be certified and could make best practice easier and shooting yourself in the foot harder.


  1. After a fair amount of searching I still can't find the original source but I'm pretty sure it was a comment on an LWN article about a horrible android bug (possibly libstagefright) where I first came across the idea. 

  2. Let's just pretend we live in a fantasy world here where governments could move quickly and cooperate, and import and export regulations could actually be applied to things like $13 internet connected light bulbs for sale on eBay. 

  3. I think diversity is important and I'd like to see at least 3 or 4 base platforms. If nothing else so you don't get one bug that just ripps through all devices. 

Creative Commons License
Content on this site is licensed under a Creative Commons Attribution 4.0 International License.
Built using Pelican. Based on a theme by Giulio Fidente on github.