A router-enforced EULA for IoT devices

A recent shower thought: consumer routers could enforce good IoT manufacturer behavior by placing devices on a secure, contained network by default, and allowing full access only if a device is receiving security updates.

The default network would be slower and heavily limited in endpoints it could hit, and in particular would not allow accessing any other devices on the local network. If an IoT manufacturer commits to security updates, they could be allowed on the full network. Defection could be subject to legal liabilities, up to a lawsuit in the worst case.

Over time, the feature could become more sophisticated, for instance by providing a better EOL experience. Currently, IoT manufacturers just leave their waste with the customer and mostly don’t even tell them (a recent example). This system might:

  • offer an API on the router that devices call to register their EOL date
  • inform users when a device approaches EOL
  • show a dashboard of devices and how long they’re supported
  • automatically contain devices that reach EOL

Come to think of it, there’s nothing that would technically restrict this to IoT devices. PCs could opt into this too. Probably most useful as a form of parental management of children’s devices – baby’s first mdm.

Router manufacturers would have to step up their own game, but they also would get upside: more customer touchpoints.

The best version of this would be an open standard, preserving consumer choice and competition. The hope would be that it improves baseline, even if industry consensus is hard. In the worst case, the consumer isn’t served because the standard is captured by the industry, which could then mislead in product ads and/or abuse the customer communications channels with ads.

Micah R Ledbetter @micahrl