Comment by bee_rider 2 days ago

Reaching for the legal hammer ought to be a last resort, but IMO, EOL-ing a device should require open sourcing it and handing over any info required for administration to the users. Or refund for full price.

A device which can not be administered by the end user is administered (perhaps negligently) by the company who sold it.

archi42 a day ago

I would love that, but I can see some issues: Embedded stuff (e.g. in your car) might use a proprietary RTOS, like "VxWorks" [1]. Then the developers might have had to use a commercial toolchain from e.g. Hightec [2]. They could also have licensed some 3rd party libs. What about external verification tools for critical stuff? What about cloud-connected services (e.g. music streaming)?

For a manufacturer to opensource "all that's necessary to build, deploy and use the soft-/hardware", the whole ecosystem would need a massive paradigm shift.

For certain device classes this is probably much easier than for others. And expecting/dictating a reasonable lifetime from a product might be the better choice - and as the EU directive regarding user-replaceable smartphone batteries shows, this goes beyond software.

[1] https://en.wikipedia.org/wiki/VxWorks

[2] https://hightec-rt.com/products/development-platform

  • bee_rider a day ago

    First some thoughts about your specific example: My impression (although, just from working in something very tenuously related to automotive stuff) is that the real time, safety critical stuff, and the entertainment center stuff, are on two unrelated computers, ideally with very little connection between them.

    The safety critical stuff really ought to be supported for the lifetime of the car. But it shouldn’t have internet access anyway, so a big source of attacks is not available. They sometimes update that software when you go in for maintenance, right? It seems fine.

    The entertainment center, why shouldn’t we be able to install our own OS on it? Those things are always quite buggy anyway, I’d love to install Linux on mine.

    More generally:

    Yes, I’ll admit I was going for a bit of back door trickiness. I do think it would be hard to just open up a lot of current platforms.

    If the law is that manufacturers must either release “everything” (hand-wave-ily) or offer a full refund in order to release their support obligation, then I’d expect them to do one of the following:

    * Make new designs that are easier to open up. A win for everybody! They can push back on the license terms for the libraries they use. Or, perhaps some mechanism could be designed so that they open up the rest of their platform, and the library developer that doesn’t want to open up can keep their part of the support obligation.

    * Extend the support lifetime to the point where they are happy to just offer refunds to the few remaining users.

    As you say,

    > And expecting/dictating a reasonable lifetime from a product might be the better choice - and as the EU directive regarding user-replaceable smartphone batteries shows, this goes beyond software.

    But I think a reasonable lifespan depends on the type of device, locking in a specific number with the law seems difficult. Offering a choice instead would let the lifetime be set dynamically, but without the current odd situation where obligations just evaporate into nothingness.

mnau 2 days ago

What would be the point of open sourcing it? Serious question.

Custom DIY ROM might be interesting to some geek out there, but it does nothing for security. There is no automatic update and some custom ROM is never going to get it anyway.

Security through obscurity is a better option in this case.

  • bee_rider 2 days ago

    It would be nice for the community, so they can at least try to fix things.

    But mostly, I think it would clarify the responsibility and obligations for support. Obviously a device which hasn’t been opened up can’t possibly be the responsibility of the user, who is locked out and unable to administer it. By default manufacturers should be responsible for the things they manufacture and should have an obligation to make sure they are reasonably free of defects. Devices with known security vulnerabilities are defective.

    If they want to release themselves of that responsibility, they should have to actually make it possible for somebody else to pick it up.

  • scrapheap a day ago

    It would depend a lot on the device, but open sourcing it would at least make it easier to move some devices to existing community supported projects (e.g. OpenWrt, DD-WRT, Rockbox). When that happens then there is usually an improvement in both security and features of the devices.