In May 2018, the Federal Bureau of Investigation (FBI) published a warning that Russian computer hackers had compromised hundreds of thousands of home and office routers and could collect user information or shut down network traffic. The Bureau then urged the owners of several brands of routers to turn them off and on again, and to download firmware updates from the manufacturers. While the FBI warning highlighted the potential danger of routers built on open source code, the warning may have gone largely unnoticed by most consumers.
Software and firmware have become ubiquitous in our daily lives, directing Internet of Things (IoT) devices and applications that are key to modern commerce, urban planning and management, logistics, agriculture, and critical infrastructure, to name just a few areas. Yet, despite the promising and necessary growth in IoT devices and applications, cyberattacks, data breaches, and data misuse scandals are on the rise, having more far-reaching consequences and becoming a real danger for both brands and customers.
To make matters even worse, the use of open source everywhere as a cost-effective way to allow customization has the potential to exacerbate privacy and cybersecurity problems in the IoT ecosystem. This paper seeks to address the opportunities and challenges presented by the use of open source and provide a discussion of the risks associated with the use of open source in IoT devices.
The issue of data privacy and cybersecurity is increasingly captured by multiple regulatory frameworks, creating a complex regulatory environment. In addition to exploring the potential risks these technologies may present to consumers, this paper also discusses the regulatory alternatives (top-down regulations versus voluntary alternatives) in dealing with the privacy and security concerns posed by open source in the IoT space. The paper concludes by outlining policy solutions that aim to protect consumers without impeding innovation.