The Secure Resilient Future Foundation (SRFF) is proud to join with Consumer Reports and U.S. PIRG in announcing the Connected Consumer Product End of Life Disclosure law, model legislation to promote new laws that protect consumers of smart, Internet-connected products.
As the population of the Internet of Things explodes, more and more products that populate homes and businesses sport always-on Internet connections and smart, software-enabled features. That has led to a wave of innovative new products and features. But it also brings risks. Manufacturers today regularly declare otherwise functioning products “end of support” and “end of life,” ceasing the software updates and security patches needed to keep devices functioning and safe from hackers.
Events in recent years shine a light on the economic and security consequences of this state of affairs. Consumers who purchase expensive, connected devices like the $700 Humane AI Pin, Spotify Car Thing, or the Moxie emotional support robot wake up to find that the manufacturer is terminating support for the software and disabling cloud servers and mobile apps needed to operate the connected device. A product they expected to enjoy for years, they find, has only months or even days to live and has become e-waste destined for the landfill.
Today, consumers lack an easy way to assess how long a product they are interested in will be supported by its maker. The Federal Trade Commission researched 184 connected products and found that just 11% (21) disclosed the device’s software support duration or end date on the product web page. A similar survey of 21 of the top large appliance brands conducted by Consumer Reports found that only three brands tell consumers how long they guarantee updates to their appliances’ software and applications.
EOL Devices: Fertile Ground For Cybercriminals
Then there’s the cybersecurity impact of “end of life” devices that continue functioning, but stop receiving needed software updates and security patches. These abandoned devices – including home broadband routers and smart home appliances – have become fodder for cybercriminal and nation-backed hacking crews.
End of life devices are targeted with attacks on known but unpatched security flaws, enrolling them in malicious botnets or using them to further attacks on targeted entities including government agencies, technology firms and critical infrastructure. Researchers at Lumen Technologies’ Black Lotus Labs wrote in March 2024 about “Faceless,” a botnet consisting of tens of thousands of compromised end of life (EoL) smart home devices such as broadband routers that was “an integral tool for cybercriminals in obfuscating their activity.”
Raising the Bar for Smart Device Makers
The proposed Connected Consumer Product End of Life Disclosure law addresses these growing risks by raising the bar for smart device manufacturers and Internet service providers. Among other mandates, the law requires smart device manufacturers to:
- Clearly disclose the minimum guaranteed support time frame for a product, during which the manufacturer will provide security and software updates, by placing that information on the product package and/or disclosing it at the point of sale.
- Proactively notify consumers when their connected consumer products will lose support.
- Provide information to customers as to how they should handle the connected consumer product’s end of life.
- Notify device owners about the end of product support, providing a list of features lost, and the vulnerabilities and security risks that are likely to result from the end of support.
- Provide device owners with clear information about actions they can take if they want to continue using the product in a secure manner.
The law also addresses the problem of smart, connected devices that are no longer supported, but that remain Internet connected, making them easy prey for hackers.
“A device that is remotely discoverable but locally forgotten is a risk, an avoidable risk,” said Dan Geer, the CISO of In-Q-Tel and a board member at SRFF. “As the number of devices grows, that risk grows. Somebody or something has to keep track.”
The law does so by requiring Internet Service Providers (ISPs) to remove company-provided connected consumer products (including routers) that have reached their end of life and end of support from their networks and replace them with actively supported and patchable devices at no cost to the consumer.
“Smart devices abandoned by manufacturers pose a major cybersecurity threat, leaving U.S. consumers, businesses, and infrastructure vulnerable to cybercriminals and hostile nations,” said Paul Roberts, the President of SRFF. “The Connected Consumer Product End of Life Disclosure Act addresses this issue by requiring manufacturers to disclose software support periods before purchase, rewarding those who provide longer product support. SRFF, a non-profit made up of cybersecurity and sustainability experts, was proud to contribute to this critical legislation and looks forward to advocating for its passage at state and federal levels to strengthen digital security.”
SRFF: Giving Cyber A Seat At The Table
Founded in April 2024, Secure Resilient Future Foundation is a 501(c)(4) non-profit organization made up of professionals focused on cybersecurity and sustainability. Prior to its work on the new model legislation, SRFF joined Consumer Reports and organizations including U.S. PIRG, iFixit, Electronic Frontier Foundation, Software Freedom Conservancy and FixIt Clinic to send a letter to the FTC in September 2024 urging the Commission to crack down on abusive “software tethering” – a common practice in which manufacturers use software to control and limit how devices function after a consumer has purchased them.
And, in July, SRFF joined with a group of electronics refurbishers, repairers, and recyclers in a letter to the Federal Communications Commission (FCC) calling on that agency to adopt a “uniform handset unlocking policy” and to “address other software locks that restrict the secondary [smartphone] market and harm consumers.”
SRFF and its board members have also worked to raise awareness within the cybersecurity community about the dangers posed by bricked and end of life devices. That includes leading discussions about the risks posed by “bricked and abandoned” devices at cybersecurity events such as Hackers on Planet Earth (HOPE) XV in Queens and DEF CON 32 in Las Vegas in August.
Digital transformation is remaking industries and economies. But with that transformation comes new risks: from hacks of critical infrastructure to data theft to anti-competitive practices that skew marketplaces and raise costs. As policy makers weigh rules, regulations and guidelines that promote cyber security and competitiveness, SRFF is working to win cybersecurity pros a seat at the table and ensure that lawmakers lay the foundation for a better, more secure and resilient technology future.
To learn more about SRFF, visit our webpage, or check us out on social media sites like LinkedIn, YouTube, Blue Sky, X, Facebook and Instagram. Finally, if you believe in our mission, consider making a donation to help support the work that SRFF members do!