SRFF Testifies in Support of Massachusetts Consumer Connected Device Bills

Massachusetts State House (Image by Jens Junge at Pixabay)

Our progress towards a more secure and resilient future continues! On June 23, Secure Resilient Future Foundation (SRFF) President and Co-Founder Paul Roberts testified at a hearing before the Massachusetts Joint Committee on Consumer Protection and Professional Licensure in support of S.3090 and H.5114, An Act Relative to Consumer Connected Devices.

The legislation, similar to bills filed in New York and California, would require manufacturers of Internet-connected products to disclose how long they intend to provide software support and security updates for those products before consumers purchase them.

This was the Massachusetts legislature’s first hearing on the Connected Consumer Devices Act. In his testimony, Roberts highlighted a growing cybersecurity and consumer protection problem: millions of Internet-connected devices remain in service long after manufacturers have stopped providing software updates and security patches. While these products continue to function, they often become increasingly vulnerable to cybercriminals and nation-state actors who exploit known, unpatched security flaws.

That risk extends to the Bay State, where analysis by the firm GreyNoise Intelligence in 2025 found more than 33,000 compromised edge devices deployed on the public Internet in Massachusetts.

Unique IP addresses on Massachusetts' Public Internet exhibiting suspicious behavior. (Source: GreyNoise Intelligence)

Federal cybersecurity agencies, including CISA, have repeatedly warned that compromised end-of-life routers, cameras, and other Internet-connected devices are being used to build botnets and support attacks against critical infrastructure. The cybersecurity risks are real, and they are growing.

“Consumers deserve to know how long the software that powers their products will be supported,” Roberts told lawmakers. “Without that information, families, businesses, and communities are left exposed to growing cybersecurity risks while manufacturers face little accountability for abandoning products after sale.”

SRFF President Paul Roberts testifies at a June 23, 2026 hearing by the Massachusetts Joint Committee on Consumer Protection and Professional Licensure.

The hearing (video) featured testimony from cybersecurity researcher Silas Cutler and Consumer Reports’ Stacey Higginbotham, both of whom emphasized the security and consumer harms associated with unsupported connected devices. Together, the panel urged lawmakers to adopt a common-sense transparency requirement that would allow consumers to compare products based not only on features and price, but also on software support and security.

The bills do not mandate minimum support periods. Instead, they require manufacturers to clearly disclose their support commitments, empowering consumers to make informed purchasing decisions while encouraging greater competition around product longevity and cybersecurity.

SRFF’s support for the legislation is part of its broader Abandon Abandonware campaign, which seeks to address the growing crisis of unsupported software and end-of-life connected devices. As more household products, appliances, vehicles, and critical systems become software-dependent, transparency around software support has become essential to cybersecurity, consumer protection, and environmental sustainability.

The hearing marked an important step forward for legislation that would make Massachusetts a national leader in protecting consumers from the hidden risks of unsupported technology.

SRFF thanks Chairs Payano and Chan, as well as the members of the Joint Committee, for considering this important legislation.

To learn more about SRFF’s work on end-of-life software, connected-device security, and technology resilience, visit secure-resilient.org.
