Hey Siri, Are You a Zombie?

In December 2023 the U.S. government disrupted a botnet operated by People’s Republic of China (PRC) state-sponsored hackers. The hackers had compromised routers and cameras used in homes and small businesses and turned them into a botnet capable of taking down legitimate web sites or infrastructure. The compromise was possible because these devices had stopped receiving software updates, so known vulnerabilities were never fixed. The devices had reached what the IT world refers to as their end of life, but we like to call them zombies.

What the Heck is a Zombie Device?

These zombies are everywhere. They pose a risk to both individuals and national security because they can be taken over by malicious actors at any time. Once compromised, a device may help spread and fuel a botnet, or it may give hackers a way into the home or office network, where they can access information or distribute ransomware.

In the fourth quarter of 2024 internet infrastructure firm Cloudflare stopped a record-breaking distributed denial of service (DDoS) attack fueled by IoT devices. In the same report that disclosed the record-breaking botnet attack, Cloudflare documented that the largest source of traffic used in DDoS attacks appears to come from compromised smart TVs and digital set-top boxes.

Aside from the security risks, zombies also pose a risk to consumers who buy products with internet connectivity expecting those products to last until they physically break. Many consumers don’t understand that with some types of connected devices, when security updates end, many of the useful features of their product end with them. 

Ideally, when connected products reach their end of life and stop getting security updates, they should be taken offline to minimize security risks. But even if a consumer leaves the product online, they will eventually lose the feature updates that let it keep up with newer versions of its apps. So not only does your smart TV become a potential security risk once it stops getting software updates, it may also stop being able to run the latest version of the Netflix app.

The security risks are often immediate, while the loss of features such as support for updated apps or for talking to Alexa or Siri may take time to show up. But the essential point remains: any connected device requires up-to-date software, and when support for that software ends, the device becomes a security risk even as its usefulness degrades.

So What if my Device is a Zombie?

Many consumers aren’t aware of this. In December 2024, Consumer Reports conducted a survey of 2,130 Americans asking them about the types of connected devices they own, how long they expect those products to last, and the relationship software has to how those devices function. Among people with any type of connected device, four in ten (43%) said that the last time they purchased one they were not aware that it might lose software support at some point. Roughly a third of consumers with a connected device (35%) said they had been aware that their product would lose software support at some point, and 22% said they did not recall.

What’s even more eye opening is how many consumers expected their products to retain their usefulness after losing software support.


Based on the chart above, it’s clear that a lot of Americans who own smart devices don’t understand the relationship between software support and how long a device might retain its usefulness. I don’t blame them. It’s a tough thing to understand. There are two types of software support. The first is regular feature and operating system updates that keep the device working with the latest versions of whatever software the product and its app run on. The second is security updates that fix vulnerabilities after they are discovered.

Both kinds of software updates are important to keep a device functioning. Even so, it can be hard to tease out how well a device will work once a manufacturer stops providing them. The usefulness of a connected device depends on several factors, including how central software is to its core features, how central connectivity is to those features, and whether the consumer actually uses the connected features at all.

For example, a large appliance such as an oven should still heat food even if the internet stops working. For consumers who buy a connected oven but don’t plan to use the connected features, such as remote pre-heating or AI cooking functions, losing internet access and software updates won’t matter. If they did connect the device to their network, however, and the product loses software updates, they should disconnect it from their network immediately.

So when 70% of consumers who have a connected large appliance say they think their connected large appliances will be useful even after their software is no longer supported, they are probably right. And to keep those appliances from becoming zombies that are useful to hackers, they should take them offline when the product loses support. 

However, when other devices such as the smart TV mentioned earlier, or a smart speaker, are no longer supported, they may also stop being useful. Because these zombie devices should be removed from the internet for security reasons, a TV will lose the ability to stream content and a smart speaker will lose access to its digital assistant.

Even if a consumer leaves the zombie device online, over time an unsupported device will lose the ability to run newer versions of apps. Consumers have likely encountered this on their phones when they try to download a new version of a favorite app only to be told that their phone no longer supports it because they are stuck on an old operating system. The same will happen with smart TVs, and in some cases with video doorbells or video cameras. Eventually, as the consumer keeps the app updated, it will stop working with the device that is no longer supported.

Based on the classes of devices above, it’s reasonable to assume that consumers would be most impacted by smart TVs, routers, video doorbells, smart speakers and video cameras losing software support. Consumers relying on apps to program smart thermostats, light bulbs and to control robot vacuums might notice when their devices lose software support, but if they take those offline to avoid them becoming zombies, the devices should still be somewhat useful.

Are the Zombies in my Home Right Now?

Zombies are clearly a problem. However, even if a consumer is aware that a connected device may not function safely or as well after software support ends, they often have no idea whether or not their product has become a zombie. Only 39% of Americans who owned a smart device and realized that they had lost software support found out about losing that support from the manufacturer. The rest saw it in the media or simply saw their devices stop working. Those that answered “other” mentioned they found out via their grandkids, they found out after calling for support, or “it was acting strange.”

Ironically, “it was acting strange,” is often the only indication a consumer may have that their device has been taken over by a malicious actor. They may see their overall network performance slow down, the device lag, or the device turning off and on at odd times. Zombie devices can lurch about erratically just like fictional zombies.

Today, the makers of smart devices have no clear legal obligation to tell consumers when the software support for their products ends. We’ve documented this problem through research into how long manufacturers say they will support smart appliances (only 14 percent of the 21 brands we contacted provide a specific time frame), and the FTC has done an even larger study across 184 devices showing that only 11 percent provide support time frames to consumers. In the conclusion of that study, the FTC wrote that the “failure to provide software updates or the failure to disclose the duration of software support raises concerns about harm consumers cannot avoid,” which the FTC indicated could constitute a violation of Section 5 of the Federal Trade Commission Act.

What’s important is that every connected device has an expiration date, dictated by how long the manufacturer plans to support its software. Today, consumers often have no way of knowing that expiration date, if one even exists. Consumer Reports also wanted to know how long consumers expected manufacturers to support their software.


The results range widely. A lack of awareness around the importance of software updates and what it means when devices lose software support probably contributes to the wide variation of expectations here. However, there is clearly an expectation for longer support time frames. 


It’s Zombie Hunting Time

Clearly zombie devices are bad. And our data shows that many consumers are unaware of the threat these zombies represent, while those who are aware may not be able to find out whether they are even harboring zombies on their network. This could be discouraging, but we actually have a pretty good sense of how to solve the problem.

The first solution is requiring manufacturers to disclose when they plan to stop providing software updates. We call this a minimum-guaranteed support time frame. A manufacturer can extend this period, but for every connected product it sells, it must pledge to provide software updates for a minimum amount of time, disclosed at the point of sale and on the product web page. The good news is that many makers of smart home devices, such as Amazon, Google, Signify (the maker of Philips Hue products), and others, already do this on the web. Yes, you have to search for it, but at least these manufacturers have a plan. A majority of Americans who own a smart device support this requirement, as shown in the chart below, and among all Americans 68% believe manufacturers should be required to disclose how long they will support the software in their devices.

The upcoming U.S. Cyber Trust Mark Program will also help with this. The program will let consumers scan a QR code on a product’s packaging to access a label that shows how long the manufacturer plans to support its software. This labeling program is voluntary and labels won’t appear on products until early next year, but it’s a start.

The second solution to eradicate zombie devices is to educate consumers about the harm of leaving these devices on their network. A device may look like it is working, but if it isn’t receiving software updates it is a danger as long as it is still connected to the internet. There are technical options, such as replacing the manufacturer’s code with open source software or running some devices only on the local network, that could keep these devices out of the landfill and in some form of operation, but that’s a post for another day.
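For readers who want to try the “local network only” option now, here is what it looks like on a Linux-based home router running nftables. This is an added example and not code from the original post or from any device maker; it assumes the LAN bridge is named br-lan, the WAN uplink is eth0, and the unsupported device has been pinned to 192.168.1.50 with a DHCP reservation (all hypothetical names and addresses to replace with your own).

```nft
# Added example (not from the original post): confine an out-of-support
# device to the LAN so it keeps working locally but can no longer reach,
# or be reached from, the internet.
# Assumptions (hypothetical): Linux router with nftables, LAN bridge "br-lan",
# WAN uplink "eth0", zombie device fixed at 192.168.1.50 via DHCP reservation.
table inet zombie_quarantine {
    set zombies {
        type ipv4_addr
        # Hypothetical address of an unsupported smart TV; add more as needed
        elements = { 192.168.1.50 }
    }

    chain forward {
        # Hooks the forward path next to the router's existing filter rules;
        # the policy stays accept so only traffic matched below is dropped.
        type filter hook forward priority 0; policy accept;

        # Zombie -> internet is dropped. Traffic to other LAN hosts (casting,
        # a local control app) is unaffected: it is switched inside br-lan
        # and never leaves on eth0.
        ip saddr @zombies oifname "eth0" counter drop

        # Internet -> zombie is dropped too, so a port forward or UPnP
        # mapping the device set up earlier cannot expose it. DNAT has
        # already rewritten the destination to the LAN address here.
        iifname "eth0" ip daddr @zombies counter drop
    }
}
```

Check the syntax with `nft -c -f quarantine.nft`, then load it with `nft -f quarantine.nft` (and add it to whatever your router uses to restore rules at boot). The `counter` on each rule is the useful check: `nft list table inet zombie_quarantine` shows how often the device is still trying to phone home, which is exactly the kind of unexplained activity this post worries about. The example covers IPv4 only; if the device also gets a global IPv6 address, add a matching `ip6 saddr`/`ip6 daddr` pair or turn off IPv6 for it.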
