Why We’re Introducing Model Legislation to Prevent Zombie IoT Devices

Do you know whether your Alexa device is still supported by Amazon? If you're still rocking the original "Pringles can" style smart speaker, the answer is no: Amazon has ended guaranteed software updates, including security updates, for that product. What about your Arlo wireless video cameras? A flurry of Arlo devices, including the Arlo Pro 2 Wire-Free cameras, lost support at the beginning of this year.

However, as a consumer you might not be aware of this, since you can still buy that camera on Amazon at the moment. Amazon even sells an older Arlo camera (the Arlo Pro Camera), which lost support on July 1, 2023, through its authorized refurbishing program. When connected devices reach their end of life, they stop receiving software and security updates, but they keep running, and they keep talking to the network. They become what we like to call zombie devices.

These zombie products can be taken over by malicious actors and used in botnets. They can also become the weak link in the consumer's home network: a device that can never be patched gives an attacker a permanent foothold behind the home router. The U.S. recently disrupted a botnet used by Volt Typhoon, a People's Republic of China (PRC) state-sponsored hacking group. The hackers had compromised routers and cameras used in homes and small businesses, and many of the compromised routers had reached end of life and were no longer receiving security patches. Other botnets routinely include IoT devices such as cameras or set-top boxes.

But figuring out whether your video doorbell or smart TV still gets security updates, and is therefore at risk, is a nearly impossible task for most consumers. The makers of IoT devices don't have to tell consumers when these devices reach the end of life, and often don't. Even when they do publish a list of products that have reached end of life, as Amazon and Arlo do, consumers have to dig around on web sites to find it. The lists are also inconsistent. Some manufacturers, such as Amazon, announce when products will reach end of life and then drop unsupported products from the list entirely. Others list only products that are at or near end of life, so consumers have no way to learn when the products they own today will stop receiving support.

Frankly, it's a mess. This is why Consumer Reports, Secure Resilient Future Foundation, U.S. PIRG, and the Center for Democracy and Technology have teamed up to produce a model bill that federal or state governments could adopt to address both the security risk and the consumer confusion. The Connected Consumer Products End of Life Disclosure Act would require the following from manufacturers and ISPs:

  • Manufacturers must clearly disclose a minimum guaranteed support time frame during which they will provide security and software updates for connected consumer products, and place the end date of that time frame on the product package or share it at the point of sale. This time frame must fit reasonable consumer expectations for the life of the product.
  • Manufacturers should also share the minimum guaranteed support end date on the connected consumer product's web page and keep it updated.
  • Manufacturers must proactively notify consumers when their connected consumer products will lose support and provide advice on how a consumer should handle the connected consumer product's end of life.
  • Notifications about the end of product life must include clear information about actions the user can take if they want to continue using the product in a secure manner, along with a list of features that will be lost and the vulnerabilities and security risks that are likely to result from the end of life.
  • The law also requires ISPs to remove company-provided connected consumer products (including routers) from consumer homes when they reach end of life.

Manufacturers are already starting to disclose some of this information, even if it is often hard to find. Major brands such as Amazon, Arlo, GE, Google, and Signify (maker of Philips Hue lights) already share some information on their respective web sites about how long they plan to provide security updates.

Brands that sell connected consumer products in the UK must abide by the UK's Product Security and Telecommunications Infrastructure Act, which requires them to publish how long they plan to support a connected device. The upcoming U.S. Cyber Trust Mark gives manufacturers the option of disclosing how long they plan to support their products' software. But today's efforts in the U.S. are voluntary, difficult to find, and leave plenty of room for consumer confusion.

Consumers support better access to this information as well. In December 2024, Consumer Reports conducted a nationally representative survey of 2,130 Americans, which found that 72% of Americans who have purchased smart devices believe manufacturers should be required to disclose how long they will support those devices.

The Connected Consumer Products End of Life Disclosure Act would take something some in the industry are already doing and make it obligatory for everyone, while also closing the loopholes that leave persistent security holes across home and small business networks.
