The Last Hurrah: How to Handle and Harden Unsupported IoT Devices

When end of life in your device means the end of security

The last few months have been tough for consumers who got into the smart home early on. In October, Google ended support for its first and second generation Nest thermostats after 14 years. In January, Belkin ended support for WeMo products. After May 20, Amazon will stop supporting several early generations of Kindle e-readers. 

Companies killing off connected devices isn’t anything new, but at Consumer Reports (CR) we’re trying to address the challenges that connectivity brings to the average product’s lifespan and eventual demise. First up, we are pushing legislation in several states that would require companies to disclose up front how long they plan to keep connected devices connected and up-to-date. Our model legislation also requires those support time frames to match reasonable consumer expectations about the lifespan of the device. For companies that want to build long-lived connected devices, we have developed a list of recommendations that they can implement.

But we haven’t spent much time thinking about how a responsible manufacturer should take a device offline once it has decided to stop supporting it. A device that stops receiving security updates but stays online becomes a standing liability: any vulnerability found after the last update remains exploitable for as long as the device is on the network. We call these devices zombies, and they are increasingly attractive targets for attackers, who recruit them into botnets and use them as a foothold into the rest of the home network. 

What options do consumers have?

Given these concerns, CR decided to look at the responsibilities a manufacturer has to harden a device before cutting it loose into the wild. Hardening a device means reducing its attack surface: the set of services, ports and interfaces an attacker can reach. The idea is that before a device maker stops supporting a product, it patches known vulnerabilities and turns off every non-essential service. This is an urgent topic, especially in the wake of reports that end-of-life Nest thermostats were still reporting data back to Google’s servers even though users could no longer control the devices remotely. 

Our model legislation, which requires a company to set a minimum support period for a connected device, also requires manufacturers to tell consumers how to operate that device securely after support ends, where that is possible. But if a consumer doesn’t take the device offline, what should a manufacturer do to prevent an end-of-life device from becoming a zombie?

When a company decides to stop issuing security updates and supporting a connected device there are four potential options available to consumers. 

  • Remove the device from the home and network entirely.
  • Keep the device online even though app support or connected features stop working: This is the default scenario, since most consumers may not even notice when a device stops getting updates or loses its cloud connection. But it exposes the consumer to risk: any vulnerability found on the device after the last update can be exploited to spread malware or exfiltrate data, and nobody is left to fix it.
  • Keep the device in the home but disconnect it from Wi-Fi: This makes sense for products that retain most of their functionality without an internet connection, such as a connected fridge or washing machine. But it requires the consumer to know when manufacturer support stops and then actively remove the device from the network. 
  • Keep the device on the network with new firmware/software: When popular products lose manufacturer support, we often see workarounds or community projects designed to keep them working. Consumers typically have to find and load new software onto the device themselves, and they then depend on that third-party community, rather than the manufacturer, for security fixes and continued operation.  

What should responsible manufacturers do?

Regardless of what the consumer decides to do, manufacturers have a role to play in ensuring these end-of-life devices are hardened before support stops. Once a manufacturer stops providing security updates and cloud or app support, it should do the following things.

  • The manufacturer should proactively alert the consumer that the device should be taken offline and provide clear instructions on how to do so. This alert should include the following:
    • Exactly which features the device will lose when cloud support ends, even if it stays connected.
    • Exactly which further features the device will lose if the consumer then takes it offline, so the consumer can judge what is left worth keeping.
    • Ideally, a tool that removes the device from the consumer’s Wi-Fi network in a single step. That tool should wipe the stored Wi-Fi credentials (a factory reset of the network settings), not just drop the connection; otherwise the device will simply rejoin the network after its next power cycle.
  • Manufacturers should build tools that allow consumers to delete their data from the device and from the manufacturer’s servers before disposing of a product, and should tell consumers what happens to any data left on those servers.
  • In case the device is left online, the manufacturer should issue a final software update that brings every component to its latest version and disables whatever the device no longer needs: close unused network ports, remove developer and debug access such as telnet, SSH or serial consoles, and stop the device from phoning home to cloud endpoints that will no longer exist. A consumer or reviewer can check the result by running a port scan against the device from another machine on the same network and confirming that nothing unexpected is still listening. 
  • The manufacturer could push a local API to the device before it is disconnected. A local API lets the device retain some functionality and communicate with other devices, such as a smart home hub or a phone, after the cloud servers are shut down, so the user can still control the device locally via an app if they choose. For example, Bose provided a local API as part of its plan to sunset the Bose SoundTouch speakers this month. That step ensured that some functions of the speakers still work with the app.
  • In some cases a manufacturer might open up the device software to third parties or allow a community to take over back-end support for a connected device. Before doing this, the manufacturer should harden the device ahead of its new life on the internet. When taking this step:
    • The manufacturer should tell consumers that if they move to third-party software, they need to harden the device themselves, and should provide instructions on how to do so.
    • The manufacturer should publish a software bill of materials (SBOM) for the product, in a machine-readable format such as CycloneDX or SPDX, so that third-party maintainers can match the components and versions actually shipped on the device against new vulnerability advisories as they appear. 
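The SBOM recommendation above is the one step on this list a third-party maintainer can act on mechanically. The following is an added example, not code from Consumer Reports or from any manufacturer named on this page: it reads a small CycloneDX-style SBOM and checks each component against a vulnerability feed. Both the SBOM (a hypothetical thermostat firmware) and the advisory entries are constructed for illustration; the component names, versions and advisory IDs are invented and do not describe real products or real vulnerabilities. The advisory shape borrows the "introduced"/"fixed" range idea from the OSV schema, but the matching is hand-rolled here rather than a library call.

```python
"""Match an SBOM against a vulnerability feed (added example, constructed data)."""
import json

# Constructed CycloneDX-style SBOM for a hypothetical end-of-life thermostat.
# Names, versions and purls are illustrative only.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "busybox", "version": "1.36.1",
     "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "tlslib", "version": "2.4.0",
     "purl": "pkg:generic/tlslib@2.4.0"},
    {"type": "application", "name": "httpd-lite", "version": "0.9.3",
     "purl": "pkg:generic/httpd-lite@0.9.3"},
    {"type": "application", "name": "cloud-agent", "version": "3.1.7",
     "purl": "pkg:generic/cloud-agent@3.1.7"}
  ]
}
"""

# Constructed advisory feed. Each entry says which package is affected from
# "introduced" (inclusive) up to "fixed" (exclusive); fixed=None means no fix
# has been released. The entries are invented for this example.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "tlslib",
     "introduced": "2.0.0", "fixed": "2.4.3"},
    {"id": "EXAMPLE-0002", "package": "httpd-lite",
     "introduced": "0.9.0", "fixed": "0.9.3"},
    {"id": "EXAMPLE-0003", "package": "cloud-agent",
     "introduced": "3.0.0", "fixed": None},
]


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so tuples compare numerically.

    A trailing non-numeric suffix such as '1.2.3-rc1' is truncated at the
    first non-digit character, which is sufficient for the inputs here.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or version >= introduced if unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def affected_components(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    """Cross-reference every SBOM component against every advisory."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in affected_components():
        fix = f["fixed_in"] or "no fix available"
        print(f"{f['component']} {f['version']}: {f['advisory']} (fixed in {fix})")
```

Run against the constructed data, the script flags tlslib 2.4.0 (below the fixed version) and cloud-agent 3.1.7 (affected with no fix), and clears httpd-lite 0.9.3 because it already sits at the fixed version. The unfixed finding is the interesting one for a zombie device: the manufacturer will never ship that fix, so a maintainer's only options are to replace or disable the component.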

Connected devices are not going away. As manufacturers embed AI and connectivity into more of their products, figuring out how to mitigate the security threat of zombie devices becomes more urgent. Leaving these devices exposed to the internet without hardening them creates a hazard akin to dumping plastics in landfills. Doing nothing will cost us, so working with manufacturers and educating consumers is necessary. Let’s talk about it.
