No one wants to give a holiday gift that may suddenly stop working or becomes a security risk for the recipient, but that’s what might happen if you give your loved ones a connected gadget. The Federal Trade Commission (FTC) released a report Tuesday showing that 89% of connected devices they reviewed — from glucose monitors to light bulbs — don’t have any information about when they will stop working. This leaves buyers uncertain about how long the product will last.
The FTC’s report, which investigated how manufacturers conveyed software support time frames for 184 different connected products. Of the 184 product webpages, only 21 or 11.4% disclosed the device’s software support duration or end date on the product web page. Further searching using Google, allowed the FTC investigators to discover information on 60 products, including support information for some products that were on the company’s web site, but not on the product web page.
The agency concluded that it’s difficult for buyers of smart products to find accurate information about how long a device will be supported, and thus how long such a device might last. The lack of uniformity when such information is provided, also makes it hard for consumers to compare different devices.
The agency’s findings credit and expand on research Consumer Reports did in September showing that among large appliance manufacturers, only three out of 21 brands (14%) provided buyers with an indication of how long they would support their appliances. And among those who provided a time frame, the maximum stated time frame for software support was five years. This is much less than the expected 10 years Consumer Reports found that consumers expect a large appliance to last.
Zombie Devices are a Danger for Everyone
Software support is essential for connected products, because any device connected to the internet requires continued updates to stay secure and operational. Without software updates, these devices can become zombies, slowly decaying and becoming a source of harm.
The end of software support means that over time the product may not work with modern operating systems or services. As Apple or Android release new versions of their operating systems, the apps that don’t get updates will stop working. The end of software support also means that the company may not fix security vulnerabilities, enabling malicious actors to hack the product. This is happening right now with several brands of routers sold to consumers and small businesses. Last week D-Link urged customers who are operating four of its routers to stop using the devices because a security researcher discovered a critical security exploit against them.
D-Link has said it does not plan to update those routers, which reached their end of life on May 1 of this year. Earlier this year, the Department of Justice announced that it had disrupted a Chinese hacking effort that took advantage of Cisco and Netgear routers that had reached their end of life, but were still in operation.
Clearly, when companies stop supporting software updates to connected products, consumers need to know. And ideally, they would have that information when they purchase the product, since it will affect how long the product will actually function in a safe and secure manner.
How Manufacturers and Government Can Help
But today, the only option for most consumers is to search the web to try to discover if they can find this information. And the FTC report shows that they probably can’t. If they are lucky, the buyers of connected devices might get an email or notice via their app, a few months before their smart device reaches its end of life. But Consumer Reports thinks consumers deserve to know how long a product will stay safe and secure when they buy a product, not a few months before it dies.
Consumer Reports has been advocating for companies to disclose a guaranteed minimum support time on the product packaging for connected devices. We think companies should plan for and disclose their plans for both security updates and anticipated engineering and cloud resources needed to keep a product functional to a certain date. This date can be extended at the company’s discretion, but should represent the minimum amount of time that the consumer can rely on the product to keep working.
In September we asked the FTC to set clear guidelines for connected devices that include a requirement for companies to disclose this guaranteed minimum support time. In today’s report, the FTC notes, “Manufacturers’ failure to disclose the duration of their software support commitments warrants further consideration by policymakers and law enforcers. Depending on the facts, the failure to inform prospective purchasers about the duration of software updates for products sold with written warranties may violate the Magnuson Moss Warranty Act.” The report also warns that failure to disclose plans for software support may be a deceptive or unfair practice, which would violate the law and allow the FTC to take action.
This is encouraging, and Consumer Reports hopes that the clear interest from the FTC prompts makers of connected devices to quickly and clearly start placing their plans for software support on their product web pages. In the long term, Consumer Reports would like to see product makers put this date on their packaging or at the point of sale, so consumers can easily find it.
We are also advocating for guaranteed minimum support time frames with the Federal Communications Commission’s voluntary U.S. Cyber Trust Mark program. Currently those that get the label can include a minimum support date by which consumers can expect to receive security updates, but the label also allows companies to state that they have no plans to include support time frames. The ability to ignore the requirement to post a minimum support date, and the voluntary nature of the FCC’s program means there is still a sizable opportunity for companies to harm consumers by shutting down or stopping security updates for their connected devices without providing any compensation or even notice to consumers.
Today’s FTC report shows that it’s too easy for a consumer to spend their hard-earned money on a gift or product that will eventually stop working, not because it physically breaks, but because the manufacturer has decided to stop providing software support. In today’s connected world, smart devices will reach their end of life, but consumers shouldn’t be caught by surprise when that happens.
