Consumer Groups Push Law To Rein In Zombie Devices
Model legislation from Consumer Reports, US PIRG and SRFF requires manufacturers to declare software support periods prior to purchase, and requires ISPs to replace their end-of-life devices.
A group of consumer advocacy groups introduced model legislation on Thursday to address the growing epidemic of “zombie” Internet of Things (IoT) devices that have had software support cut off by their manufacturer.
The Connected Consumer Product End of Life Disclosure Act requires manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.
A Law To Combat Zombie Devices
The model legislation is the brainchild of Consumer Reports, U.S. PIRG, the Public Interest Research Group, and SRFF*, the Secure Resilient Future Foundation - consumer advocacy groups that have been raising alarms about the growing epidemic of what Consumer Reports refers to as “zombie devices.”
Recent surveys of consumers show that purchases of smart, Internet-connected devices often happen without any knowledge on the part of the consumer about how long the software running the device will be supported. For example, a December 2024 Consumer Reports survey of 2,130 Americans found that four in ten (43%) owners of a connected device said that the last time they purchased one they were not aware that it might lose software support at some point, while 22% of those surveyed said they did not recall whether or not they were informed.
A Federal Trade Commission study published in November 2024 surveyed 184 connected products and found that just 21 (11%) disclosed the device’s software support duration or end date on the product web page. A similar study by Consumer Reports of the top large appliance brands found that only three of 21 brands told consumers how long they guarantee updates to their appliances’ software and applications.
“Consumers deserve to know how long their connected devices will be supported,” said Justin Brookman, director of technology policy for Consumer Reports in a statement. “Currently, it’s nearly impossible for most people to figure out if their devices are still receiving critical updates. This lack of transparency leaves consumers vulnerable and creates significant security risks.”
The model legislation, if passed, would create new requirements for smart device makers, including the need to clearly disclose how long they will provide security and software updates on product packaging and online, according to a draft published by Consumer Reports.
The disclosed support period must also fit with “reasonable consumer expectations for the life of the product,” according to the draft language, meaning that device makers can’t simply assign arbitrary or unrealistically short support periods to long-lived products.
If enacted as written, the law would also require manufacturers to notify consumers when their devices are nearing end of life and to provide guidance on how to manage that. Such notifications would also be required to include details about what features and capabilities the device will lose, as well as the potential security risks of keeping it operating without active software support.
The Cyber Risk of EOL Devices
The Act also seeks to improve U.S. cybersecurity by requiring Internet Service Providers to remove and replace unsupported “end of life” hardware, such as broadband routers, that they sell or lease to their customers. Such devices are easy prey for hackers. In recent years, they have been targeted and hacked by China-backed crews looking to conduct espionage and disruptive attacks on U.S. companies, government agencies and critical infrastructure.
“A device that is remotely discoverable but locally forgotten is a risk, an avoidable risk,” said Dan Geer, the CISO of In-Q-Tel and a board member at SRFF. “As the number of devices grows, that risk grows. Somebody or something has to keep track.”
Coming to a Legislature Near You!
The organizations are working with legislators at the state and federal level to get the model legislation introduced. Both the federal and state governments need to adopt the “Connected Consumer Products End of Life Disclosure Act” and prioritize the security of connected devices, the groups believe.
(*) Fight to Repair Newsletter is a publication of the Secure Resilient Future Foundation, a 501(c)(4) non-profit organization.