Why smart home devices should carry software support expiration dates

Have you thought about what you’re going to do when your smart fridge is too old to download its latest software update? While you’d probably replace your phone or computer when its software hits its end of life, your fridge will still keep your food cold even if it can’t stream TikToks like those fancy newer models can.

As connected devices grow old, they can potentially fuel botnet attacks

As connected devices in our homes, such as smart TVs, thermostats, and appliances, grow old and lose security updates, they can potentially become targets to help fuel botnet attacks — and new research by Consumer Reports shows that most owners aren’t aware of the risks.

Botnet attacks are a risk not only to your home network but also to national security. In these attacks, hackers use a network of infected devices to bring down a server or website via a distributed denial-of-service (DDoS) attack, potentially taking useful services or critical infrastructure offline for extended periods of time.

IoT gadgets have been involved in several attacks over the years, including the infamous Mirai attack nearly a decade ago. As the smart home matures, the number of susceptible “zombie devices” grows: connected devices that are still online but not getting necessary security updates.

The good news is that most smart appliances are designed to carry out their primary function without an internet connection, so the simple fix when they’ve reached the end of their “smart” life is to disconnect them from Wi-Fi and carry on. This should make sure your aging smart thermostat doesn’t become the equivalent of an extra on The Walking Dead — no longer alive but capable of great harm.

However, in most cases, devices like Wi-Fi routers, smart speakers, and streaming sticks won’t work unless they’re online. If these devices aren’t getting security updates, you should stop using them immediately. Just this week, Taiwanese router maker Zyxel said it wouldn’t patch two actively exploited vulnerabilities found in its routers and told customers to stop using them.

But how are you supposed to know when your smart home gadget has reached this fragile state? And wouldn’t you have liked to know this was going to happen before you purchased it? Ideally, companies need to publicize how long they’ll support products and warn consumers once their devices are no longer secure.

A new survey from Consumer Reports published this week shows — somewhat unsurprisingly — that over 40 percent of Americans had no idea that their smart gadgets might lose software support one day. And nearly 70 percent of the 2,130 people surveyed believe that smart appliances such as fridges, washing machines, and ovens should continue to work even after losing support.

The consumer advocacy publication is calling for companies to provide a minimum guaranteed support timeframe for any connected product — an expiration date, so to speak. “A manufacturer can extend this time, but for every connected product they sell, a manufacturer must provide a pledge to provide software updates for a minimum amount of time that they disclose at the point of sale and on the product web page,” writes Stacey Higginbotham, a policy fellow with Consumer Reports.

While smartphone and PC manufacturers are fairly good at alerting customers when their devices have reached their end of life, few manufacturers of smart home devices publish the expiration dates of their products or reliably inform customers when a device is no longer receiving software updates.

According to Consumer Reports, fewer than 40 percent of those surveyed knew that a device they owned had lost support because the manufacturer notified them. The rest heard about it through the media or realized only once their device stopped working properly.

There are some companies making good-faith efforts here. Consumer Reports singles out Amazon, Google, and Signify (the manufacturer of Philips Hue lighting) for having plans in place for software lifespans.

For example, in its end-of-support policy, Philips Hue states it will continue to support its lightbulbs with security updates for a minimum of five years from the day you buy them. This list on Amazon shows how long its Echo smart speakers and displays will get security updates, and Google has a similar resource for its smart home products.

According to Consumer Reports’ research, only 3 out of 21 appliance brands publicize how long they guarantee updates to their appliances’ software and applications. However, you still have to dig through websites to find any of this information.

It’s a significant shift for a consumer to think about the software lifespan of appliances like fridges, washing machines, and thermostats when they’re looking to buy them, but it’s an important one.

The Consumer Reports survey shows that around 70 percent of respondents believe manufacturers should be required to disclose how long they’ll support the software in their devices. Publishing an expiration date for security support at the point of sale would help people understand the risks as well as the benefits of buying connected devices.

But you can see why manufacturers aren’t keen to advertise that the $200 smart thermostat you’re thinking about buying might stop functioning as you’d expect in a decade or that it might become a security risk or an expensive paperweight. Additionally, smaller companies can struggle to plan that far ahead.

Smart thermostat company Ecobee recently ended support for its original smart thermostat after 16 years and doesn’t guarantee how long it will support its current line. While Ecobee’s track record is very good here — it still supports the Ecobee3 model it launched in 2014 — it’s understandably hard for companies to see into the future.

Of course, there’s nothing stopping companies from extending their timeframes. Amazon-owned router company Eero guarantees updates for at least 5 years after a device is last available to buy, meaning support for its second-gen Eero — which is still available to buy — jumped from 2027 to 2030. However, that doesn’t address the concern that someone might choose not to buy the device based on an expiration date.

The FTC is also paying attention here. Last year, it issued a report stating that almost 90 percent of connected devices it reviewed didn’t offer information on how long software support would be provided and that this could be a violation of federal law.

The FCC’s US Cyber Trust Mark. If a product displays this, it complies with security requirements, including a minimum support period end date.

One potential solution lies in the US Cyber Trust Mark Program, which the FCC launched last month. The mark — accessed via a QR code on a product’s packaging or link on a website — provides details about a product’s security, including its “minimum support period end date.” This data can be easily updated by a company, making it more fluid than stamping an expiration date on the product.

But the Cyber Trust Mark Program is brand new and voluntary, meaning there’s no guarantee you’re going to see one on your next smart TV, nestled alongside the Energy Star label.

Considering the potential far-reaching security concerns around these zombie devices, there’s a strong argument to be made that companies should be forced to provide this data. Whether that’s using the Cyber Trust Mark, the Product Security Verified Mark being developed by the Connectivity Standards Alliance, or through other forms of legislation, this is a problem that needs a solution.
