
Consumer Reports, US PIRG, and Secure Resilient Future Foundation Propose “Connected Consumer Products End of Life Disclosure Act” to Address IoT Security Risks

Consumer Reports, Secure Resilient Future Foundation (SRFF), and US PIRG today announced a joint effort to address the growing security risks posed by outdated Internet of Things (IoT) devices. The organizations have developed a model bill, the “Connected Consumer Products End of Life Disclosure Act,” aimed at requiring manufacturers and Internet Service Providers (ISPs) to provide clear and timely information about the support lifecycles of connected devices.

The proliferation of IoT devices in homes and businesses has created a significant security challenge. When these devices reach their end of life and no longer receive software and security updates, they become vulnerable to exploitation by malicious actors. These “zombie devices” can be hijacked and used in botnets, posing a risk to individual users and the wider internet.

“Consumers deserve to know how long their connected devices will be supported,” said Justin Brookman, director of technology policy for Consumer Reports. “Currently, it’s nearly impossible for most people to figure out if their devices are still receiving critical updates. This lack of transparency leaves consumers vulnerable and creates significant security risks.”

The proposed legislation seeks to address this issue by mandating:

  • Clear disclosure of minimum guaranteed support timeframes: Manufacturers must clearly disclose the duration for which they will provide security and software updates, both on product packaging and online. This time frame must fit with reasonable consumer expectations for the life of the product.
  • Proactive consumer notification: Manufacturers must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device’s end of life.
  • Information on lost features and vulnerabilities: Notifications about end-of-life must include details about features that will be lost, and potential vulnerabilities and security risks that may arise.
  • ISP responsibility: The bill requires ISPs to remove company-provided connected devices, such as routers, from consumer homes when they reach their end of life.

“One day, your internet-connected devices will stop working, become insecure—or both. But you won’t know when. Companies selling smart products don’t have to disclose how long they’ll provide software support and security updates, so they can end support, disable features, or stop security updates at any time, leaving smart connected devices vulnerable to hackers,” says Paul F. Roberts, President of the Secure Resilient Future Foundation (SRFF), a nonprofit of cybersecurity and sustainability experts. “SRFF is proud to have contributed to this legislation, and will advocate for its passage to strengthen our cybersecurity.”

A nationally representative December 2024 survey conducted by Consumer Reports found that 72% of Americans who own smart devices believe manufacturers should be required to disclose how long they will support those devices’ software.  

The organizations are calling on federal and state governments to adopt the “Connected Consumer Products End of Life Disclosure Act” and prioritize the security of connected devices.

Contact: cyrus.rassool@consumer.org