Consumer Reports strongly supports California’s Connected Consumer Products end of life disclosure bill. The bill, based on CR’s model legislation, would provide transparency around how long consumers can expect their connected devices to operate in a safe and secure manner. The bill has an added benefit of improving national and personal security.
Consumers are purchasing more devices that connect to the internet in the form of smart TVs, smart home products and even large appliances. But over time connected products lose software support, which can affect their security and also their features. For example, a connected TV that loses support may not support certain apps or a router that no longer gets updates becomes a potential security risk. Some devices may stop working altogether.
Additionally, when consumers keep connected devices such as routers and IoT products online after they have stopped receiving security updates, it leaves these products open to cyberattack. We call these devices zombies. Zombie devices post a very real security risk, because they can easily get hacked and become part of botnets used to take down web sites and services, or be used to establish footholds in networks. Attackers can also use the zombie devices to access home networks. But consumers have no way of knowing when their device becomes a zombie if the manufacturer doesn’t tell them.
This bill would help consumers to make informed purchases by requiring manufacturers to put a minimum guaranteed support time frame on product web pages, and disclose that time frame at the point of purchase. It also would require manufacturers to let consumers know when a connected device loses support. These two simple provisions would greatly improve cybersecurity by ensuring consumers can more effectively choose and use supported devices, which in turn will greatly reduce the number of unsupported zombie devices on the internet that are available for cyberattacks.