The proposed legislation, collectively called An Act Relative to Consumer Connected Devices, was introduced by Massachusetts Senator William Brownsberger and State Representative David Rogers in their respective chambers.
“Our daily lives have become intertwined with smart devices,” Rogers said in an emailed statement to WIRED. “Once a company decides it will no longer provide software updates for these devices, they become ticking time bombs for hackers to exploit. We need to ensure consumers are given the tools to understand their devices and the risks before they buy them.”
State Senator Brownsberger’s office acknowledged our request for comment, but he has not yet responded.
The bills come nearly a year after a joint report from advocacy groups Consumer Reports, US PIRG and the nonprofit Secure Resilient Future Foundation encouraged lawmakers to support policies that notify customers when their connected products stop working. That includes a wide range of smart home devices such as Wi-Fi routers, security cameras, connected thermostats and smart light bulbs. While it is a proposed state law for now, supporters hope it will lead to more legislation like it in the near future.
“Almost everyone has a story about a device they love that suddenly stops working the way they thought it would, or simply breaks,” says Stacey Higginbotham, policy associate at Consumer Reports. “Your product is now connected to a manufacturer through this software cable that determines how it is going to perform.”
The Massachusetts bill, if ultimately passed, would require manufacturers to clearly disclose on product packaging and online how long they will provide software and security updates for a device. Manufacturers should also notify customers when their device is nearing end of life and inform them of features that will be lost and potential security issues that may arise when regular support ends. Once a device stops receiving regular updates, it is more susceptible to cyber attacks and becomes a vector for malware.
“This is a problem that is becoming increasingly apparent as the Internet of Things matures,” said Paul Roberts, chairman of the SRFF and a Massachusetts resident who has worked with the lawmakers. “This is unavoidable. We can’t just leave them outside, connected and unpatched.”
Wi-Fi has been commonplace in homes and offices for more than two decades, which means there’s a rapidly growing population of old devices that are still connected to the Internet and that likely haven’t received security updates in years. These zombie gadgets – routers, sensors, connected devices, security cameras – are vulnerable to attack while their owners remain unsuspecting.
“We’re trying to reduce the attack surface,” Higginbotham said. “We cannot prevent it, but we do want consumers to realize that they can host something. In short, they have an open door that can no longer be locked.”
The bills’ focus on cybersecurity also has the benefit of attracting the attention of people who might be concerned about such issues, including US lawmakers.
“I hope that legislators can get their arms around this pretty easily and understand the problem here,” Roberts says. “And support the solution.”


