
On Tuesday, two Massachusetts lawmakers introduced two bills to the state’s House and Senate that, if passed, would create a state law requiring companies to tell customers when service on their connected products will end. It is an effort meant to tamp down on cybersecurity risks and also boost consumer protections. With knowledge about future support, consumers can confidently buy a device knowing how long they can expect it to reliably work, and when to plan for its eventual obsolescence.
The pieces of proposed legislation, collectively named An Act Relative to Consumer Connected Devices, were introduced by Massachusetts state senator William Brownsberger and state representative David Rogers in their respective chambers.
“Our daily lives have become intertwined with smart devices,” Rogers says in a statement emailed to WIRED. “Once a company decides it will no longer provide software updates for those devices, they become ticking time bombs for hackers to exploit. We must ensure consumers are given the tools to understand their devices and the risks, before they purchase them.”
State senator Brownsberger’s office has acknowledged our request for comment but he has not yet responded.
The bills arrive nearly a year after a joint report by the advocacy groups Consumer Reports, US PIRG, and the nonprofit Secure Resilient Future Foundation that encouraged lawmakers to support policy that would inform customers when their connected products were going to stop working. That includes a broad array of smart home devices, like Wi-Fi routers, security cameras, connected thermostats, and smart lights. While it is a proposed state law for now, supporters hope it will inspire more legislation like it in the near future.
“Almost everybody has a story about some device that they love that suddenly stopped working the way they thought it would or has just straight up died,” says Stacey Higginbotham, a policy fellow at Consumer Reports. “Your product is now connected to a manufacturer by this software tether that dictates how it’s going to perform.”
The Massachusetts bills, if eventually passed, would require manufacturers to clearly disclose on product packaging and online how long they will provide software and security updates for a device. Manufacturers would also need to notify customers when their device is approaching the end of its service life and inform them about features that will be lost and potential security vulnerabilities that may arise when regular support ends. Once a device stops getting regular updates, it’s more prone to cyberattacks and to becoming a vector for malware.
“This is an issue that is becoming more and more pronounced as the internet of things ages,” says Paul Roberts, president of the SRFF and a resident of Massachusetts who worked with the lawmakers. “This is inevitable. We can’t just leave them out there and connected and unpatched.”
Wi-Fi has been commonplace in the home and the office for over two decades, meaning there is a rapidly growing population of old devices still connected to the internet that likely haven’t received security updates in years. These zombie gadgets—routers, sensors, connected appliances, home security cameras—have been left vulnerable to attack by their unsuspecting owners.
“We’re trying to reduce the attack surface,” Higginbotham says. “We cannot not prevent it, but we do want to give consumers the awareness that they could be hosting something. Basically, they have an open door that can no longer be locked.”
The bills’ focus on cybersecurity also has the benefit of catching the eye of people who might worry about that kind of thing—like US legislatures.
“I’m hoping legislators are able to pretty easily wrap their arms around this and understand the problem here,” Roberts says. “And get behind the solution.”
