
Consumer Groups Push New Law Fighting 'Zombie' IoT Devices (consumerreports.org)

Long-time Slashdot reader chicksdaddy writes: A group of U.S. consumer advocacy groups on Wednesday proposed legislation to address the growing epidemic of "zombie" Internet of Things (IoT) devices that have had software support cut off by their manufacturer, Fight To Repair News reports.

The Connected Consumer Product End of Life Disclosure Act is a collaboration between Consumer Reports, US PIRG, the Secure Resilient Future Foundation (SRFF) and the Center for Democracy and Technology. It requires manufacturers of connected consumer products to disclose how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.

The groups proposed legal requirements that manufacturers "must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device's end of life," while end-of-life notifications "must include details about features that will be lost, and potential vulnerabilities and security risks that may arise." And when an ISP-provided device (like a router) reaches its end of life, the ISP must remove it.

"The organizations are working with legislators at the state and federal level to get the model legislation introduced," according to Fight To Repair News.

  • by Valgrus Thunderaxe ( 8769977 ) on Sunday March 16, 2025 @10:04PM (#65239055)
    I guess that means I need to give them my personal information. That's a non-starter, out of the gate.
    • Fair enough, so you've chosen to have a zombie device. To each their own.

      In my case I'd have no problem handing over randomaddress123456@gmail.com to get notifications.

    • It does not mean that. A simple example of a totally private device would be a device that displays said notification on the built-in screen, stating that you have not applied updates in too long, therefore you are now at risk. This device would not automatically apply updates, as that could compromise your location (at the very least the IP you're connecting from). The manufacturer would release updates on a regular cadence, so your device knows exactly when to expect an update.

      If you allow devices which aut
    • Just set it to 25 years after last sale.

      Or provide source code for the device.

  • and it is being exploited remotely I think the owner's ISP should be able to block the malicious connection, or throttle the connection down to nothing or sandbox it to neutralize the threat,
  • by viperidaenz ( 2515578 ) on Sunday March 16, 2025 @10:32PM (#65239075)

    Software updates usually stop before the product hits the shelf

  • Right to Update (Score:5, Insightful)

    by crow ( 16139 ) on Sunday March 16, 2025 @10:51PM (#65239087) Homepage Journal

    When a company drops support for a product, they should be required to release information to allow owners to update to open source software. Details of how to make this work are tricky, and it might not help much unless there is enough of a community to develop and distribute hacked firmware that uses alternate servers or whatever.

  • Most of them were EOL the day you bought them. They crank them out by the millions, recompile the stock China Inc software to work with whatever, and then they are gone. And good luck getting a big company to give up their secrets.

  • Maybe the next one will be more open to this kind of consumer-friendly legislation.

  • Must remove? (Score:4, Interesting)

    by Uldis Segliņš ( 4468089 ) on Monday March 17, 2025 @12:47AM (#65239207)
    What is this nonsense? They remove basic or all functionality against my will, and as a bonus they will take it physically? Win win, yeah! Wtf?! Just open up the server software and someone will support it instead. And the local software as well, so I can remove your buggy crap and put on open-source supported firmware. Solutions of the cleverestest; removal does not solve anything. How exactly do they think a Chinese weirdname company that has closed down will do it?
    • I just read the summary, so forgive me if I am wrong, but the only devices that would be physically removed are the ISP-provided devices that you likely don't own anyways.

      For example, ISP A "leases" their router to you every month for your internet connection. Assuming you use it and not your own, if that piece of hardware goes obsolete then the ISP has to remove it also implying that they would need to give you a newer, non-obsolete one.

  • Some observations.
    Then a question for all - is there any actual implementation of these ideas already extant or underway?

    Discounting all the cynicism, exploit concerns, company bad faith, and other "dark" issues, this is a legitimate concern.
    Even if a company made a good product, useful, no spying, honestly supported the product, etc. - BUT - they then go out of business, what happens to the products and users?

    Scenario A. If the product is self-sufficient, its onboard code properly runs the device without

    • by Anonymous Coward

      Sounds like you're assuming devices have perfect security. I expect most devices will fall into Scenario A - where the devices are no longer supported by software updates because they're EOL or the manufacturer has closed shop - but the problems start when devices get exploited. Suddenly you get thousands, or millions, of a class of device becoming members of malicious networks for DDoS, ransomware or general evil.

      How are you going to update or replace the codesigned firmware on these devices when you can't

  • If producers are willfully turning functional devices to waste, make them responsible for recycling the materials of the device as well. Of course the owner should be able to choose an open source upgrade as well to keep it functioning.
  • With 99% of the problem devices being cheap trash imported from China through stores with zero accountability this won't really have much of an impact.