Consumer Groups Push New Law Fighting 'Zombie' IoT Devices (consumerreports.org)
Long-time Slashdot reader chicksdaddy writes:
A group of U.S. consumer advocacy groups on Wednesday proposed legislation to address the growing epidemic of "zombie" Internet of Things (IoT) devices that have had software support cut off by their manufacturer, Fight To Repair News reports.
The Connected Consumer Product End of Life Disclosure Act is a collaboration between Consumer Reports, US PIRG, the Secure Resilient Future Foundation (SRFF) and the Center for Democracy and Technology. It requires manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.
The groups proposed legal requirements that manufacturers "must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device's end of life," while end-of-life notifications "must include details about features that will be lost, and potential vulnerabilities and security risks that may arise." And when an ISP-provided device (like a router) reaches its end of life, the ISP must remove it.
"The organizations are working with legislators at the state and federal level to get the model legislation introduced," according to Fight To Repair News.
"must notify consumers" (Score:4, Insightful)
Re:"must notify consumers" (Score:4, Interesting)
Fair enough, so you've chosen to have a zombie device. To each their own.
In my case I'd have no problem handing over randomaddress123456@gmail.com to get notifications.
Re: (Score:2)
That's not true. What we are supposed to do is demand that these devices be put into the public domain so we can service them ourselves without fear of litigation.
You can demand all you want, that's not necessarily compatible with IP law. Or what, are we expecting every customer to sign complex NDAs with upstream providers simply because someone doesn't want to push out an update?
I like where you're coming from, but it's frankly unworkable.
Re: (Score:2)
Don't let the perfect be the enemy of the good. Our world would be much better with less "my way or LET THE WORLD BURN" morons.
Try to improve congress, please. (Though plenty of the young folks are worse than the older ones. I'm a fan of replacing the idiots and malicious and corrupt ones, rather than just the old ones, but you do you.) But simultaneously, we should try to improve the zombie IoT problems.
Re:"must notify consumers" (Score:5, Informative)
If you allow devices which auto update, it becomes even easier - an auto update simply downloads a version of software which will inform you of the end-of-life for your device. If you block auto updates, it will inform you you've end-of-lifed it yourself.
Re: (Score:1)
If you allow devices which auto update, it becomes even easier
for the manufacturer to brick it/force you to buy another one/remove features....
Re: (Score:2)
If you allow devices which auto update, it becomes even easier
Yeah, until they try to monetize a feature that is currently free, or they get bought by some other company that mucks with the UI simply for re-branding, or they start to serve ads, etc.
Re: "must notify consumers" (Score:4, Insightful)
Just set it to 25 years after last sale.
Or provide source code for the device.
Re: (Score:3)
Just set it to 25 years after last sale.
Or provide source code for the device.
That's not always possible. Just look at the cluster fuck that was the Winamp open sourcing, which resulted in a lot of proprietary code being published. And when you don't publish that code the software fails to compile.
Re: (Score:2)
The point is to change it so that doesn't happen. Why should all us internet users have to suffer? Why do I care if a manufacturer chose hard-to-open source? Open it!
Re: (Score:2)
That is not a change *you* can decide to make. IP law is rife in the supply chain. What do you propose, force millions of end users to suddenly have to sign NDAs to keep using their device because its use depends on a specific Broadcom driver that can't be shipped in any other way? Or are you happy with providing a "solution" that doesn't work in the form of half the code missing?
if there is an IOT device zombied (Score:2)
Re:if there is an IOT device zombied (Score:5, Insightful)
Part of the problem is how would an ISP detect all types of malicious traffic without encryption-busting deep-packet-inspection tech? Not all of these exploits are generic DDoS attacks.
The evil bit makes this simple (Score:4, Funny)
The evil bit [wikipedia.org] defined in RFC 3514 [ietf.org] (2003) can be used for this.
Re: (Score:1)
i think the owner's ISP should be able to
Yeah, nah. I don't want my ISP doing *anything* to my traffic besides routing and passing it. If I'm breaching their TOS they can let me know/enforce the TOS.
That's easy for most devices (Score:4, Interesting)
Software updates usually stop before the product hits the shelf
Re:That's easy for most devices (Score:5, Funny)
I'm still getting regular updates for years-old Lenovo hardware. It really depends on the company:
Cisco: You will get updates for a few years if you pay us 5x the original purchase price in rental fees.
HP: We will send you updates that will reduce functionality and/or brick your device.
Microsoft: We will update for a while but then force you to discard your entire IT base and buy new stuff that's essentially exactly the same as what we just forced you to throw out, with the version number incremented by one.
TP Link: Updates? Hey Siri what does "update" mean?
Draytek: We still provide updates for things powered with steam.
Feel free to extend with other companies.
Re: (Score:3)
Feel free to extend with other companies.
Samsung: Our dedicated update team ensures that you get *timely* updates, where 'timely' means "the least convenient time possible", and 'update' means "additional functionality that zero customers asked for, but adds useless icons and notifications".
Apple: "Our updates are generally innocuous, and you don't *have* to take them, but good luck getting any new apps, since all the app developers are going to mandate the new version"
Firefox: "Our update addresses the most important function a browser can have:
Re: (Score:3)
I had a genuine chuckle at most of those, but what do you mean by "where 'timely' means 'the least convenient time possible'"? I have never once had a Samsung device force an update or interrupt what I'm doing. They universally provide a notification and then the option to update when you want. That includes my TV, by the way. There's always been a "later" button.
Re: (Score:2)
I'll concede that the last time I had a Samsung phone running Samsung firmware, it was in the Lollipop days, and when they had an update it was "install now" or "remind me in four hours". The nag would overlay on whatever you were doing at the time, and there was no way to schedule or deny the update (4.4.4 was when Android peaked, IMO).
I'm sure they've gotten better, likely adopting Apple's method of scheduling updates for 3AM while charging or some such, but for a while there, they were particularly bad.
Re: (Score:2)
I'll concede that the last time I had a Samsung phone running Samsung firmware, it was in the Lollipop days, and when they had an update it was "install now" or "remind me in four hours".
Having gone through this literally last week, it's "Install now" or "Schedule" and it comes up only on device unlock; otherwise it gets sent as a notification (which can also be swiped away). Personally I typically just hit the Schedule button and then set it to something like 4am. Alarms still work when the phone is locked and freshly booted.
That said there's no way to say you don't ever want that particular update. If you swipe away the notification it appears again a few days later. But it doesn't interrup
Re: (Score:2)
The Firefox one is a particular favourite, that pretty much sums up their updates. Oh, and while we're at it:
Signal: We'll send you a 300MB update to our chat app every other day that has no new features or changes but reminds you that we're still alive. If you don't keep constantly applying each update, the app will stop working.
Re: (Score:2)
Obligatory https://www.youtube.com/watch?... [youtube.com]
Right to Update (Score:5, Insightful)
When a company drops support for a product, they should be required to release information to allow owners to update to open source software. Details of how to make this work are tricky, and it might not help much unless there is enough of a community to develop and distribute hacked firmware that uses alternate servers or whatever.
Re: (Score:2)
They should have to put the full toolchain needed to get from the source to the code on the device into escrow in order to put the device on the market, and it should be automatically released when the device has been off the market for a year or the IP rights expire, whichever comes first. Servers are your problem, but what is needed to make use of the device itself should be mandatory.
The problem then becomes what licenses they are allowed to use, which is a lumpier problem because of the toolchain bits.
Re: (Score:2)
It might be best not to release certain keys for code signing, but users still need a way around it.
Re: (Score:2)
It might be best not to release certain keys for code signing, but users still need a way around it.
If the platform has code signing, then that's a feature you should be able to use: the necessary keys have to be part of the release as well, and you should be able to change the keys.
Re: (Score:3)
They should have to put the full toolchain needed to get from the source to the code on the device into escrow in order to put the device on the market, and it should be automatically released when the device has been off the market for a year or the IP rights expire, whichever comes first. Servers are your problem, but what is needed to make use of the device itself should be mandatory.
This right here is the solution. We can all pack up and go home; this is the EXACT right answer.
Re: (Score:3)
This even fixes the problem that they aren't really looking at - the whole premise of this is that a company just EOLs support in favor of new crap. They aren't thinking about "the company cakes its pants, and nobody is left to do any of the work necessary to open the ecosystem for long-term life."
If that work is done previous to go-to-market, even a product from a company that cakes its pants and shuts off the servers on a Tuesday night would still be useful.
I used to do video surveillance cameras (Score:2)
Most of them were EOL the day you bought them. They crank them out by the millions, recompile the stock China Inc. software to work with whatever, and then they are gone. And good luck getting a big company to give up their secrets.
Re: (Score:2)
You work for ADT, or one of the other low-cost installers?
This is why you buy Axis or Pelco cameras: ten years of support and management tools to maintain large numbers of installed devices. I've worked with fleets as large as 18,000 Axis cameras, and updated firmware on all but the 100 oldest (which were scheduled for replacement anyway) in under 3 months. If you run a Pelco Endura system, a former co-worker upgraded firmware on 1,500 cameras overnight. Axis and Pelco seem to also be the only major ma
Wrong administration (Score:5, Insightful)
Maybe the next one will be more open to this kind of consumer-friendly legislation.
Must remove? (Score:4, Interesting)
Re:Must remove? (Score:4, Informative)
I just read the summary, so forgive me if I am wrong, but the only devices that would be physically removed are the ISP-provided devices that you likely don't own anyways.
For example, ISP A "leases" their router to you every month for your internet connection. Assuming you use it and not your own, if that piece of hardware goes obsolete then the ISP has to remove it also implying that they would need to give you a newer, non-obsolete one.
Zombie product repository and servers ? (Score:3)
Some observations.
Then a question for all - is there any actual implementation of these ideas already extant or underway?
Discounting all the cynicism, exploit concerns, company bad faith, and other "dark" issues, this is a legitimate concern.
Even if a company made a good product, useful, no spying, honestly supported the product, etc. - BUT - they then go out of business, what happens to the products and users?
Scenario A. If the product is self-sufficient, its onboard code properly runs the device without need for updates or internet dependencies, then it doesn't matter that the company is out of business. It just won't get new updates if that had been the case previously, but the device still works.
Scenario B. The product has some legitimate reason to contact the company servers as part of its legitimate core functions. If the servers go quiet, the device no longer works as intended.
(I don't know what such "legitimate" needs might be, which is why I would love to get responses from people who would know, but for now, this is just abstract imaginings).
Scenario A is not really a problem. Zillions of devices have been made, used, and then the company disappears, or the product is discontinued, but the items already in the field keep working until they break, become obsolete, or the customer stops using them. (I have a million old calculators and outdated phones that still work just fine. I even have old CRT TVs that work fine except there is no signal to receive.)
Scenario B - that IS a problem for users who need the device and count on it working.
So, it seems to me, the question is how do you keep software and server support live for these devices when the companies go zombie?
Fantasy Suggestion 1 : Have a third party repository and server farm. It could be a private business, government, a standards agency, industry consortium, not-for-profit, etc. Hardware tech companies should be required by law that if they are going out of business, they have to make a public disclosure, notify customers, etc., but also notify the product support agency (PSA). If the company's demise is inevitable, then the software and server functions are picked up by the PSA. No updates, security fixes, etc., would be forthcoming in the future, but the devices would work at their current level. Companies need not share, post, disclose, host or do anything with the PSA until they are in a state of bankruptcy or shutdown. But, they would be obligated to sign onto this arrangement before receiving certification to sell their product in the first place. How would it be funded? By a tax on the device sales, or a licensing fee that the companies pay to participate in this arrangement, which would be a contingency of their products being approved for market.
Fantasy Suggestion 2 : Mandate by federal legislation that all such devices have, by design, one or two operational modes. Mode 1 would be equivalent to scenario A - the device just works no matter if connected or not to MomCorp. Mode 2 allows the device to communicate with MomCorp servers, which might allow certain additional functionality, but in the event MomCorp goes out of business or discontinues support for that device, it will revert to Mode 1 for ongoing core functionality without future updates. A company that fails to build this functionality by design will not get permission to sell their product.
Many industries have certification standards that manufacturers must build to in order to market their products - transportation, aviation, pharma, medical devices, industrial products, electrical products, radio and communication devices, etc. IoT might be relatively new, but the concept of standards and certification is certainly not. The two just need to catch up with each other - politics, corruption, stupidity, greed, lack of good citizenship, and other BS aside for the moment.
But, the idea of a company or agency running zombie product farms does seem new to me - which is why I would love to hear from others. It
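The Mode 1 / Mode 2 design sketched above, together with the "features that will be lost" content the summary says an end-of-life notice must carry, as an added illustration that is not part of the original post: a device keeps its core functions unconditional and drops only the cloud extras when the vendor service goes quiet or the disclosed support window closes. All feature names, dates and the failure threshold are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Constructed feature sets: core functions must never depend on a server.
CORE_FEATURES = {"motion_alarm", "local_recording"}
CLOUD_FEATURES = {"remote_view", "cloud_backup", "voice_assistant"}

class Mode(Enum):
    LOCAL = 1       # "Mode 1": works with no vendor contact at all
    CONNECTED = 2   # "Mode 2": cloud features layered on top of the core

@dataclass
class Device:
    support_until: datetime          # vendor-disclosed end of support (constructed)
    failures_before_fallback: int = 3
    consecutive_failures: int = 0
    mode: Mode = Mode.CONNECTED
    transitions: list = field(default_factory=list)

    def record_cloud_attempt(self, reachable: bool, now: datetime) -> Mode:
        """Re-evaluate the mode after one attempt to reach the vendor service."""
        if now >= self.support_until:
            # Support window over: stop depending on the vendor even if it answers.
            return self._enter(Mode.LOCAL, "support window ended", now)
        if reachable:
            self.consecutive_failures = 0
            return self._enter(Mode.CONNECTED, "vendor service reachable", now)
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.failures_before_fallback:
            return self._enter(Mode.LOCAL, "vendor service unreachable", now)
        return self.mode

    def _enter(self, mode: Mode, reason: str, now: datetime) -> Mode:
        if mode is not self.mode:
            self.transitions.append((now.date().isoformat(), mode.name, reason))
        self.mode = mode
        return mode

    def feature_available(self, feature: str) -> bool:
        # Core features are unconditional; cloud features only while connected.
        if feature in CORE_FEATURES:
            return True
        return feature in CLOUD_FEATURES and self.mode is Mode.CONNECTED

    def eol_notice(self, now: datetime) -> dict:
        """What a disclosure should tell the owner: when, and what is lost."""
        return {"support_until": self.support_until.date().isoformat(),
                "days_remaining": max((self.support_until - now).days, 0),
                "features_lost": sorted(CLOUD_FEATURES),
                "features_kept": sorted(CORE_FEATURES)}

def simulate_lifecycle() -> dict:
    """Constructed timeline: an outage, a recovery, then the support window closing."""
    t0 = datetime(2030, 1, 1, tzinfo=timezone.utc)
    dev = Device(support_until=t0 + timedelta(days=365))
    trail = [dev.record_cloud_attempt(ok, t0 + timedelta(days=d)).name
             for ok, d in [(False, 1), (False, 2), (False, 3), (True, 4), (True, 400)]]
    return {"modes": trail, "transitions": dev.transitions,
            "alarm_after_eol": dev.feature_available("motion_alarm"),
            "remote_after_eol": dev.feature_available("remote_view"),
            "notice": dev.eol_notice(t0 + timedelta(days=300))}
```

Run `simulate_lifecycle()` to see the device fall back to local mode after three failed contacts, return to connected mode once the service answers, and stay local for good once the support date passes.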
Re: (Score:3, Insightful)
Sounds like you're assuming devices have perfect security. I expect most devices will fall into Scenario A - where the devices are no longer supported by software updates because they're EOL or the manufacturer has closed shop - but the problems start when devices get exploited. Suddenly you get thousands, or millions, of a class of device becoming members of malicious networks for DDoS, ransomware or general evil.
How are you going to update or replace the codesigned firmware on these devices when you can't
what about a local server for some online stuff? (Score:2)
what about a local server for some online stuff? With maybe different keys in the last update pushed to devices.
Make them responsible for waste disposal too (Score:4, Insightful)
Pointless (Score:2)
With 99% of the problem devices being cheap trash imported from China through stores with zero accountability this won't really have much of an impact.
Re: (Score:3)
I agree. Very pointless.
It will do nothing to stop manufacturers from creating zombie devices at their convenience in the first place. Or provide consumer remedy for any zombie devices a manufacturer creates.
The only effect this law seems destined to create is increased instances of data rape; do you really want to go all in with your personal info to China or some other sleaze bag fly-by-night reseller company?
Simplest answer: no IoT (Score:2)
At the very least, if they won't sell you one without that crap, do not connect to your wifi. If you don't know if you need another half-gallon of milk, you need to be back with your parents.
Replacing garbage POS routers, yes! (Score:2)