The pieces of the proposed legislation, collectively named an Act Relating to Consumer Connected Devices, were introduced by Massachusetts state senator William Brownsberger and state representative David Rogers in their respective chambers.
“Our daily lives have become intertwined with smart devices,” Rogers says in a statement emailed to WIRED. “Once a company decides it will no longer provide software updates for those devices, they become a time bomb for hackers to exploit. We must ensure consumers are given the tools to understand their devices and the risks before purchasing them.”
State Senator Brownsberger’s office has acknowledged our request for comment but has not yet responded.
The bills come nearly a year after a joint report by advocacy groups Consumer Reports, US PIRG and the nonprofit Secure Resilient Future Foundation encouraged lawmakers to support a policy that would notify customers when their connected products stop working. This includes a wide range of smart home devices like Wi-Fi routers, security cameras, connected thermostats, and smart lights. Although this is just a proposed state law, supporters hope it will inspire more such laws in the near future.
“Almost everyone has a story about some device they love that suddenly stopped working the way they thought it would or just plain shut down,” says Stacey Higginbottom, policy fellow at Consumer Reports. “Your product is now connected by this software tether to a manufacturer that decides how it will perform.”
The law in Massachusetts acts, if ultimately passed, to require manufacturers to clearly disclose on product packaging and online how long they will provide software and security updates for a device. Manufacturers will also be required to notify customers when their device is approaching the end of its service life and inform them about features that will be lost and potential security vulnerabilities that may arise when regular support ends. Once a device stops receiving regular updates, it increases the risk of cyber attacks and becoming a carrier of malware.
“This is an issue that is becoming more apparent with the age of the Internet of Things,” says Paul Roberts, president of SRFF and a Massachusetts resident who works with lawmakers. “It’s inevitable. We can’t leave them connected and unpatched.”
Wi-Fi has become commonplace in the home and office for more than two decades, which means there is a rapidly growing population of older devices still connected to the Internet that likely haven’t received a security update in years. These zombie gadgets—routers, sensors, connected devices, home security cameras—are left vulnerable to attack by their unsuspecting owners.
“We’re trying to reduce the attack surface,” says Higginbotham. “We can’t stop it, but we want to give consumers the awareness that they can host something. Basically, they have an open door that can no longer be closed.”
The bill’s focus on cybersecurity also has the advantage of attracting the attention of people who might worry about this kind of thing – such as US legislators.
“I’m hoping that legislators will be able to easily understand the issue and understand the problem,” says Roberts. “And pursue solutions.”
<a href