Lawmakers are pushing to make companies tell customers when their products will die

Tuesday two Massachusetts lawmakers have introduced bills in the state House and Senate that, if passed, would create a state law requiring companies to tell customers when service on their connected products ends. It is an effort aimed at reducing cybersecurity risks as well as enhancing consumer protection. With knowledge of future support, consumers can purchase a device with confidence, knowing how long they can expect it to work reliably, and when they plan for eventual obsolescence.

The pieces of the proposed legislation, collectively called the Consumer Connected Devices Act, were introduced by Massachusetts Senator William Brownsberger and State Representative David Rogers in their chambers.

“Our daily lives have become intertwined with smart devices,” Rogers says in an emailed statement to WIRED. “Once a company decides it will no longer provide software updates for these devices, they become time bombs for hackers to exploit. We must ensure consumers have the tools to understand their devices, and the risks, before they buy them.”

State Senator Brownsberger’s office granted our request for comment but has not yet responded.

The bills arrive nearly a year after a joint report from advocacy groups Consumer Reports, US PIRG, and the nonprofit Secure Resilient Future Foundation, which encouraged lawmakers to support policy that would notify customers when their connected products stop working. This includes a wide range of smart home devices, such as Wi-Fi routers, security cameras, connected thermostats, and smart lights. While it is a proposed state law for now, supporters hope it will inspire more legislation like it in the near future.

“Almost everyone has a story about a device they loved that suddenly stopped working the way they thought it would or just died,” says Stacey Higginbotham, policy fellow at Consumer Reports. “Your product is now connected to the manufacturer via this software tether that determines how it performs.”

The laws in Massachusetts, if eventually passed, would require manufacturers to clearly disclose on product packaging and online how long they will provide software and security updates for a device. Manufacturers will also need to notify customers when their devices are approaching the end of their service life and inform them of features that will be lost and potential security vulnerabilities that may arise when regular support ends. Once a device stops getting regular updates, it becomes more vulnerable to cyberattacks and becomes a vector for malware.

“This is an issue that is becoming more apparent as the Internet of Things advances,” says Paul Roberts, a Massachusetts-based president of SRFF who has worked with lawmakers. “This is inevitable. We cannot leave them there connected and beyond repair.”

Wi-Fi has been common in the home and office for more than two decades, which means there is a rapidly growing number of older devices still connected to the Internet that likely haven’t received security updates in years. These zombie gadgets — routers, sensors, connected devices, and home security cameras — have become vulnerable to attack by their unsuspecting owners.

“We’re trying to reduce the attack surface,” Higginbotham says. “We can’t prevent it, but we want to give consumers awareness that they may be hosting something. Essentially, they have an open door that can no longer be closed.”

The bills’ focus on cybersecurity also has the benefit of attracting the attention of people who might be concerned about that kind of thing — like US lawmakers.

“I hope lawmakers can easily get around this and understand the problem here,” Roberts says. “And support the solution.”