The Expert's View with Jeremy Kirk


Smart Devices: How Long Will Security Updates Be Issued?

Survey Shows Long-Term Software Support Varies Widely
A photo illustration of Samsung's SmartThings app with a connected refrigerator (Photo: Samsung)

If you've managed to equip your home with smart devices and appliances that work properly, you probably think you're all set. But a critical question about connected devices is how long they will be supported. Security problems will inevitably emerge, which will pose risks to personal data or threaten a device's functionality. Will manufacturers promptly patch those devices?


The U.K. consumer watchdog and testing organization Which? warns that manufacturer support for security updates could run out long before an appliance dies a natural death.


The organization asked major smart appliance manufacturers how long software updates will be provided. The answer most provided - "the life of the product" - raises more questions than it answers.

While most countries have consumer protection regulations that could be applied to smart devices, there generally are no hard and fast laws specifically for IoT. Also, devices such as washing machines and refrigerators have a potentially long life span, usually much longer than a laptop or desktop computer.

If a software component becomes vulnerable, the device could stop working due to a malicious attack. Or it could get roped into a botnet and used for misdeeds such as distributed denial-of-service attacks, as we saw with video cameras used for the Mirai botnet four years ago (see: New Mirai Variant Exploits NAS Device Vulnerability).

Software Support: Unknown

Which? posed questions to Beko; BSH, which makes Bosch, Neff and Siemens branded products; Hoover/Candy; LG; Samsung; Miele; and Whirlpool, which also makes the Indesit and Hotpoint brands.

Most deferred to saying a product will be supported through its lifetime. Samsung told Which? that it would provide updates for a minimum of two years, while Miele said it would offer 10 years of security updates for smart appliances.

The researchers point out that none of the brands actually specify in written policies how long they would provide updates, which doesn't give consumers a lot of transparency nor leverage if something goes wrong.

Europe's automobile industry is bound by regulations for supporting vehicle components to ensure consumers have access to critical parts, says Brad Ree, CTO of ioXt and board member with the ioXt Alliance, which is a trade group dedicated to securing IoT devices. But Ree says with connected devices, no regulator has yet made the leap to ensure that the software is supported for an extended period.


"Right now, consumers really don't know how long the product is going to be supported," Ree says.

That's critical because smart devices cost more than devices without software control features.

The U.S. is trying to nudge manufacturers in the right direction. Two years ago, the National Telecommunications and Information Administration created a document about what type of information companies should clearly communicate to consumers before they buy a smart device.

The voluntary recommendations include describing whether and how a device receives security updates and the anticipated timeline for the end of security support. The NTIA also recommended that manufacturers tell consumers how they will be notified about security updates, what happens when the device no longer receives support and how the manufacturer ensures the integrity of the updates.

What's a 'Reasonable' Support Period?

The U.K. has a similar tenet in its Code of Practice for Consumer IoT guidelines for manufacturers. It recommends vendors publish an end-of-life policy that explicitly states the minimum length of time that a device will get updates as well as a justification for the duration of the support period.

Australia doesn't have a law covering IoT devices. I asked the Australian Competition and Consumer Commission, which regulates commerce, how the problem intersects with existing consumer regulations.

The ACCC says that generally, products sold must be safe, have no faults and last a reasonable amount of time. When it comes to connected appliances and software upgrades, again, those must last "for a reasonable amount of time," the agency says.

So what's reasonable?

"What is considered a reasonable amount of time for these products to last will differ in each case, as it takes into account individual circumstances, including the type of product and how it was used," the ACCC says.

The ACCC advises that consumers buying connected appliances ask about the length of time the software will be supported and the limitations on that support. Also, it's important to ask if the device will still function after software support stops, which could give rise to safety issues.

Good luck getting an answer to that kind of question from a salesperson if you shop at a Harvey Norman in Australia, a Best Buy in the U.S. or an Argos in the U.K. If the manufacturers haven't made that information available, asking questions won't help.

Product Expiration Dates

Matt Tett, of the industry group IoT Alliance Australia and managing director of Enex TestLab, says the long-term outlook for these products remains an open question.


"It's not an easy problem that consumers and the supply industry are facing," Tett says. "But it is one that needs to be addressed before the spectre of a security vulnerability raises its head."

Tett says one avenue to explore is whether consumers would pay for ongoing maintenance subscriptions if the alternative is that the manufacturer disconnects the backend service that keeps a device running.

Ree says that his trade group, the ioXt Alliance, recommends that manufacturers include an end-of-life policy and an expiration date for IoT products.

Manufacturers usually require their own suppliers to give advance notice if they plan to discontinue a critical component, Ree says. That tenet should also apply to the relationship with consumers.

"If you as a manufacturer hold your suppliers to that, then you should be held by your customers to the same thing," Ree says.

Because most IoT initiatives are now voluntary for manufacturers, perhaps public pressure is the best way to get companies on board. Twitter isn't a bad start, because companies tend to pay attention to consistent flows of focused tweets. Perhaps a hashtag: #whenIoTdies.

And if you hear of a connected device that's still viable but is no longer receiving important security updates, please get in touch with me. Let's keep smart devices safe.



About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
