
Consumer Groups Push New Law Fighting 'Zombie' IoT Devices (consumerreports.org)

(Sunday March 16, 2025 @11:44PM (EditorDavid) from the buying-a-brick dept.)


Long-time Slashdot reader [1]chicksdaddy writes:

> A group of U.S. consumer advocacy groups on Wednesday proposed legislation to address the growing epidemic of "zombie" Internet of Things (IoT) devices that have had software support cut off by their manufacturer, [2]Fight To Repair News reports.


> The [3]Connected Consumer Product End of Life Disclosure Act is a collaboration between [4]Consumer Reports, [5]US PIRG, the Secure Resilient Future Foundation ([6]SRFF) and the [7]Center for Democracy and Technology. It requires manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.

The groups proposed legal requirements that manufacturers "must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device's end of life," while end-of-life notifications "must include details about features that will be lost, and potential vulnerabilities and security risks that may arise." And when an ISP-provided device (like a router) reaches its end of life, the ISP must remove it.

"The organizations are working with legislators at the state and federal level to get the model legislation introduced," according to [8]Fight To Repair News.



[1] https://www.slashdot.org/~chicksdaddy

[2] https://fighttorepair.substack.com/p/consumer-groups-push-law-to-reign

[3] https://advocacy.consumerreports.org/press_release/consumer-reports-us-pirg-and-secure-resilient-future-foundation-propose-connected-consumer-products-end-of-life-disclosure-act-to-address-iot-security-risks/

[4] https://consumerreports.org/

[5] https://pirg.org/

[6] https://secure-resilient.org/

[7] https://cdt.org/

[8] https://fighttorepair.substack.com/p/consumer-groups-push-law-to-reign



"must notify consumers" (Score:4, Insightful)

by Valgrus Thunderaxe ( 8769977 )

I guess that means I need to give them my personal information. That's a non-starter, out of the gate.

if there is an IOT device zombied (Score:2)

by FudRucker ( 866063 )

and it is being exploited remotely, I think the owner's ISP should be able to block the malicious connection, or throttle the connection down to nothing, or sandbox it to neutralize the threat.

Re:if there is an IOT device zombied (Score:4, Insightful)

by darkain ( 749283 )

Part of the problem is how would an ISP detect all types of malicious traffic without encryption-busting deep-packet-inspection tech? Not all of these exploits are generic DDoS attacks.

Re: (Score:2)

by Rockoon ( 1252108 )

Detection has little to do with it.

Re: (Score:2)

by Uldis Segliņš ( 4468089 )

Yes, and road maintenance workers should control what is in bad people's trunks and put extra pressure on their brakes if they have something illegal.

That's easy for most devices (Score:3)

by viperidaenz ( 2515578 )

Software updates usually stop before the product hits the shelf.

Right to Update (Score:5, Insightful)

by crow ( 16139 )

When a company drops support for a product, they should be required to release information to allow owners to update to open source software. Details of how to make this work are tricky, and it might not help much unless there is enough of a community to develop and distribute hacked firmware that uses alternate servers or whatever.

I used to do video surveillance cameras (Score:2)

by ghinckley68 ( 590599 )

Most of them were EOL the day you bought them. They crank them out by the millions, recompile the stock China Inc. software to work with whatever, and then they are gone. And good luck getting a big company to give up their secrets.

Wrong administration (Score:2)

by Tony Isaac ( 1301187 )

Maybe the next one will be more open to this kind of consumer-friendly legislation.

Must remove? (Score:2)

by Uldis Segliņš ( 4468089 )

What is this nonsense? Against my will they remove basic or all functionality, and as a bonus they will take it physically? Win win, yeah! Wtf?! Just open up the server software and someone will support it instead. And the local software as well, so I can remove your buggy crap and put on open-source supported firmware. Solutions of the cleverestest; removal does not solve anything. How exactly do they think a Chinese weird-name company that has closed down will do it?
