Security IT

'Zombie Devices' Raise Cybersecurity Alarm as Consumers Ignore Smart Tech Expiry Dates

A survey of 2,130 Americans has revealed widespread vulnerability to cyber attacks through unsupported smart devices, with 43% unaware their devices might lose software support. The security threat was underscored in December 2023 when U.S. authorities disrupted a Chinese state-sponsored botnet targeting home routers and cameras that had stopped receiving security updates. Cloudflare separately reported a record-breaking DDoS attack in late 2023, primarily originating from compromised smart TVs and set-top boxes.

The survey, conducted by Consumer Reports, found that only 39% of consumers learned about lost software support from manufacturers, with most discovering issues when devices stopped working (40%) or through media reports (15%). Most consumers expect their smart devices to retain functionality after losing software support, particularly for large appliances (70%). However, Consumer Reports' research found only 14% of 21 smart appliance brands specify support timeframes, while an FTC study of 184 devices showed just 11% disclose support duration.
This discussion has been archived. No new comments can be posted.

  • Easy fix (Score:5, Insightful)

    by Baron_Yam ( 643147 ) on Friday February 07, 2025 @12:28PM (#65149975)

    STOP HAVING EVERY DAMN THING NEED INTERNET ACCESS.

    For fuck's sake, let's have a standard where all your devices use non-routing protocols and have to connect to a local server before a connection to the world can be established.

    Now you have only one central device to keep updated, and 90% of its job is, from the very beginning, to keep those other devices isolated and protected.

    • I feel like there needs to be some regulation here for national security purposes... If you release a smart device (probably need to define what that is) you are required to support it for X amount of time, with a SLA on how fast those updates come in, and intentionally brick it once you have stopped performing updates.

      This would encourage smarter choices like not exposing devices to Wifi and using things like Zigbee instead. Or maybe some sort of advertising protocol that routers would automatically harden

    • by tlhIngan ( 30335 )

      For fuck's sake, let's have a standard where all your devices use non-routing protocols and have to connect to a local server before a connection to the world can be established.

      There are several. Apple HomeKit, Matter, Zigbee are all local protocols that by default don't even touch the Internet. If you want, you have to enable a gateway device, of which there are many available. I believe even Home Assistant supports all of them.

      The problem is, it's hard to do. Apple demands a lot - your devices have to be

      • Comment removed based on user account deletion
      • True enough. I'm an IT geek, so of course I built a 'smart' home. Sensors and switches everywhere. The ones that need to be secure are Zigbee, the ones that don't are 433MHz. My cameras are wired. They all go through my Home Assistant, and only my Home Assistant is allowed to talk to the Internet.

        I made the mistake of letting my vacuum talk to the Internet for 30 seconds, and it pulled a mandatory update that removed existing functionality. (Fuck you sideways, iRobot)

    • Comment removed based on user account deletion
    • by AmiMoJo ( 196126 )

      It exists, it's called Matter. Doesn't need internet access, connects to a local server.

    • Great idea. Just as soon as we give everyone CS classes, teach them the basics of networking, move to IPv6 in order to abolish CG-NAT.

      The reason everything has internet access and is provisioned via the cloud is because we broke it. People expect networks to work seamlessly whether they have wifi on or off, and when they walk out of their house. People expect to be able to access their devices despite having a non-routable public IP. People expect to be able to set all this up themselves with simple clicks

    • STOP HAVING EVERY DAMN THING NEED INTERNET ACCESS.

      NO. WE WANT YOUR DATA AND THE ABILITY TO STOP THE DEVICE FROM WORKING AT ALL SO WE CAN GET MORE OF YOUR MONEY.

      Since they have more money than you, the message is: SHUT THE FUCK UP ASSHOLE. WE ARE DOING BUSINESS HERE.

      lol, if there were ANY government officials who gave the slightest bit of crap about the societies they lived in, none of this would be an issue. Instead, it is GREED GREED GREED.

  • The core fallacy (Score:5, Insightful)

    by JamesTRexx ( 675890 ) on Friday February 07, 2025 @12:36PM (#65150007) Journal

    There are no such things as "smart" devices.
    Only gullible consumers.

    • What's even more eye opening is how many consumers expected their products to retain their usefulness after losing software support.

      Holy shit, you mean people paid a ton of money for something and just expected it to keep working? What fools!

      Incidentally, the oldest embedded devices I have were plugged in 20-odd years ago and haven't missed a beat since. This is proper embedded hardware and software, not something shovelled onto a Raspberry Pi.

  • Forever (Score:5, Insightful)

    by merde ( 464783 ) on Friday February 07, 2025 @12:39PM (#65150011)

    In days of old, if I bought a fridge or a TV or a dishwasher I expected it to work until it broke down and the cost of repair exceeded the cost of replacement.

    As a consumer, why should my expectation be any different now?

    As a computer guy I understand about software vulnerabilities... which is why my (85 inch, expensive) TV set and fancy receiver are not connected to any network and all streaming is performed by a cheapo Amazon TV stick which can be replaced as necessary. The TV works just fine as a dumb monitor, and can continue to do so until it fails. And if the TV stick/disc player/HTPC get too old to be supported they are easy and cheap to replace.

    Of course, all the manufacturers want us to buy a new TV every few years so will schedule "end of life" to maximise shareholder value, so this problem is not going to go away in a hurry.

    • I use an expensive but great Miele dishwasher. It's now 15 years old and has no smarts. I have no plans on replacing it. However, it's very valuable to me to be notified when the dishes are done. To that effect, I installed a $15 energy monitoring smart plug - a Kasa KP125. It has a local API. I set up an automation in home assistant which does the notification based on wattage used. Works perfectly. If the smartplug stops being supported, I can block it from internet access, or just replace it as it's not

    • Just wait until your next TV demands always-up connection to the cloud before showing anything on the screen. Because "smart" TV, of course.

    • Those devices work just fine even without the smart functionality. Your consumer expectation remains intact.

    • Of course, all the manufacturers want us to buy a new TV every few years so will schedule "end of life" to maximise shareholder value, so this problem is not going to go away in a hurry.

      If you had any government officials who gave the slightest shit about the societies they managed, then this would not be an issue. Instead, they get bribes and kickbacks and the ability to send money to their friends and associates. Corruption has ruined the modern world and will soon be sending it into a death spiral. Enjoy the celebration of greed going on. You may as well join in; otherwise, you are just food for the machine. (but you are food for the machine regardless)

  • ...run away
    Avoid so-called "smart" devices that require cloud or server support, ALL of them.
    Only use devices that don't connect to the internet and maintain full function when used locally.

    • by merde ( 464783 )

      Avoid so-called "smart" devices that require cloud or server support,

      This is hard to do if the objective is to stream Netflix or Spotify...

      • You buy a $30-60 streaming stick for that which can be just as cheaply replaced. Building something like that into a TV is wasteful planned obsolescence.
      • You can in many cases stream local content from a NAS, though. For music, I do that using Music assistant on Home assistant. I also stream from Qobuz. They also let you purchase content and store it locally, DRM free.

        For video content, Plex works, to some degree. I use it to record and watch OTA content. The laser in my optical drives is getting weak, and it may be time to rip all those DVD/BD/UHD BD to my NAS, also.

        An HTPC with Jriver still does a far better job than any stick for video, though, in terms o

      • Comment removed based on user account deletion
  • by bradley13 ( 1118935 ) on Friday February 07, 2025 @12:44PM (#65150021) Homepage
    Companies dropping support for IoT devices is a mess. People don't expect parts of their house to expire.
    • by kqs ( 1038910 )

      This is the main thing. When I replace a light switch, I expect it to last for decades, not months. When I buy a washer or microwave, same thing.

      • You can use dumb appliances with energy monitoring smartplugs to get smart functionality. All my plug-in kitchen appliances work that way. The hardwired induction cooktop does not. I have not researched how to make it smart.
        My double oven is hardwired. Last year, I replaced the 28 year old model with a smart one. Top rated GE model in consumer reports. Unfortunately uses cloud for smarts. Costco won't take it back when Haier drops the cloud support because it's been over 90 days. I really love the oven, t

  • If a "smart" appliance doesn't have a life cycle of at least 15 years, then the company that made it is running a scam.

    • The US government considers something a "durable good" if its average life is at least 3 years.

      • Figures. When I was in econ that was 10 years low, 20 years midpoint.

        If your fridge only lasted 35 years you had no right to complain.

        They would probably reduce it to "lasts beyond the manufacturer warranty" if they could.

        Like how a vaccine had to prevent infection and transmission until three years ago.

        This is why textual analysis is a bankrupt interpretation of law.

        • by Anonymous Coward

          I remember when people used to be able to stay somewhat on topic and not turn a thread about shitty IoT devices having the absolute most predictable outcome ever into an ignorant anti-vaxx screed.

  • What is the point? My current fridge is 15 years old. It is still a decent fridge. It doesn't need replacing. I would rather have a fridge that lasts, than a fridge that needs to be replaced on a schedule like a smartphone. Same with the washing machine and the coffee machine. Not everything needs to be disposable.
  • Why are you blaming users? The manufacturers have made vulnerable devices, they are at fault.
  • If I put a camera outside my house it is going to stay there forever. If someone wants to take it down they are going to have to bring a ladder and a cop with a court order and a gun. And he's going to have to use the gun. So get out of my life.

    • This is not about anyone stealing your outdated insecure junk.

      But that camera is discontinued and the back doors are long known, everyone is now seeing your life - such as it is.
  • This is a problem intentionally created by companies. They want scheduled obsolescence so they can make more money. And now they also want everything to have a subscription so they can make even more money AND enforce the obsolescence but not update the devices for more than a couple years. What happened to I buy a TV and hook up my device. Then every few years I replace the device and not a whole TV. I do not want to throw away every electronic item in my house every couple of years.
    • by sjames ( 1099 )

      It's kinda like living in the Communist dream of nobody personally owning anything, except instead of the people as a collective owning it, only a few people hiding behind a corporate charter own it all. And you don't get to vote for the real leader, only which guy will be the yes man for the real owners. And they all tell you that anything that would reduce their control for your benefit would be the evil Socialism.

  • For an article on Slashdot it sure low-key villainizes common sense. Why get a new device that's barely better than the one you have, and have paid off? Why use a new device that's poorly programmed, poorly made, and has fewer ways to repair? And "smart" appliances are even worse. Why would anyone need a tv screen for a refrigerator door? There might be some uses for bluetooth programming a microwave, but getting a droid to remove the food and serve it to you still hasn't gotten to an affordable market level.
    • This is NOT a defense of putting medical equipment online per se but it IS a defense of allowing medical equipment to communicate with the outside world:

      Decades ago, back in the days of plain-old-telephone-service, I had a relative with a pacemaker. Once a month, she put a device up to her pacemaker. The other end of that device was an acoustic-coupled (!) modem that transmitted telemetry back to her doctor's office.

      A realistic 21st-century version would have it transmitting telemetry to your phone over s

  • by rsmith-mac ( 639075 ) on Friday February 07, 2025 @02:44PM (#65150501)

    To quote TFA:

    Cloudflare documented that the largest source of traffic used in DDoS attacks appears to come from compromised smart TVs and digital set-top boxes.

    Very few articles, TFA included, do a good job of explaining how zombie devices are getting enrolled in botnets. While CR is right to call out a general lack of software support - and more importantly, a lack of notice for when software support is ending - most devices should not be internet accessible by default.

    Even the most basic consumer routers have inbound firewalls that would prevent attackers from connecting to and taking over a vulnerable device. And while outbound connectivity is less than ideal in some cases, that has historically not been a significant threat vector.

    So what am I missing here? Have we given up on firewalls? There shouldn't be a scourge of TVs that are getting pwned.

    • Most people want to be able to access their smart devices remotely. That is a very important feature. But mom and pop will not set up a home VPN. Their ISP may use CG-NAT and prevent it, also.

      Device makers effectively bypass the firewall. Devices make outbound connections to the cloud server. Apps make outbound connection to the same cloud server. That's how they communicate. Even if you only want to use them locally, in a lot of cases.

      Unfortunately, cloud servers have operating costs. And vendors go bankrup

    • what if your smart tv initiates a connection to an expired domain controlled by criminals?

      Egress firewalling is hard. It is for enterprises with dedicated IT staff, not homes of average Joes or even Slashdot users.
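
An added example, not part of the thread: the egress problem raised in the comments above (devices that only ever call out to a vendor cloud, and a vendor name that later resolves somewhere else) written as a check over DNS logs from an IoT segment. The policy table, log format, device addresses and domain names are all constructed for illustration.

```python
import ipaddress

# Hypothetical per-device policy: allowed DNS suffixes and the networks those
# names resolved into while the vendor service was still maintained.
POLICY = {
    "192.168.50.21": {  # living-room TV (constructed)
        "suffixes": ("tv-vendor.example",),
        "networks": (ipaddress.ip_network("203.0.113.0/24"),),
    },
    "192.168.50.30": {  # smart plug used via local API only: nothing allowed out
        "suffixes": (),
        "networks": (),
    },
}

# Constructed sample log: "<epoch> <device_ip> <queried_name> <resolved_ip>"
SAMPLE_LOG = """\
1738950000 192.168.50.21 api.tv-vendor.example 203.0.113.10
1738950060 192.168.50.21 updates.tv-vendor.example 198.51.100.77
1738950120 192.168.50.21 cdn.adtracker.example 198.51.100.5
1738950180 192.168.50.30 cloud.plug-vendor.example 192.0.2.44
1738950240 192.168.50.99 time.example 192.0.2.1
"""

def name_allowed(qname, suffixes):
    """Match on whole DNS labels so 'eviltv-vendor.example' does not pass."""
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in suffixes)

def audit(log_text, policy=POLICY):
    """Return a list of (device, finding, qname, resolved_ip) tuples."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        _, device, qname, resolved = parts
        rule = policy.get(device)
        if rule is None:
            # A device nobody inventoried is talking from the IoT segment.
            findings.append((device, "unknown-device", qname, resolved))
            continue
        if not name_allowed(qname, rule["suffixes"]):
            findings.append((device, "unlisted-destination", qname, resolved))
            continue
        addr = ipaddress.ip_address(resolved)
        if not any(addr in net for net in rule["networks"]):
            # Allowed name, unexpected address: how a lapsed and re-registered
            # vendor domain looks from inside the LAN.
            findings.append((device, "resolution-drift", qname, resolved))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The same findings can drive a default-deny egress rule set on the gateway; the check itself only reads logs and changes nothing.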

    • So what am I missing here? Have we given up on firewalls? There shouldn't be a scourge of TVs that are getting pwned.

      What you're missing here is that the provisioning of these devices happens via a cloud service. The sale point of something "smart" is that you are able to access it remotely. That means your devices ultimately connect to some remote server. The way they do that presents a risk. That's before you consider some stupid backdoored devices punching holes in your router via UPNP to open up to any idiot out there.

      If firewalls were enough to keep bad guys out we wouldn't have malware.

      • What you're missing here is that the provisioning of these devices happens via a cloud service. The sale point of something "smart" is that you are able to access it remotely. That means your devices ultimately connect to some remote server. The way they do that presents a risk.

        Sure, it presents a risk. But I've also not heard of any major TV vendors getting their cloud service compromised and all of their TVs getting compromised in turn. Especially with these devices increasingly using certificate pinning,

  • by WaffleMonster ( 969671 ) on Friday February 07, 2025 @03:36PM (#65150641)

    All they need to do is make vendors liable for the safety defects in their own products. Vendors should be totally free to walk away from whatever they want except liability.

    If a defect in my toaster causes it to spontaneously combust it doesn't matter that there is a new and improved replacement model or toaster is otherwise out of warranty or support.

    Likewise if a safety defect in a product creates safety risks of data exfiltration, stalking, exploitation by criminal enterprise...etc vendors should not be able to walk away from liability.

    • You've already failed in holding vendors liable by linking this to safety. Safety has a very specific meaning in law, and equating your house burning down and a potentially fatal injury to someone hacking your devices creating a potentially dangerous situation. The problem is who the perpetrator is in the eyes of the law. Your device doesn't hack itself - if it did then the liability link you are drawing would be clear - but rather there's a 3rd party involved with direct liability in the matter. On top of

      • You've already failed in holding vendors liable by linking this to safety. Safety has a very specific meaning in law, and equating your house burning down and a potentially fatal injury to someone hacking your devices creating a potentially dangerous situation.

        "The freedom from injury, harm, danger or loss to personal property whether deliberate or accidental."
        https://thelawdictionary.org/s... [thelawdictionary.org]

        This definition seems to conflict with your claim. It is saying safety is among other things freedom from danger whether deliberate or accidental.

        The problem is who the perpetrator is in the eyes of the law.

        Whatever liability the perpetrator is on the hook for is a separate matter from vendor liability for their product safety failures especially where they knew about the problem and decided not to act.

        Your device doesn't hack itself - if it did then the liability link you are drawing would be clear
        - but rather there's a 3rd party involved with direct liability in the matter. On top of that security vulnerabilities in and of itself don't immediately give rise to the same level of risk.

        Given the scale of the network

    • All of those concepts reduce profits. Find a way to relay that lost money into a government employees hands and you will find those rules in place faster than you could think of them. If you can't find a way to funnel those lost profits anywhere useful, give up, the legislation you are looking for will NEVER appear.

  • It's because the things aren't supposed to have an expiration date at all. Toasters don't 'expire', they make toast until they don't. TVs work until they don't. Even when they reach don't, older consumers remember this strange practice of 'fixing' the device so that it works again.

    This "smart" crap that has an expiration date would, in a just world, be found to fail on the implied warranty of merchantability.

    The only useful "smart" in a TV should be responding to HDMI-CEC so a separate inexpensive smart de
