A recent report by Consumer Reports has shed light on the growing threat of 'zombie' smart home devices, which can potentially fuel botnet attacks and compromise national security. The report highlights the need for manufacturers to provide expiration dates for software support, ensuring that consumers are aware of the risks associated with using outdated devices.
As connected devices in our homes, such as smart TVs, thermostats, and appliances, grow old and stop receiving security updates, they can become targets for hackers looking to fuel botnet attacks. These attacks can bring down servers or websites via distributed denial-of-service (DDoS) attacks, potentially taking useful services or critical infrastructure offline for extended periods. IoT gadgets have been involved in several attacks over the years, including the infamous Mirai attack nearly a decade ago.
The good news is that most smart appliances are designed to carry out their primary function without an internet connection, so disconnecting them from Wi-Fi can mitigate the risks. However, devices like Wi-Fi routers, smart speakers, and streaming sticks require internet connectivity to function, and if they're not receiving security updates, you should stop using them immediately.
A new survey by Consumer Reports shows that over 40% of Americans are unaware that their smart gadgets might lose software support one day. Nearly 70% of the 2,130 people surveyed believe that smart appliances should continue to work even after losing support. The consumer advocacy publication is calling for companies to provide a minimum guaranteed support timeframe for any connected product – an expiration date, so to speak.
While smartphone and PC manufacturers are fairly good at alerting customers when their devices have reached their end of life, few manufacturers of smart home devices publish the expiration dates of their products or reliably inform customers when a device is no longer receiving software updates. According to Consumer Reports, less than 40% of those surveyed learned that a device they owned had lost support through a notification from the manufacturer.
Some companies, such as Amazon, Google, and Signify (the manufacturer of Philips Hue lighting), are making good-faith efforts to provide software lifespans. For example, Philips Hue states it will continue to support its lightbulbs with security updates for a minimum of five years from the day you buy them. However, only 3 out of 21 appliance brands publicize how long they guarantee updates to their appliances' software and applications.
The Federal Trade Commission (FTC) is also paying attention to this issue. Last year, it issued a report stating that almost 90% of connected devices it reviewed didn't offer information on how long software support would be provided and that this could be a violation of federal law.
One potential solution lies in the US Cyber Trust Mark Program, which the FCC launched last month. The mark provides details about a product's security, including its "minimum support period end date." This data can be easily updated by a company, making it more fluid than stamping an expiration date on the product. However, the Cyber Trust Mark Program is brand new and voluntary, meaning there's no guarantee you're going to see one on your next smart TV.
Considering the potential far-reaching security concerns around these zombie devices, there's a strong argument to be made that companies should be forced to provide this data. Whether that's using the Cyber Trust Mark, the Product Security Verified Mark being developed by the Connectivity Standards Alliance, or through other forms of legislation, this is a problem that needs a solution.