End of Life, Unsupported IoT Devices

perspectives

August 4th, 2020

#iot

We often read about keeping the software and firmware in our computers and electronic devices, including Internet of Things (IoT) devices, up to date. But how many of us check to see if a device we own or are responsible for has reached its end of life or is otherwise no longer supported?


Our home and business networks contain a growing number of remarkable IoT devices that help us in our daily tasks. Thermostats are now offered with Internet connectivity and with associated smartphone apps and browser controls to manage comfort. These devices can also be useful for monitoring remote vacation homes, or for monitoring of offices by a central operations group. Internet-connected lawn irrigation systems, smart televisions, streaming media players, and smart speaker systems are all common. Security systems and cameras connect us to our properties and often to monitoring services, including law enforcement. We can remotely open and close garage doors to provide access to a service person while watching their actions on the connected camera.


We add such devices to our home and business environments for the great conveniences and functions they provide. However, not everyone is aware of how critical it is to maintain them. IoT devices are vulnerable to new security issues, which can negatively impact physical and computer network security. Software and firmware are complex, often built with common shared libraries of code and Operating Systems (OS) to help reduce the complexity and cost of development. Over time, what was once considered secure code can be discovered to contain security vulnerabilities. This approach of using common code and OSs can result in many types of devices being vulnerable when a new security issue is discovered in a shared common code library. When a security vulnerability is discovered, the affected software or firmware must be updated to eliminate the security issue.


How should we ensure these connected IoT devices are regularly updated when needed?


Some devices are almost effortless in this area, as they employ modern security and software designs and will update automatically. Others are not so effortless and require periodic checking and manual updating. For these devices, one must “read the manual” and follow the update process outlined by the manufacturer.


A less well-known category also exists: an IoT device may be declared “end of life” by its manufacturer, or may be left unsupported because its manufacturer is no longer in business. What does a homeowner, a business owner, or network manager need to do in this situation?


Unfortunately, there is no central registry where one can go and check to see if a device is end of life or no longer supported. It is up to the device owner/manager to attempt an update and discover if it is in this end of life or no longer supported category.


If and when you do discover an end of life or unsupported device, the choices are to remove its internet connectivity or possibly replace it with a newer, fully supported model. Removing connectivity may be as simple as unplugging an Ethernet cable, or modifying a configuration to disable wireless connectivity (e.g., turn off WiFi). In some cases, removing internet connectivity is not an option, as there is no interface to manage the device other than via the internet.


A device owner/manager should consider removing the device from service even if they cannot find a notice that an unsupported device contains a security vulnerability. Given the complexity of software, and the practice of reusing code libraries across many types of devices, the chances of a device changing from secure to insecure/vulnerable will increase over time.


Why do devices reach this end of life or unsupported state? In some cases, older models were produced that had a limited number of functions. Over time new functions are added, putting more demand on the original hardware that was designed with limited computing power or memory. Eventually manufacturers can be faced with the reality that older models can’t be updated and place them in an end of life status.


Another reason for a device to become unsupported is simply that a manufacturer goes out of business. In this case, no responsible manufacturer exists to produce a potentially much needed security update.


Some manufacturers are being proactive and will notify registered owners when their devices reach end of life status. Others even go as far as to offer a discount on a newer generation device as an incentive to keep their customer base satisfied as well as secure.


Why should a home or business operator be concerned about end of life and unsupported IoT devices? The simple reason is that eventually many, if not all, IoT devices will be discovered to have some software or firmware security vulnerability. Malicious cyber actors are smart, are always probing networks, and are always searching for newly discovered vulnerabilities that can be exploited. When they find these vulnerabilities, your home or business can be the next ransomware or data exfiltration target. The losses can be financial or personal, ranging from photos to tax records that are encrypted by the malware and cannot be recovered. Damages can be even greater if information is stolen that could lead to identity theft or loss of sensitive customer data.


The takeaway and message to owners and managers of connected IoT devices is to be aware of what they have in their home and business networks. Ensure devices are receiving automatic updates or are manually updated. Register your IoT devices so a manufacturer can contact you with an end of life advisory. And finally, plan on the need at some point in time to disconnect or potentially replace a device that has reached end of life status or is no longer supported.