Your Appliances Could Retire On Their Botnet Earnings
The report that The Register referenced in their article came from a UK consumer advocacy group by the name of Which?, but sadly their findings will apply across the planet. They took a look at the fine print that came with a variety of smart appliances to see just how long a customer could expect their rather expensive appliances to receive security updates. This is a rather important question, as we have learned from botnets such as Mirai, which famously ran on routers, webcams and other IoT devices. The inevitable vulnerabilities that exist on smart fridges and other appliances can also be used for this purpose, especially if they no longer receive security updates.
Their findings were depressing, if not unexpected, with many manufacturers not offering any clear statement on how long security updates would be pushed out or made available to install yourself. The ones which did offer some sort of timeline offered coverage for a period significantly shorter than the usual lifetime of a major appliance. The best timeline was offered by high-end supplier Miele, who will continue to update your fancy fridges for 10 years, while the worst came from Samsung, who guarantee security updates for up to two years, though they did respond to The Register’s story to state that their updates are not necessarily limited to that deadline.
This leaves those who forked over the extra cash to hook their appliances up to the internet with a lousy choice. The disposal of an appliance is not a simple process once it leaves the consumer’s hands; there are a variety of materials, including rather toxic ones, which need to be dealt with by someone. As well, the resources which go into making the appliance in the first place leave a rather large environmental footprint as it is. This will worsen if appliances are no longer used for the roughly 11-year lifespan we currently expect.
On the other hand, continuing to use an appliance after it is no longer receiving security updates is also rather irresponsible, as the chances that it becomes possessed by an evil electronic spirit will grow every day it remains plugged in. It would also be dangerous to pass an older device on to someone else, either directly, via a refurbished appliance store or even a charity. There are some models that would continue to function without an internet connection, but similar to you, dear reader, most of them can’t actually continue to function if they are completely severed from the web forever.
If a manufacturer decides to withdraw software support, or switch off central servers, users could find themselves with a big, frosty brick in their kitchen. In the wider IoT world, there's precedent for this.