Yesterday, Rob and Tod dug into the details of some model language for IoT labelling of End-of-Life (EOL) and End-of-Service (EOS) devices, proposed by our friends at the Center for Democracy and Technology (CDT) and other consumer advocacy groups.
The language is especially concerned about labelling for kidtech and medtech, and wants vendors to be more responsible for letting people know when their IoT toys, medical gear, and assorted other internet-connected doo-dads won't be supported with security and usability patches and updates.
You can read lots of opinions on this topic, including ours, at the Dark Reading article by Arielle Waldman, but to expand a little more on our concerns here, I wanted to jot down some things to keep in mind when thinking about how EOL/EOS actually works when it comes to labelling and handling it in your environment.
Notionally, it's a good idea to label consumer tech with an EOL/EOS date, but the devil will absolutely be in the details of how that will actually work. After all, you probably want to know that your Thing of the Internet will be vendor-supported tomorrow if you buy it today. Practically, though, it gets complicated, and fast. Every such Thing made today has a software stack that in turn is often drawn from dozens to hundreds of open source projects. These software sources, the hardware assembler (who is usually the "vendor"), and the retailer all have to agree on pushing out a patch or update.
Here in infosec, we need to really internalize the idea that just because something is missing a patch doesn't mean it stops working, so it's a sneaky fail case that's hard for consumers to even notice. At the same time, your home network and all the stuff attached to it is now often also touching your employer network, so keeping up on patching at home is becoming a corporate IT problem. With work-from-home, IT is responsible for the PlayStation in the CEO’s living room. Sophisticated attacks can target developers at home, and have, by subverting the usual write code-compile-ship workflow at the "write code" part.
As far as the actual notification mechanism is concerned, while physical labelling on docs and the device can be helpful, we need to appreciate that the secondary market -- selling your stuff on eBay or donating it to Goodwill -- will break the relationship between customer and vendor, making timely notification (such as by warranty card) that much more difficult. Besides, just because a vendor tells you when the EOL date is doesn't mean they have to tell you how to keep patched, or make it easy. Auto-updates can help, until the auto-update service itself goes EOL. And these EOL/EOS dates aren't set in stone -- some vendors (Microsoft) will backport patches past EOL if the issue is really serious. Some (F5 nginx) don't, and require you to update.
So, I'm super curious to see where this model language goes and if we'll make some headway in being open and transparent about the realities of maintaining old tech on your home network. Of course, that's an especially relevant question if your home network is so close to your employer's network. After all, if you're a knowledge worker in America today, your aging internet devices are really starting to become your CISO's problem.