One of the challenges with many IoT devices, in particular those targeting consumers and small businesses, is finding out how long a device will be supported. This “expiration date” is becoming important as vulnerabilities are often discovered after a product no longer receives updates. In this case, users are often out of luck and left with a vulnerable device. Manufacturers will often not even acknowledge the vulnerability or provide notifications to users.
This also makes buying a device difficult. It is often not clear what the “expiration date” of the device will be, and in some cases, you may purchase a device that no longer receives any updates.
Luckily, the UK government is here to help. As of April, any supplier of internet-connected devices in the UK must file a “Declaration of Compliance” with the UK’s Office for Product Safety & Standards [1]. Failing to do so can lead to hefty fines. The statement must include the minimum support period for the device. The same regulation also requires unique passwords and contact information to report vulnerabilities.
Sadly, I haven’t found a simple database to look up this declaration of compliance, but vendors post it on their websites. The regulation also states that the statement of compliance must accompany the product. But when you buy and open the product, it may be too late. Vendors may include this statement outside of the UK for simplicity, as you often find a long list of compliance statements for various locations included. Still, there is no guarantee that vendors will do this.
However, many vendors choose to make these statements public on their website. I collected below a few from popular vendors:
| Supplier | Statement URL |
|----------|---------------|
| Apple | https://regulatoryinfo.apple.com/ukpsti |
| Asus | https://www.asus.com/support/faq/1051929/ |
| GL.Inet | https://www.gl-inet.com/psti/ |
| GoPro | https://gopro.com/en/us/legal/uk-psti-compliance |
| Google | https://support.google.com/product-documentation/answer/14869041?hl=en |
| Lenovo | https://www.lenovo.com/us/outletus/en/compliance/uk-psti-soc/ |
| Linksys | https://downloads.linksys.com/support/assets/others/UK_PTSI_Statement_of_Compliance_w_products.pdf |
| Motorola | https://en-gb.support.motorola.com/app/answers/detail/a_id/178271/~/uk-psti |
| Netgear | https://kb.netgear.com/000066102/UK-PSTI-Declaration-of-Conformity |
| Philips | https://www.documents.philips.com/assets/UK%20Declaration%20of%20Conformity/20240530/78360cfd353b45bd944eb180001d9832.pdf |
| Samsung | https://news.samsung.com/uk/notice-new-uk-product-security-and-telecommunications-infrastructure-psti-law |
| TP-Link | https://www.tp-link.com/uk/support/psti/ |
Please let me know if you know of a better database that lists the compliance statements. For example, I could not find one for Ubiquiti (UniFi). However, I believe they are still using the default password “ubnt”, which puts them out of compliance.
I recommend labeling new devices with the purchase date and the end of support date as you receive them. The purchase date is good to have handy for warranty purposes, and the end of support date is important to know when you will have to replace the device.
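The same two dates can also be kept in a small inventory file and checked periodically. The Python sketch below is an added example, not part of the original diary; the CSV layout, device names, dates and the 180-day warning window are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical devices and dates).
# "purchased" is kept for warranty purposes; an empty end_of_support
# means no declared support period could be found for the device.
SAMPLE_INVENTORY = """\
device,location,purchased,end_of_support
example-router,office,2021-03-14,2024-12-31
example-camera,garage,2023-06-01,2026-06-01
example-doorbell,front door,2024-05-20,2029-05-20
example-plug,kitchen,2022-11-02,
"""

def review_inventory(csv_text, today, warn_days=180):
    """Return (status, days_left, device) tuples, most urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eos = row["end_of_support"].strip()
        if not eos:
            # No declared date: report it as a finding instead of
            # silently treating the device as supported.
            results.append(("UNKNOWN", None, row["device"]))
            continue
        days_left = (date.fromisoformat(eos) - today).days
        if days_left < 0:
            status = "EXPIRED"      # already past end of support
        elif days_left <= warn_days:
            status = "EXPIRING"     # plan the replacement now
        else:
            status = "SUPPORTED"
        results.append((status, days_left, row["device"]))
    order = {"EXPIRED": 0, "UNKNOWN": 1, "EXPIRING": 2, "SUPPORTED": 3}
    results.sort(key=lambda r: (order[r[0]], r[1] if r[1] is not None else 0))
    return results

if __name__ == "__main__":
    for status, days_left, device in review_inventory(SAMPLE_INVENTORY, date.today()):
        detail = "no declared date" if days_left is None else f"{days_left} days"
        print(f"{status:<10}{device:<20}{detail}")
```

Devices with no declared date are sorted right after expired ones, since an unknown support period deserves a follow-up with the vendor's statement.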
[1] https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
—
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.