The Meridiem
Device Makers Face Mandatory Disclosure as Massachusetts Signals Policy Cascade


Connected device manufacturers must now disclose support timelines. Bills signal multi-state regulatory shift on product lifecycle transparency and firmware vulnerability risks.


The Meridiem Team. At The Meridiem, we cover just about everything in the world of tech. Some of our favorite topics to follow include the ever-evolving streaming industry, the latest in artificial intelligence, and changes to the way our government interacts with Big Tech.

  • Massachusetts introduces two bills requiring that manufacturers disclose product support timelines on packaging and in online listings, per WIRED reporting

  • The policy addresses a growing attack surface: Wi-Fi has been commonplace for more than 20 years, so a large installed base of connected devices now runs without security patches, a risk manufacturers can no longer ignore

  • For device makers: compliance means building disclosure infrastructure (packaging, listings, end-of-life notifications); for enterprises: procurement criteria must now factor in lifecycle transparency

  • Watch New York's similar bill (introduced January 2025) and whether federal legislation follows within the next legislative cycle

The inflection point arrives quietly in Massachusetts. Two bills introduced this week mandate what was once manufacturer discretion: telling customers when their connected devices will stop receiving updates. State Representative David Rogers frames it plainly: devices without security patches become "ticking time bombs for hackers." This isn't abstract cybersecurity policy. It's about the millions of "zombie devices" still connected to home networks: routers from 2015, cameras from 2017, sensors gathering dust but still broadcasting. The legislation signals something larger: the beginning of a multi-state regulatory cascade that could reshape how the IoT industry operates within 6-12 months.

The transition starts with a security paradox. Connected devices have become infrastructure—routers, thermostats, cameras woven into homes and offices. But manufacturers have no incentive to maintain them forever. Once a device stops generating revenue through new sales or subscriptions, support ends. The device keeps running, keeps connecting to the network, but stops receiving security patches. That's not obsolescence. That's abandonment. And in the language of cybersecurity, abandonment is vulnerability.

Massachusetts State Representative David Rogers and Senator William Brownsberger are trying to change the calculation. Their two bills—H.5563 in the House and S.3606 in the Senate—would require manufacturers to clearly state on product packaging and in online listings exactly how long they'll provide software and security updates. When that timeline approaches its end, companies would need to notify customers. When it ends, companies must disclose what features will be lost and what security vulnerabilities may emerge.

This sounds basic. It should be. Instead, it represents a fundamental shift in how the IoT industry operates. Right now, most manufacturers choose whether to disclose support timelines at all. Many don't. You buy a Wi-Fi router without knowing whether it'll receive updates for two years or ten. That decision—the manufacturer's alone—has created exactly the problem the bills aim to solve.

"We're trying to reduce the attack surface," says Stacey Higginbotham, a policy fellow at Consumer Reports, one of the organizations that pushed for this legislation. "We cannot prevent it, but we do want to give consumers the awareness that they could be hosting something. Basically, they have an open door that can no longer be locked."

The numbers justify the urgency. Wi-Fi has been standard for over twenty years. That means a rapidly aging installed base of devices—routers, sensors, home security cameras—still connected to networks they were never designed to defend. These are the zombie devices. Owners don't realize they're vulnerable because the devices still function normally. They stream, they sense, they record. But they're unpatched against exploits discovered in the last five years.

Manufacturers know this. They've known it for years. The reason nothing has changed is market structure. Disclosing short support windows makes products less attractive. Customers who understand that their device will stop receiving updates in three years make different purchasing decisions than customers kept in the dark. So companies benefit from opacity. The cost of that opacity—the expanded attack surface, the botnet risk, the security incident exposure—falls on customers and, eventually, society. Paul Roberts, president of the Secure Resilient Future Foundation and a driving force behind the legislation, describes it clearly: "They privatize the profit and socialize the risk."

Massachusetts isn't the first state to move on this. New York State Senator Patricia Fahy introduced a virtually identical bill just last month. Neither bill is guaranteed to pass. Both face the typical legislative friction: committee reviews, lobbying from manufacturers, language negotiations. But the pattern matters. What we're seeing is the early formation of state-level consensus. That's how policy cascades form.

The precedent is clear. Look at gaming monetization regulation. It started in a handful of European countries with loot box disclosure requirements. Within two years, multiple U.S. states were drafting similar bills. The initial friction gave way once the first jurisdiction proved implementation was feasible. Device lifecycle disclosure follows the same curve: one or two states pass legislation, manufacturers realize compliance is manageable, and the incentive flips. Remaining in non-compliant states becomes more expensive than simply adopting uniform disclosure practices nationally.

For manufacturers, the timeline is now compressed. They have 6-8 months to understand what compliance looks like before the next legislative wave hits. That means building disclosure infrastructure, determining realistic support timelines for each product line, and preparing notification systems for the end-of-life phase. None of this is technically difficult. It's all commercially inconvenient. That's the inflection point. Inconvenience is becoming mandatory.

The security case is airtight. Unpatched devices are demonstrably exploitable. The IoT botnets that have powered some of the largest DDoS attacks of the past decade relied on exactly this dynamic: millions of still-functioning devices whose manufacturers had moved on. Every month that passes adds more devices to that pool. Disclosure won't eliminate the risk, but it transfers knowledge to the people who actually own the devices. A homeowner who understands their five-year-old router will never receive another update can make an informed choice: upgrade, replace, or disconnect. Right now they can't even make that choice because they don't have the information.

What's remarkable is how little organized opposition exists. Manufacturers grumble about compliance costs, sure. But there's no powerful lobby arguing against transparent product lifecycles the way there was against right-to-repair legislation. That absence matters. It suggests the industry expects this to pass somewhere soon and is already calculating transition costs. Once Massachusetts or New York moves, the pressure accelerates.

The window opens now for three distinct audiences. Device manufacturers have 6-8 months to implement disclosure infrastructure before the legislative cascade accelerates; companies betting on regulatory inertia are miscalculating badly. Enterprise buyers need to revise procurement criteria immediately: the devices your organization standardized on two years ago may already be approaching end-of-life, and vendors will now have to state those dates publicly, where your competitors can read them too. For security professionals, this is the moment to audit the installed device inventory against vendor support dates and calculate replacement timelines, before mandated disclosure turns those gaps into competitive intelligence. The policy inflection is real. The question now is speed of spread.
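The audit the previous paragraph recommends is easy to describe and easy to put off, so here is an added example of what it looks like in practice. This is not code from the article, from Consumer Reports, or from any vendor; it is a small Python triage script that reads a constructed device inventory (hostnames, model names, support-end dates and exposure flags are all hypothetical), buckets each device by the vendor's stated end of security updates, and orders the list so that unpatched, internet-reachable devices come first. Devices with no disclosed support date are deliberately ranked just behind the already-unsupported ones, since the absence of a date is exactly the opacity the bills target.

```python
"""Triage a connected-device inventory by vendor-stated support end date.

Added example, not code from the article or from any vendor or regulator.
The inventory, hostnames, model names and dates below are constructed for
illustration; substitute an export from your own asset system.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample inventory. support_end is the vendor's stated end of
# security updates (ISO date) or blank when the vendor never disclosed one.
SAMPLE_INVENTORY = """\
hostname,model,support_end,internet_exposed
edge-rtr-01,ExampleRouter R200,2024-06-30,yes
cam-lobby-03,ExampleCam C5,2025-03-15,yes
thermo-2f,ExampleTherm T1,2027-01-01,no
sensor-dock-7,ExampleSense S9,,no
"""

# Constructed "as of" date so the sample triage is reproducible.
AS_OF = date(2025, 2, 1)

# Status buckets, ranked by how urgently the device needs attention.
UNSUPPORTED = "unsupported"    # support_end already passed: no more patches
UNDISCLOSED = "undisclosed"    # vendor gave no date: assume the worst
ENDING_SOON = "ending_soon"    # inside the warning window
SUPPORTED = "supported"
STATUS_RANK = {UNSUPPORTED: 0, UNDISCLOSED: 2, ENDING_SOON: 4, SUPPORTED: 6}


@dataclass
class DeviceStatus:
    hostname: str
    model: str
    status: str
    days_left: Optional[int]   # None when the vendor disclosed no date
    internet_exposed: bool
    priority: int              # lower = replace first


def classify(support_end: Optional[date], today: date, warn_days: int):
    """Map a support-end date to a status bucket and days remaining."""
    if support_end is None:
        return UNDISCLOSED, None
    days_left = (support_end - today).days
    if days_left < 0:
        return UNSUPPORTED, days_left
    if days_left <= warn_days:
        return ENDING_SOON, days_left
    return SUPPORTED, days_left


def priority_for(status: str, internet_exposed: bool) -> int:
    """Rank by status, then put internet-reachable devices ahead of LAN-only ones."""
    return STATUS_RANK[status] + (0 if internet_exposed else 1)


def triage(csv_text: str, today: date, warn_days: int = 180) -> List[DeviceStatus]:
    """Parse the inventory CSV and return devices sorted most-urgent first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["support_end"].strip()
        support_end = date.fromisoformat(raw) if raw else None
        exposed = row["internet_exposed"].strip().lower() == "yes"
        status, days_left = classify(support_end, today, warn_days)
        results.append(DeviceStatus(
            hostname=row["hostname"].strip(),
            model=row["model"].strip(),
            status=status,
            days_left=days_left,
            internet_exposed=exposed,
            priority=priority_for(status, exposed),
        ))
    # Within a priority bucket, the device with the least time left goes first.
    results.sort(key=lambda d: (d.priority, d.days_left if d.days_left is not None else 0))
    return results


def replacement_schedule(devices: List[DeviceStatus]) -> List[Tuple[str, str]]:
    """Turn the triage into (hostname, action) pairs a procurement team can act on."""
    actions = []
    for d in devices:
        if d.status == UNSUPPORTED:
            action = "replace or disconnect now"
        elif d.status == UNDISCLOSED:
            action = "ask vendor for support end date; treat as unsupported if none"
        elif d.status == ENDING_SOON:
            action = "budget replacement within %d days" % d.days_left
        else:
            action = "re-check at next inventory review"
        actions.append((d.hostname, action))
    return actions


if __name__ == "__main__":
    for host, action in replacement_schedule(triage(SAMPLE_INVENTORY, AS_OF)):
        print("%-16s %s" % (host, action))
```

The warning window (180 days here) is the knob to tune against procurement lead time: if it takes your organization six months to fund and deploy a replacement, a device whose updates stop in five months is already late. Once vendors are required to publish support dates, the `support_end` column can be filled from their listings instead of from support tickets.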
