Making Sense of Security

Securing your Digital World.


Sonos’s tone-deaf legacy product policy angers customers

When you buy a cloud-connected appliance, how long should the vendor support it with software updates? That’s the question that home audio company Sonos raised this week when it dropped some unwelcome news on its customers.

The company has announced that it will discontinue software updates for older products in May this year (here’s a list of products that it marks as legacy). Stopping software updates for legacy kit is nothing new, but it’s the way the company has done it that has Sonos customers’ hackles up.

Sonos points out that it supports software updates on products for at least five years after it stops selling them. However, the issue here is that all products in a Sonos network must run on the same software, meaning that any newer (‘non-legacy’) equipment connected to the speakers will also stop downloading new software updates. The only way around this for Sonos users is to disconnect their new equipment from their legacy kit and run them independently of each other.

From Sonos’s email to customers:

Please note that because Sonos is a system, all products operate on the same software. If modern products remain connected to legacy products after May, they also will not receive software updates and new features.

This carries service implications for users, because while products will continue working without software updates, it doesn’t mean that they will work as well. Sonos explains that as third-party connected cloud partners change their own services, they may become incompatible with the legacy software.

This isn’t just a product service issue; it’s a cybersecurity problem. Any cloud-connected equipment is potentially vulnerable to attack, and researchers frequently discover new exploits. Ugo Vallauri is co-founder and policy lead of the Restart Project, a European organisation that promotes user repairs of consumer electronics in a bid to cut down on e-waste. He told us:

A big issue is the lack of separation between security updates and software updates. While we can’t expect a product’s software to be improved indefinitely, security updates should be ensured for as long as possible. In this case, Sonos is not even mentioning security updates when suggesting that “legacy” products could continue to be used.

When we asked Sonos about this, it replied:

We take our customer’s security seriously and will work to maintain the existing experience and conduct critical bug fixes where the computing hardware will allow.

So perhaps there’s hope, but there’s no official policy that tells you exactly what to expect in terms of cybersecurity fixes.

Contrast that with computer software companies like Microsoft. It also ceases support for its products (a concept known as end of life, or EOL). However, it lets customers know about it years in advance, rather than giving them four months’ notice, as Sonos has done. It offers cybersecurity updates for an extended period and allows customers to buy extended support after that. And EOL Microsoft software connected to the network doesn’t affect software support for non-EOL software.

Sonos customers are furious. On the company’s forum, one, named Stueys, said:

Just received the legacy email that tells me that half my 10 unit system will be obsolete from May. So it appears that I can either pile more money into Sonos, accept that my modern equipment (less than 2 years old) will no longer be updated because I have the audacity of being a long term customer or go somewhere else.

So how long should companies maintain software support for their products?

Gay Gordon-Byrne is executive director of the Repair Association, a US non-profit that advocates for people’s right to repair their products. She told us:

There are ZERO support obligations in the US. There are no requirements that any product be updated for any reason other than for “Defect Support”. Even fixing known defects is voluntary until/unless there is a mandatory recall or other banishment, such as when the Samsung Galaxy 7 phones were so prone to battery fires that they were prohibited on planes.

We asked Sonos why it couldn’t have introduced a software feature that would enable newer products to maintain backwards compatibility with older products. After all, games console vendors engineer entire operating systems to be backwards-compatible with old games, which is a much tougher task. We’ll update this article when the company responds.

Stueys asked Sonos:

So I can make an informed decision Sonos must now publish the support windows for all products currently available. At least try to recover some credibility.

We put this to Sonos, and it restated that it will support products with regular software updates for at least five years after it stops selling them.

Sonos explains that if customers don’t want to keep their old legacy kit, they can trade up. This program, announced in October 2019, gives customers a 30% credit for each legacy product they replace.

There’s a catch, though: to take advantage of the trade-in deal they have to activate ‘recycle mode’, which is effectively a kill switch for legacy equipment. Activating this mode deliberately bricks Sonos equipment in 21 days with no chance of recovery. It’s designed to stop legacy kit from falling into the hands of second-hand customers and degrading their experience, Sonos told The Verge.

All this leads to a bigger question: Do you really own your equipment when it’s connected to a cloud service? Companies have trampled over user rights in the past, such as when Nest bought IoT home hub device Revolv and then bricked all the devices in the field. It’s an ongoing problem and we document other examples.

Vallauri concluded:

Increasingly, products are rendered useless via software before they are physically obsolete. We first experienced this with mobiles and tablets, but we will experience this with many of the products we buy. This is totally unacceptable, given their cost to consumers and their environmental cost.
