Finding End of Support Dates: UK PTSI Regulation

Published: 2024-06-07. Last Updated: 2024-06-07 13:12:40 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

One of the challenges with many IoT devices, in particular those targeting consumers and small businesses, is the ability to find how long a device is supported. This "expiration date" is becoming important as vulnerabilities are often discovered after a product no longer receives updates. In this case, users are often out of luck and left with a vulnerable device. Manufacturers will often not even acknowledge the vulnerability or provide notifications to users.

This will also make it difficult buying a device. It is often not clear what the "expiration date" of the device will be, and in some cases, you may purchase a device that no longer receives any updates.

Luckily, the UK government is here to help. As of April, any supplier of internet-connected devices in the UK must file a "Declaration of Compliance" with the UK's Office of Office for Product Safety & Standards [1]. Failing to do so can lead to hefty fines. The statement must include the minimum support period for the device. The same regulation also requires unique passwords and contact information to report vulnerabilities. 

Sadly, I haven't found a simple database to look up this declaration of compliance, but vendors post it on their websites. The regulation also states that the statement of compliance must accompany the product. But when you buy and open the product, it may be too late. Vendors may include this statement outside of the UK for simplicity, as you often find a long list of compliance statements for various locations included. Still, there is no guarantee that vendors will do this.

However, many vendors choose to make these statements public on their website. I collected below a few from popular vendors:

Supplier Statement URL
Apple https://regulatoryinfo.apple.com/ukpsti
Asus https://www.asus.com/support/faq/1051929/
GL.Inet https://www.gl-inet.com/psti/
GoPro https://gopro.com/en/us/legal/uk-psti-compliance
Google https://support.google.com/product-documentation/answer/14869041?hl=en
Lenovo https://www.lenovo.com/us/outletus/en/compliance/uk-psti-soc/
Linksys https://downloads.linksys.com/support/assets/others/UK_PTSI_Statement_of_Compliance_w_products.pdf
Motorola https://en-gb.support.motorola.com/app/answers/detail/a_id/178271/~/uk-psti
Netgear https://kb.netgear.com/000066102/UK-PSTI-Declaration-of-Conformity
Philips https://www.documents.philips.com/assets/UK%20Declaration%20of%20Conformity/20240530/78360cfd353b45bd944eb180001d9832.pdf
Samsung https://news.samsung.com/uk/notice-new-uk-product-security-and-telecommunications-infrastructure-psti-law
TP-Link https://www.tp-link.com/uk/support/psti/

 

Please let me know if you know of a better database that lists the compliance statements. For example, I could not find one for Ubiquity (Unifi). However, I believe they are still using the default password "ubnt" which puts them out of compliance.

I recommend labeling new devices with the purchase date and the end of support date as you receive them. The purchase date is good to have handy for warranty purposes, and the end of support date is important to know when you will have to replace the device.

[1] https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
 

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords: iot ptsi uk
0 comment(s)
ISC Stormcast For Friday, June 7th, 2024 https://isc.sans.edu/podcastdetail/9014

Comments


Diary Archives