Sonos’s tone-deaf legacy product policy angers customers – Naked Security

Source: National Cyber Security – Produced By Gregory Evans

When you buy a cloud-connected appliance, how long should the vendor support it for with software updates? That’s the question that home audio company Sonos raised this week when it dropped some unwelcome news on its customers.

The company has announced that it will discontinue software updates for older products in May this year (here’s a list of products that it marks as legacy). Stopping software updates for legacy kit is nothing new, but it’s the way the company has done it that has Sonos customers’ hackles up.

Sonos points out that it supports software updates on products for at least five years after it stops selling them. However, the issue here is that all products in a Sonos network must run on the same software, meaning that any newer (‘non-legacy’) equipment connected to the speakers will also stop downloading new software updates. The only way around this for Sonos users is to disconnect their new equipment from their legacy kit and run them independently of each other.

From Sonos’s email to customers:

Please note that because Sonos is a system, all products operate on the same software. If modern products remain connected to legacy products after May, they also will not receive software updates and new features.

This carries service implications for users, because while products will continue working without software updates, it doesn’t mean that they will work as well. Sonos explains that as third-party connected cloud partners change their own services, they may become incompatible with the legacy software.

This isn’t just a product service issue; it’s a cybersecurity problem. Any cloud-connected equipment is potentially vulnerable to attack, and researchers frequently discover new exploits. Ugo Vallauri is co-founder and policy lead of the Restart Project, a European organisation that promotes user repairs of consumer electronics in a bid to cut down on e-waste. He told us:

A big issue is the lack of separation between security updates and software updates. While we can’t expect a product’s software to be improved indefinitely, security updates should be ensured for as long as possible. In this case, Sonos is not even mentioning security updates when suggesting that “legacy” products could continue to be used.

When we asked Sonos about this, it replied:

We take our customer’s security seriously and will work to maintain the existing experience and conduct critical bug fixes where the computing hardware will allow.

So perhaps there’s hope, but there’s no official policy that tells you exactly what to expect in terms of cybersecurity fixes.

Contrast that with computer software companies like Microsoft. It also ceases support for its products (a concept known as end of life, or EOL). However, it lets customers know about it years in advance, rather than giving them four months’ notice, as Sonos has done. It offers cybersecurity updates for an extended period and allows customers to buy extended support after that. And EOL Microsoft software connected to the network doesn’t affect software support for non-EOL software.