this post was submitted on 26 Apr 2025
61 points (100.0% liked)

Hacker News

Posts from the RSS Feed of HackerNews.
[–] hitwright@lemmy.world 1 points 11 hours ago (1 children)

The point I was trying to make is that if the device is sold and the consumer is the one with physical access, the device should be treated as compromised. You are correct about minimizing attack surface and blast radius.

The thermostats being EOL'd before the 20 or so years is more directed at breaking the trust/expectation of the consumer/client. No one reads the EULA. It's a deep can of worms.

You are correct that the device still works, excluding the cloud services, not denying it.

[–] entwine413@lemm.ee 1 points 2 hours ago* (last edited 2 hours ago) (1 children)

I disagree that it breaks the trust. No one buys a computer and expects software updates 20 years later. Of course you can make the case with Linux, but that's a general purpose OS and requires knowledge beyond that of a typical consumer. A more apt analogy would be to expect Microsoft to still provide updates for Windows 98.

If you're going to support legacy hardware indefinitely, or even for decades, you're going to have to continuously add developers, and developers for legacy code are super expensive. Sure, COBOL still works fine, but you have to pay someone $250k a year to maintain it.

If the public expects their smart devices to be supported for 20 years, then their expectations need to be broken. Hardware, cybersecurity, and resource utilization will continue to rapidly evolve, and old equipment literally won't be able to keep up.

Hell, most of the smart devices out there have critical vulnerabilities. The ESP32 stack has been found to have hidden commands whose attack vector isn't fully understood. Literally every smart device on the market should have been EOL'd months ago, and I can only imagine what holes tech from 2014 has.

The people downvoting me to hell just don't understand how fucking dangerous the Internet is, and how much effort is required to protect an infrastructure. People like me bust our asses to keep shit like this safe, but there's a limit to what we can reasonably be expected to do. We're already really fucking overworked.

Of course, I would prefer that it be codified into law that companies need to allow the ability to manually flash firmware before marking something EOL. Block it from your servers, but let volunteers maintain the hardware for as long as possible.

[–] hitwright@lemmy.world 1 points 1 hour ago (1 children)

I don't think you should be downvoted, though. Reasonable and correct opinion from a (guessing) security professional.

The 20 year smart devices argument should be the norm, imho. We have way too much e-waste as it is. Although that would also mean that smart devices should include that in sales calculations.

The firmware flashing before EOL brings a tear to my eye from the elegance of the solution. Also, manufacturers would have to stop with other anti-consumer practices like serialization and scrubbing identity markings; otherwise reversing could be too costly.

[–] entwine413@lemm.ee 1 points 1 hour ago

You guessed correctly. I was a senior SecOps engineer for a federal contractor before DOGE decided that my company increasing government efficiency by 900% was a bad thing.