Why would you care about an insecure device connecting to your servers if the server is connected to the internet?
Any packet can be from an attacker, and your server has to deal with that regardless of whether the computer you’ve sold is the one attacking.
Sounds like security through obscurity. Or some shit manufacturer says to force users to upgrade.
You might argue it’s there to protect the user from state actors attacking during winter. Which would be fair. But they did not disclose the actual reason why they EoL’d the device as insecure, seems shady.
Still, the correct response should be returning probably half of the money for the device to any user that proves ownership, instead of this entrapment. No one buying a thermostat expects it to work for only 5-11 years.
Because in cyber security minimizing your attack surface is a big deal. The server is hardened against the public Internet, but it has to allow devices to connect to it. If those devices have been compromised, they can compromise your whole infrastructure, especially if it’s from a device that hasn’t had any vulnerabilities patched because it was end-of-lifed.
And there can be legitimate reasons to EoL a product. Certain pieces of hardware could have unpatchable vulnerabilities, or an older security standard, or an encryption algorithm might be compromised and the hardware literally can’t run the new ciphers.
The thermostats still work as thermostats, you just can’t connect to their servers to control them remotely.
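The comment above argues that the server has to admit fleet devices but should not admit ones that can no longer be patched or that cannot negotiate current ciphers. The following is an added example of what that admission policy looks like on the server side; it is not code from the thread or from any thermostat vendor, and the model names, firmware floors and the `DeviceHello` structure are constructed for illustration.

```python
"""Server-side admission policy for fleet devices.

Two controls from the discussion: (1) refuse devices whose hardware is end-of-life
or whose firmware is below the last patched release, so an unpatched device cannot
become a foothold into the rest of the infrastructure; (2) pin the TLS floor and
cipher policy so hardware that cannot run current ciphers fails at the handshake.
All device models, versions and hello records below are constructed sample data.
"""
import ssl
from dataclasses import dataclass, field

# Constructed: hardware generations the vendor no longer patches.
EOL_MODELS = {"thermo-gen1", "thermo-gen2"}

# Constructed: oldest firmware per supported model that carries every known fix.
MIN_FIRMWARE = {"thermo-gen3": (5, 2, 0)}

# Cipher suites the server is willing to negotiate (AEAD + forward secrecy only).
ALLOWED_CIPHERS = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
}


@dataclass
class DeviceHello:
    """Hypothetical summary of what a device announces when it connects."""
    model: str
    firmware: tuple
    tls_version: str
    ciphers: list = field(default_factory=list)


def parse_version(text):
    """Turn a dotted firmware string such as '5.2.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def admit(hello):
    """Return (allowed, reason). Every rejection names the failing control so the
    decision can be logged and alerted on."""
    if hello.model in EOL_MODELS:
        return (False, "model end-of-life: no security patches available")
    floor = MIN_FIRMWARE.get(hello.model)
    if floor is None:
        return (False, "unknown model")
    if hello.firmware < floor:
        return (False, "firmware below patched minimum")
    if hello.tls_version not in ("TLSv1.2", "TLSv1.3"):
        return (False, "TLS version below 1.2")
    if not ALLOWED_CIPHERS.intersection(hello.ciphers):
        return (False, "no acceptable cipher suite")
    return (True, "ok")


def build_server_context():
    """TLS context that enforces the same floor at the protocol layer, so a device
    that only speaks legacy ciphers is refused before any application code runs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual TLS: each device presents a cert
    return ctx


def server_context_floor():
    """Name of the lowest TLS version the server context will negotiate."""
    return build_server_context().minimum_version.name


def reject_summary(hellos):
    """Count rejections by reason; a spike in 'model end-of-life' after a cutoff is
    expected, a spike in 'no acceptable cipher suite' from a supported model is not."""
    counts = {}
    for hello in hellos:
        allowed, reason = admit(hello)
        if not allowed:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        DeviceHello("thermo-gen1", (9, 9, 9), "TLSv1.3", ["TLS_AES_128_GCM_SHA256"]),
        DeviceHello("thermo-gen3", parse_version("5.1.0"), "TLSv1.2", ["ECDHE-RSA-AES256-GCM-SHA384"]),
        DeviceHello("thermo-gen3", parse_version("5.2.1"), "TLSv1.0", ["AES128-SHA"]),
        DeviceHello("thermo-gen3", parse_version("5.2.1"), "TLSv1.2", ["ECDHE-RSA-AES256-GCM-SHA384"]),
    ]
    for hello in sample:
        print(hello.model, hello.firmware, admit(hello))
    print(reject_summary(sample))
```

The point of having both `admit` and `build_server_context` is defence in depth: the TLS context stops legacy-cipher hardware before the handshake completes, and the application-level check catches devices that negotiate fine but run firmware the vendor has stopped fixing. Logging the reason string from `admit` is what makes the cutoff observable rather than silent.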