Because in cyber security minimizing your attack surface is a big deal. The server is hardened against the public Internet, but it has to allow devices to connect to it. If those devices have been compromised, they can compromise your whole infrastructure, especially if it’s from a device that hasn’t had any vulnerabilities patched because it was end-of-lifed.
And there can be legitimate reasons to EoL a product. Certain pieces of hardware could have unpatchable vulnerabilities, or an older security standard, or an encryption algorithm might be compromised and the hardware literally can’t run the new ciphers.
The thermostats still work as thermostats, you just can’t connect to their servers to control them remotely.
The point I was trying to make is that if the device is sold and the consumer is the one with physical access, the device should be treated as compromised. You are correct about minimizing attack surface and blast radius.
The thermostats being EOL’d before the 20 or so years is more directed at breaking the trust/expectation of the consumer/client. No one reads the EULA. It’s a deep can of worms.
You are correct that the device still works, excluding the cloud services, not denying it.