Beginner question: what about if the device doesn't accept over the air updates? What sort of security concerns are there for such a device that wakes up periodically to send data over HTTP.
You still have to defend against MitM attacks, that could steal your data. A recent example is Samsung smart TV that could be controlled with voice. If someone can route TV connection to his server posing as Samsung's server, she can eavesdrop you in your living room.
Another problem is that during the lifespan of product, several critical exploits could be found that would compromise the security if not patched. There already efforts to defeat SSL and we may need to upgrade to more advanced protocol in near future.
One last problem is that in your case the device needs to have server address hardcoded. The company could go out of business and you would have no way to redirect it to alternate unofficial server. Therefore, firmware upgrades are pretty nice to have in IoT.
If the device does not listen, i.e. it calls out, then it is inherently much more secure. However, many devices use an embedded web server and do listen for requests.
If the device does not listen, and polls regularly for updates, then that is fine ... perhaps even ideal.
Another problem is that during the lifespan of product, several critical exploits could be found that would compromise the security if not patched. There already efforts to defeat SSL and we may need to upgrade to more advanced protocol in near future.
One last problem is that in your case the device needs to have server address hardcoded. The company could go out of business and you would have no way to redirect it to alternate unofficial server. Therefore, firmware upgrades are pretty nice to have in IoT.