by fuckyouriotshit 1862 days ago
Manufacturers don't necessarily have to rotate the keys on older devices; they could rotate the keys on newer devices such that it's difficult to reliably tell what batch/generation a newer device is from, because it could be using a newer or older key.

Such behavior would require some way of revoking old keys from newer devices to prevent a situation where a compromised and blacklisted old key is selected and causes the CAPTCHA to fail, seemingly at random.

1 comments

I don't totally follow. The key is baked into each device, so if you sold a mix of devices where some had the old key and some the new, revocation of the old key would brick the new devices with that old key.