Hacker News
by renonce 1484 days ago
It's not practical to hide vendor keys. Unless the key is embedded in a security chip in the factory, it's usually possible to extract them from the firmware. Even if the vendor CA is not compromised, stealing keys from a single device should be sufficient.
1 comment

I was thinking more along the lines of signature verification, but I forgot that any spoofed device could just supply a signature it got out of a device, so I think you're probably right.
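
Added example, not part of either comment above: a minimal model of the two points in the thread, showing that a fixed proof of authenticity can be replayed by any device that has seen it, and that a nonce-based challenge stops the replay but not a copy holding a key extracted from one genuine device. HMAC-SHA256 stands in for the vendor's signature scheme (so the verifier here holds the same key), and all names and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not from the thread.
DEVICE_ID = b"device-0001"
DEVICE_KEY = secrets.token_bytes(32)  # secret provisioned into one genuine device


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (stand-in for a real signature)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def verify_static(device_id: bytes, proof: bytes) -> bool:
    """Scheme A: the device presents one fixed proof over its identity."""
    return hmac.compare_digest(proof, mac(DEVICE_KEY, device_id))


def verify_challenge(device_id: bytes, nonce: bytes, proof: bytes) -> bool:
    """Scheme B: the proof must cover a nonce freshly chosen by the verifier."""
    return hmac.compare_digest(proof, mac(DEVICE_KEY, device_id, nonce))


def demo() -> dict:
    # What a genuine device emits, as any observer could record it.
    captured_static = mac(DEVICE_KEY, DEVICE_ID)
    old_nonce = secrets.token_bytes(16)
    captured_response = mac(DEVICE_KEY, DEVICE_ID, old_nonce)

    fresh_nonce = secrets.token_bytes(16)
    return {
        # A recorded fixed proof verifies no matter who presents it.
        "static_replay_accepted": verify_static(DEVICE_ID, captured_static),
        # A recorded response does not match a fresh nonce.
        "challenge_replay_accepted": verify_challenge(
            DEVICE_ID, fresh_nonce, captured_response),
        # A copy holding the extracted key can answer any nonce.
        "extracted_key_accepted": verify_challenge(
            DEVICE_ID, fresh_nonce, mac(DEVICE_KEY, DEVICE_ID, fresh_nonce)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```
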