[rkangel]

Any connected device NEEDS continual updates in order to continue to be secure.

This is particularly true of internet connected devices, but is also true for IOT devices that only connect to the internet indirectly. Security holes get found, if you can't patch and update devices in the field then you are leaving your customers unprotected.

[Aardwolf]

> Any connected device NEEDS continual updates in order to continue to be secure.

And I feel that updates are being abused too much by device makers now:

-allows making devices worse, say "optimizing" the UI e.g. to make you spend more time in the parts they (not necessarily the user) want you to see

-allows releasing half-finished games since they can just be updated later anyway

-allows breaking old functionality for whatever reason

-allows the device makers to choose when to do the update rather than the user, say just when you want to start playing a game

It's a shame there's no less invasive way to ensure devices are secure. It sure is convenient for the device makers that the solution to security also gives them continuous control over your device's features and when you can actually use it

[Nextgrid]

There is security and there is cargo cult. "unprotected" really depends on what the user is using the device for, what the vulnerabilities are, and what's the worst thing someone with total root level access to the device can actually do.

If the device is using a read-only firmware, has a secure boot chain of trust, lives behind a firewall and only makes outgoing connections, the risk is very limited. You can't directly connect to it, so your only option is to tamper with traffic in transit and exploit some buffer overflow in how it parses replies to its requests - that's already a very targeted attack that's really hard to scale, and with an intact secure/trusted boot chain it still means you can't persist so you'd need to redo this every time the device is rebooted.

And finally, assuming you manage to do all the above, what't the payoff? For a "Car Thing", the payoff is quite limited. I guess you can blast obnoxious music at full volume against the user's wishes?

[the_snooze]

It's not just security, but simple functionality too. Connected devices rely on remote services, by definition. Those services' APIs will change and get deprecated over time. At the very least, you need to keep clients up-to-date to conform to those API changes.

[rkangel]

I would argue that connected devices should only rely on your services - otherwise how do you know that they're not going away?

And if they're your services then you can maintain their stability.

[the_snooze]

"Your services" aren't entirely yours. Practically speaking, no one builds systems entirely from scratch. A service likely has remote dependencies too, some of which will trickle down to the clients of your service. For Spotify specifically, they rely on SSO providers and third-party payments services; if those APIs change, then the client will likely require updates even though Spotify didn't change anything in their own core functionality.

[TheLoafOfBread]

I have never updated my ethernet switches. Ever.