by nickdothutton 8 days ago
It is quite common to find device manufacturers, even those of many years' standing, who _appear to_ begin with the device and add the software as an afterthought, paying little attention to security or even the software lifecycle (patches, updates, the changing landscape/ecosystem). I have even known it happen that the device brand subs out the software to a random small developer, who then closes up shop/dies/gets out of that business, and the device company doesn't even have the source code, let alone any ability to further improve/fix the software that drives their device. This leads to layers upon layers of subsequent middleware, UIs, shims etc.
1 comments

It's frightening how often this happens. And these days with the boatloads of cheap computer and phone peripherals being bought every minute there's just no realistic way for an authority to monitor and regulate all of it.

I bet it's not an insignificant amount of devices out there that had their firmwares written by a "random small developer" who is in fact some kind of supply chain hacker.