• Lyra_Lycan@lemmy.blahaj.zone · 21 upvotes · edited · 2 days ago

    Google assimilated and ruined the brand Nest. I don’t know who created the thermostats, but they will be shut down, like all the others, once the enshittified products generate too little income.

    • entwine413@lemm.ee · 5 upvotes · 31 downvotes · edited · 2 days ago

      Dude, they’re 11 years old.

      Edit: These are not ‘just thermostats’. These are computers that are meant to connect to the Internet. 11 years of support for a computer is a long time.

      When a computer’s support reaches EoL, it’s no longer secure. You don’t want devices that are vulnerable to connect to your servers, so from a SecOps standpoint blocking their access makes sense.

      It’s not like these thermostats are going to be useless. You can still use them as thermostats, just not with the cloud service.

      But I get it. Any logic or reason that disagrees with the hive mind craving to hate literally anything a company does will get downvoted to hell.

        • entwine413@lemm.ee · 1 upvote · 1 downvote · edited · 4 hours ago

          It’s an Internet-connected computer that has a temperature sensor and relays. Computers run operating systems, and those operating systems require constant updates to patch vulnerabilities. When those updates stop, the clock starts ticking on when they’ll become attack vectors. You don’t allow attack vectors to access your servers.

          The only thing being taken offline is access to their servers (which is a plus for me). The thermostats still function as thermostats.

          So no, it’s not a fucking thermostat. If you want one that’ll last 50 years, go buy an old mercury thermostat or one that relies on other laws of physics instead of literal computers. Everything has an expected lifespan.

          Honest to God, I could have sworn I remembered Google bricking these same devices like 10 years ago, which is why I find it weird that anyone cares about Nest products. I built my own smart thermostat (super easy, you just need Home Assistant, an ESP32 or Pi Pico, a 4x relay board, and an SHT3x sensor, plus an 18 VAC to 3.3 VDC or 5 VDC converter to power everything). The hardest part is an enclosure, but I guarantee there’s a nerd like me in your city who would design you one for fun (literally, building custom smart devices is what I do for fun).
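As an added example (not code from the thread or from any commenter), here is how the build described above could be expressed as an ESPHome configuration: an ESP32, an SHT3x on I2C, and three channels of a relay board driving the usual 24 VAC heat (W), cool (Y) and fan (G) lines, exposed to a local Home Assistant instance only. Pin numbers, entity names, timings and the `!secret` entries are assumptions; the heat and cool relays are interlocked so the firmware can never energise both at once, and the fan is only driven with cooling on the assumption that the furnace runs its own blower on W.

```yaml
# Added example, not from the thread. All pins and names are hypothetical.
esphome:
  name: diy-thermostat

esp32:
  board: esp32dev
  framework:
    type: arduino

# Local-only: the device talks to Home Assistant over the encrypted native API
# and to nothing else; there is no cloud account involved.
wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

api:
  encryption:
    key: !secret api_key        # 32-byte base64 key generated for this device

ota:
  - platform: esphome
    password: !secret ota_password

logger:

i2c:
  sda: GPIO21
  scl: GPIO22

sensor:
  - platform: sht3xd            # SHT3x temperature/humidity sensor
    address: 0x44
    update_interval: 30s
    temperature:
      id: room_temp
      name: "Room Temperature"
    humidity:
      name: "Room Humidity"

# Three of the four relays; W and Y are interlocked so heat and cool can never
# be energised together, and every relay starts de-energised after a reboot.
switch:
  - platform: gpio
    id: relay_heat
    name: "Heat (W)"
    pin: GPIO16
    restore_mode: ALWAYS_OFF
    interlock: [relay_cool]
  - platform: gpio
    id: relay_cool
    name: "Cool (Y)"
    pin: GPIO17
    restore_mode: ALWAYS_OFF
    interlock: [relay_heat]
  - platform: gpio
    id: relay_fan
    name: "Fan (G)"
    pin: GPIO18
    restore_mode: ALWAYS_OFF

climate:
  - platform: thermostat
    name: "DIY Thermostat"
    sensor: room_temp
    # Minimum run/off times protect the compressor and stop short-cycling.
    min_heating_off_time: 300s
    min_heating_run_time: 300s
    min_cooling_off_time: 300s
    min_cooling_run_time: 300s
    min_idle_time: 60s
    heat_action:
      - switch.turn_on: relay_heat
    cool_action:
      - switch.turn_on: relay_cool
      - switch.turn_on: relay_fan
    idle_action:
      - switch.turn_off: relay_heat
      - switch.turn_off: relay_cool
      - switch.turn_off: relay_fan
    default_preset: Home
    preset:
      - name: Home
        default_target_temperature_low: 19 °C
        default_target_temperature_high: 24 °C
```

The point of the `api:` encryption key and the absence of any cloud component is the one the thread keeps returning to: the only thing the device can reach is the Home Assistant host, so there is no vendor server to be cut off from, and the firmware can be rebuilt and reflashed by the owner for as long as the hardware lasts.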

      • Lyra_Lycan@lemmy.blahaj.zone · 2 upvotes · edited · 1 day ago

        I agree with almost everything you said, save for the ‘cloud service’. Simply, the only thing any device needs to connect to for me is either my router or my Home Assistant instance. On a related note, I’m tired of being farmed for data, especially when I don’t use advertising or any kind of invasive technique to make purchasing decisions. As for bug fixes thanks to anonymous data, if I see any issues I’ll go to the devs. If it isn’t broken I don’t need a fix.

        I can think of many times when being connected to external servers has been detrimental. I definitely don’t want any half-baked features/enshittification like AI detection, I just want CCTV (Reolink); I don’t want good features that I use to be removed just because the majority never used Snap, and voice control was great until ‘Xbox’ became ‘Hey Cortana’ and was then removed (Xbox).

        Cloud connection does far more than give users external connectivity and cool stuff like remote control with your phone. It brings unwanted extras. The other issue is I bet there is no way for a consumer to replace the cloud service with their own, personal system (therefore extremely safe from hacks compared to a centralised system).

        I don’t need this much assistance.

        • entwine413@lemm.ee · 1 upvote · 1 downvote · 17 hours ago

          I agree. Not being able to connect to their cloud service would be an upgrade in my book.

      • breakingcups@lemmy.world · 23 upvotes · 2 days ago

        My current thermostat is at least 20 years old. What’s your point? That we should accept big tech telling us to throw our devices away long before they’ve outlived their usefulness because their programmers can’t do their jobs without an ever growing 16-layered ball of code that performs like crap?

        • gadfly1999@lemm.ee · 11 upvotes · edited · 2 days ago

          20-year-old code can work as well as the day it was written. This is tech companies tying hardware to cloud services that they have no interest in supporting 10 years after they sold it to you.

          • entwine413@lemm.ee · 2 upvotes · 1 downvote · 2 days ago

            Working as well and being secure are two different things. Smart devices are computers that connect to the Internet, and devices that no longer receive security updates are attack vectors.

            From a SecOps standpoint, it’s perfectly reasonable to block such devices from hitting your servers.

            These thermostats still work as thermostats, you just can’t use the cloud service.

            • Don_alForno@feddit.org · 1 upvote · 16 hours ago

              > From a SecOps standpoint, it’s perfectly reasonable to block such devices from hitting your servers.

              Then they should give users a way to replicate the lost features on their own server. That’d be the user’s own risk.

              I know that no company does that. Doesn’t make it right.

              Don’t buy IoT bullshit, kids.

              • entwine413@lemm.ee · 1 upvote · 1 downvote · 14 hours ago

                TP-Link does. My Kasa devices work completely locally.

                Also, you can get (certain) dirt cheap Tuya-based devices and flash Tasmota on them. ESPHome is also a possibility.

                I build most of my own smart devices, though.

            • gadfly1999@lemm.ee · 1 upvote · edited · 21 hours ago

              I see you’re getting downvoted but it’s a reasonable take. I fired from the hip thinking this was like most IoT garbage these days that is bricked without a connection to the server.

        • entwine413@lemm.ee · 1 upvote · 2 downvotes · 2 days ago

          Your current thermostat isn’t a computer that connects to the Internet, is it?

          The thermostats still work locally.

        • entwine413@lemm.ee · 1 upvote · 2 downvotes · 2 days ago

          And? If your device is no longer receiving security updates, it’s perfectly reasonable to not allow it to access your servers.

      • casmael@lemm.ee · 13 upvotes · 2 downvotes · 2 days ago

        It’s a fucking thermostat, my dude. That’s not very old. Have you ever been in a house?

        • entwine413@lemm.ee · 4 upvotes · 5 downvotes · 2 days ago

          No, it’s a computer that controls relays. Computers that connect to the Internet need security updates to not be attack vectors. Blocking insecure devices from connecting to your servers is good security.

          The devices aren’t bricks. They still function as thermostats. You just can’t use their cloud service with them.

      • Cheradenine@sh.itjust.works · 10 upvotes · 2 days ago

        It’s a thermostat; my parents still have one of those goldtone Honeywell ones with a dial from like the 1960s. The only reason the app won’t work is because they can’t be bothered to support it. Stop making things obsolescent; make it mandatory that all this crap has a set support time after which it must be open sourced.

        • PattyMcB@lemmy.world · 2 upvotes · 2 days ago

          Agreed. If copyrights expire, then why not for proprietary software, especially when it’s no longer supported?

        • entwine413@lemm.ee · 2 upvotes · 6 downvotes · edited · 2 days ago

          No, it’s a computer that runs a thermostat.

          And you generally don’t allow devices that aren’t receiving security updates to continue accessing servers.

          I do agree with making them open source it, though.

          But they also aren’t bricking the devices. They still work as thermostats.

          • Psythik@lemm.ee · 5 upvotes · 2 downvotes · 2 days ago

            So fucking what? Stop repeating this shitty, weak argument over and over again.

            There is absolutely no logical reason why they can’t continue to support it, no matter how old it gets. A 20-year-old computer can run modern Linux just fine with security updates, why can’t a 12-year-old thermostat that is also running on a heavily modified Linux?

            • entwine413@lemm.ee · 2 upvotes · 3 downvotes · edited · 2 days ago

              Because you have to pay developers to maintain it. Developers are expensive. At some point it doesn’t make sense to keep doing that, so products are end-of-lifed.

              You’re more than welcome to attempt to flash a custom firmware on it, though. I’m sure there are devs working on it.

              Also, that 20-year-old computer is running a general purpose OS that is designed to work on just about any system. The OS on a smart device, especially one from 2014, is heavily customized.

      • hitwright@lemmy.world · 2 upvotes · edited · 1 day ago

        Why would you care about an insecure device connecting to your servers if the server is connected to the internet?

        Any packet can be from an attacker, and your server has to deal with that regardless of whether the computer you’ve sold is the one attacking.

        Sounds like security through obscurity. Or some shit manufacturer says to force users to upgrade.

        You might argue it’s there to protect the user from state actors attacking during winter. Which would be fair. But they did not disclose the actual reason why they EoL’d the device as insecure, which seems shady.

        Still, the correct response should be returning probably half of the money for the device to any user that proves ownership, instead of this entrapment. No one buying a thermostat expects it to work for only 5-11 years.

        • entwine413@lemm.ee · 3 upvotes · 1 downvote · 17 hours ago

          Because in cyber security minimizing your attack surface is a big deal. The server is hardened against the public Internet, but it has to allow devices to connect to it. If those devices have been compromised, they can compromise your whole infrastructure, especially if it’s from a device that hasn’t had any vulnerabilities patched because they were end of lifed.

          And there can be legitimate reasons to EoL a product. Certain pieces of hardware could have unpatchable vulnerabilities, or an older security standard, or an encryption algorithm might be compromised and the hardware literally can’t run the new ciphers.

          The thermostats still work as thermostats, you just can’t connect to their servers to control them remotely.
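The comment above describes a server-side policy rather than code: a device fleet server that admits only devices still under support, on a supported firmware, and able to negotiate current crypto. As an added example (not code from the thread, Google or any commenter), here is one way such an admission check could be written, applied where a device opens a session after TLS termination. The model names, minimum firmware versions, end-of-life dates, the `DeviceSession` record and the TLS-version string format are all constructed for illustration. The check fails closed: an unknown model or an unparseable version string is denied rather than waved through.

```python
"""Added example: fail-closed admission policy for device sessions.
Everything in SUPPORT_TABLE and the session records is constructed, not real."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed support table: model -> (minimum supported firmware, EoL date or None)
SUPPORT_TABLE = {
    "thermo-gen2": ("4.0.0", date(2025, 10, 25)),   # hypothetical EoL date
    "thermo-gen3": ("5.6.0", None),                  # still supported
}

# Below this the negotiated protocol is treated as an "older security standard".
MIN_TLS: Tuple[int, int] = (1, 2)


@dataclass(frozen=True)
class DeviceSession:
    """What the terminating proxy hands to the policy; a constructed shape."""
    device_id: str
    model: str
    firmware: str       # dotted numeric version reported by the device
    tls_version: str    # e.g. "TLSv1.3" as reported by the proxy


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.6.1' -> (5, 6, 1); raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_tls(v: str) -> Tuple[int, int]:
    """'TLSv1.2' -> (1, 2); raises ValueError if the string is malformed."""
    major, minor = v.strip().removeprefix("TLSv").split(".")
    return int(major), int(minor)


def admit(session: DeviceSession, today: Optional[date] = None) -> Decision:
    """Decide whether a device session may reach the fleet API.

    Order matters only for the reason string: every check must pass.
    Any parsing failure is treated as a deny (fail closed)."""
    today = today or date.today()
    entry = SUPPORT_TABLE.get(session.model)
    if entry is None:
        return Decision(False, f"unknown model {session.model!r}")
    min_fw, eol = entry
    try:
        if eol is not None and today >= eol:
            return Decision(False, f"model {session.model} reached end of life on {eol.isoformat()}")
        if parse_version(session.firmware) < parse_version(min_fw):
            return Decision(False, f"firmware {session.firmware} below minimum {min_fw}")
        if parse_tls(session.tls_version) < MIN_TLS:
            return Decision(False, f"{session.tls_version} below minimum TLSv{MIN_TLS[0]}.{MIN_TLS[1]}")
    except ValueError as exc:
        return Decision(False, f"malformed version data ({exc})")
    return Decision(True, "supported model, firmware and TLS version")


def audit_line(session: DeviceSession, decision: Decision) -> str:
    """One structured log line per decision, so denials are visible to SecOps."""
    verdict = "ALLOW" if decision.allow else "DENY"
    return (f"device_admission verdict={verdict} device_id={session.device_id} "
            f"model={session.model} fw={session.firmware} tls={session.tls_version} "
            f"reason=\"{decision.reason}\"")


if __name__ == "__main__":
    # Constructed sessions covering the supported, EoL, old-firmware, old-TLS and malformed cases.
    samples = [
        DeviceSession("dev-001", "thermo-gen3", "5.7.1", "TLSv1.3"),
        DeviceSession("dev-002", "thermo-gen2", "4.2.0", "TLSv1.2"),
        DeviceSession("dev-003", "thermo-gen3", "5.5.9", "TLSv1.2"),
        DeviceSession("dev-004", "thermo-gen3", "5.7.1", "TLSv1.0"),
        DeviceSession("dev-005", "thermo-gen3", "5.x", "TLSv1.2"),
    ]
    for s in samples:
        print(audit_line(s, admit(s, today=date(2025, 11, 1))))
```

Run as a script it prints one audit line per constructed session; called from a gateway, `admit()` is the single place where the "no updates, no access" rule lives, so adding a model to the table with an EoL date is the whole operational change. The same table is what an operator would publish so owners know, ahead of time, which firmware and date the cut-off applies to.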

          • hitwright@lemmy.world · 1 upvote · 14 hours ago

            The point I was trying to make is that if the device is sold and the consumer is the one with physical access, the device should be treated as compromised. You are correct about minimizing attack surface and blast radius.

            The thermostats being EoL’d before the 20 or so years is more about breaking the trust/expectation of the consumer/client. No one reads the EULA. It’s a deep can of worms.

            You are correct that the device still works, excluding the cloud services, not denying it.

            • entwine413@lemm.ee · 2 upvotes · 1 downvote · edited · 4 hours ago

              I disagree that it breaks the trust. No one buys a computer and expects software updates 20 years later. Of course you can make the case with Linux, but that’s a general purpose OS and requires knowledge beyond that of a typical consumer. A more apt analogy would be to expect Microsoft to still provide updates for Windows 98.

              If you’re going to support legacy hardware indefinitely, or even for decades, you’re going to have to continuously add developers, and developers for legacy code are super expensive. Sure, COBOL still works fine, but you have to pay someone $250k a year to maintain it.

              If the public expects their smart devices to be supported for 20 years, then their expectations need to be broken. Hardware, cyber security, and resource utilization will continue to rapidly evolve, and old equipment literally won’t be able to keep up.

              Hell, most of the smart devices out there have critical vulnerabilities. The ESP32 stack has been found to have hidden commands whose attack vector isn’t fully understood. Literally every smart device on the market should have been EoLd months ago, and I can only imagine what holes tech from 2014 has.

              The people downvoting me to hell just don’t understand how fucking dangerous the Internet is, and how much effort is required to protect an infrastructure. People like me bust our asses to keep shit like this safe, but there’s a limit to what we can reasonably be expected to do. We’re already really fucking overworked.

              Of course, I would prefer that it be codified into law that companies need to allow the ability to manually flash a firmware before marking something EoL. Block it from your servers, but let volunteers maintain the hardware for as long as possible.

              • hitwright@lemmy.world · 1 upvote · 4 hours ago

                I don’t think you should be downvoted, though. Reasonable and correct opinion from a (guessing) security professional.

                The 20 year smart devices argument should be the norm, imho. We have way too much e-waste as it is. Although that would also mean that smart devices should include that in sales calculations.

                The firmware flashing before EoL brings a tear to my eye from the elegance of a solution. Also manufacturers would have to stop with other anti-consumer practices like serialization and scrubbing identity markings, otherwise reversing could be too costly.

                • entwine413@lemm.ee · 2 upvotes · 4 hours ago

                  You guessed correctly. I was a senior SecOps engineer for a federal contractor before DOGE decided that my company increasing government efficiency by 900% was a bad thing.

      • Subtracty@lemmy.world · 6 upvotes · 2 days ago

        We shouldn’t be forced to replace tech this frequently. If you are comfortable shelling out money for the next big thing that is on you. The rest of us want functioning products that last.

        • entwine413@lemm.ee · 2 upvotes · 4 downvotes · 2 days ago

          You’re not being forced to replace anything. The thermostats still operate as thermostats. You just can’t use their cloud service.

        • entwine413@lemm.ee · 2 upvotes · 9 downvotes · edited · 2 days ago

          Devices that connect to the Internet need continuous updates to not become vulnerable to attacks. At some point it’s perfectly reasonable to end-of-life a product, and I think over a decade of supporting a computer is reasonable.

          Also, they aren’t bricking these thermostats. You can still use them locally.

            • entwine413@lemm.ee · 1 upvote · 1 downvote · 14 hours ago

              Building and programming smart devices is my hobby, and cyber security is my career. So I do actually know what I’m talking about.

              Yeah, it sucks when a device reaches EoL, but it can definitely be for legitimate reasons.