Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
sidewndr46 4 days ago

I find the EOL aspect of this discussion out of place. These devices shipped like this. They didn't gain these vulnerabilities due to aging or something like that.

You can have a device that is 100% supported by everyone from the chip vendor, board assembler, and an OEM that is still trivially vulnerable.

Hilift 4 days ago | parent | next [-]

It's probably relevant due to companies usually dump EOL hardware, and some of it gets a new life in a non-business environment. But if it needs a firmware update for a security vulnerability you're out of luck. There is legitimate commercial market for used EOL hardware as parts for people that keep old hardware a bit longer, but that's probably short term until it can be replaced.

bee_rider 4 days ago | parent | next [-]

There really ought to be an “open source your drivers or offer a refund” law for companies that want to EOL devices. It isn’t the 90’s anymore, hardware innovation has really slowed, a chip could be good for decades.

Zigurd 4 days ago | parent | prev | next [-]

I bought a TV on deep discount. The Android TV OS was already trailing-edge and soon went unsupported. Being just a little paranoid, I monitored the network for continued activity after I removed the network configuration from the built-in software, which I replaced with an external device that's fully supported. I doubt many of the other customers for this cheap TV are as vigilant.

sidewndr46 4 days ago | parent | prev [-]

But no one should be buying or using these devices when they are brand new. Why would I care about them when used?

nickpsecurity 4 days ago | parent | prev | next [-]

The differences are vulnerability disclosure, vulnerability class, and patch availability. The device is most-vulnerable between the moment common hackers know how to exploit it and when a patch (or mitigation) for that vulnerability is applied.

Older hardware has had longer for vulnerabilities to be found. Some might not mitigate new classes of vulnerabilities. The EOL hardware will not receive patches for any vulnerabilities. So, they're at higher risk of attack.

From there, the attack will be either malicious input to that machine over the network or a file that embeds an attack. Many problems can be mitigated by running secure software, esp for input validation, on that hardware. One might also use them offline or on trusted networks with software that's hand-chosen for them. (That's what I do.)

swinglock 4 days ago | parent | prev | next [-]

My thought too. They are not insecure because they won't be patched, they are just insecure. Even if patched, what's to say there are not 99 other vulnerabilities lurking, even in their supported products?

sidewndr46 4 days ago | parent [-]

I seem to remember at least one case where a manufacturer attempted to patch an issue like this and managed to actually introduce another one in its place.

yjftsjthsd-h 4 days ago | parent | prev [-]

If it's supported, then as soon as somebody finds a vulnerability (and notifies the vendor) it should get fixed.

sidewndr46 4 days ago | parent | next [-]

Why would I care if I have already been compromised? It's like I was murdered and the prosecutor leaves a "got em!" note on my grave after a conviction. I don't think I'm going to care very much.

kej 4 days ago | parent [-]

It would matter quite a bit to the next person on the murderer's hit list, just like it matters to people whose devices haven't been compromised yet.

tonyhart7 4 days ago | parent | prev [-]

or they sell them to blackmarket as 0 day exploit