• 0 Posts
  • 3 Comments
Joined 2 years ago
Cake day: June 14th, 2023

  • I don’t think you should be downvoted tho. Reasonable and correct opinion from a (guessing) security professional.

    The 20 year smart devices argument should be the norm, imho. We have way too much e-waste as it is. Although that would also mean that smart devices should include that in sales calculations.

    The firmware flashing before EoL brings a tear to my eye from the elegance of a solution. Also manufacturers would have to stop with other anti-consumer practices like serialization and scrubbing identity markings, otherwise reversing could be too costly.



  • Why would you care about an insecure device connecting to your servers if the server is connected to the internet?

    Any packet can be from an attacker and your server has to deal with that regardless if the computer you’ve sold is the one attacking.

    Sounds like security through obscurity. Or some shit manufacturer says to force users to upgrade.

    You might argue it’s there to protect the user from state actors attacking during winter. Which would be fair. But they did not disclose the actual reason why they EoL’d the device as insecure, seems shady.

    Still the correct response should be returning probably half of the money for the device to any user that proves ownership, instead of this entrapment. No one buying a thermostat expects it to work for only 5-11 years.