IoT Security Updates

The cluster centers on the lack of firmware security updates for IoT and embedded devices, with debates on manufacturer responsibilities, vulnerabilities from unpatched devices, and risks of internet connectivity.

📉 Falling 0.5x Security
Comments: 2,864
Years Active: 19
Top Authors: 5
Topic ID: #8562

Activity Over Time

2008: 2
2009: 4
2010: 8
2011: 6
2012: 19
2013: 28
2014: 70
2015: 125
2016: 371
2017: 344
2018: 201
2019: 245
2020: 177
2021: 258
2022: 178
2023: 359
2024: 215
2025: 242
2026: 12

Keywords

MS OP WPA FalseStart EOL TP CI ASUS FUD FCC devices iot security device firmware security updates updates manufacturers internet iot devices

Sample Comments

paulmd Nov 16, 2021

The lack of ongoing support from device manufacturers is really awful. There were some major UPnP vulnerabilities (last year, as well as some previous ones iirc) and a parade of attacks against WPA of various levels and very few devices ever get patched for them - including high-spec devices. Running open-source firmware is basically necessary to have any chance against all these attacks, because manufacturers simply won't do the work. There really really needs to be some regulation on

swiley Aug 15, 2017

These things really shouldn't be internet connected, and the firmware should be controlled by the owner.

tcd Jan 18, 2020

That's a very idealistic but unrealistic perspective. Often times the source code can't or won't be released - it could put further customers at risk if a vulnerability is found and the update servers have gone away. Some devices might not be possible to update due to hardware/software configuration (perhaps certain variables are hard coded?). Whilst what you're saying is right it just doesn't work that way. I'd love for all the Android devices to get years

adrianN Dec 17, 2019

Security updates need to be supplied for anything that can connect to a network. Vulnerabilities are anything that allows remote read or write access to the device without the user's explicit consent. Companies need to open source everything needed for supplying security updates before going bankrupt (perhaps setting up a suitable insurance to make sure there is money for work needed to do so). You can't import products that don't meet these requirements, just like you can't

charcircuit Sep 5, 2023

No. As long as their iot device is still working consumers could care less about security updates.

hot_gril Sep 6, 2023

Just requiring security updates doesn't guarantee much; they have to actually stop the threats. I'd like some opt-in qualification guaranteeing support similar to what autos have. There are recalls for safety issues, refunds for negligence, etc for a reasonable amount of time. Behind the scenes, this requires some kind of fund or insurance to back up the liability, which does have a cost. It's fine if not all products meet this high bar, but it'd be good for highly-committed

ethbro Jun 8, 2016

Frighteningly possible counter-alternative: continue to ship bad software on embedded devices and just toss network connectivity in there in the event the device becomes popular / customers demand an update.

account42 Oct 21, 2024

Well how else would you get security updates for your insecure devices if not by connecting them to the internet. /s

Tepix Nov 26, 2015

I wouldn't call it FUD. Embedded devices tend to get updated less frequently than PCs. Connecting them all to the internet is not helping.

dncornholio Dec 13, 2022

Something so critical shouldn't be built with needing to have security updates. It's a design flaw. Make the device physically secure instead.