EoL devices are a huge liability. We need laws that require vendors to equip smart devices with remote hardkill switches, so they can be permanently disabled by the vendor when they reach EoL. A disabled smart device is better than one that can be weaponized by threat actors.
That is insane. I mostly buy and use “EOL” devices because they’re cheaper and have no issues. Recently bought my son an old Intel Mac Mini and he loves it.
You can easily still secure an EOL device. With the old Mac I just use it with the firewall on, no ports open, and a modern secure browser. There is really no attack surface from the OS which is EOL, and this old device has aged past being worth developing attacks for.
Tell that to the recent Windows bug where, even if you block IPv6 in your device firewall (or was it even turning off the stack?), your device is vulnerable to a specially crafted IPv6 packet.
Much better legislation would be requiring that the firmware/software source be released at EOL, so that users can maintain the hardware they purchased for as long as they like.
Probably we need both. Hardkill all devices, and let determined users resurrect their own devices with the open source firmware if needed. The point is that millions of vulnerable devices won't stay online by default.
Auto-applying security updates is actually a major threat vector. It's often easier to compromise a cloud deployment system/key rather than thousands of edge-deployed devices.
An EOL device that has withstood the test of time, and has had many security patches but is no longer connected, is often one of the most secure devices.