That's really impressive finger pointing.

If the vendor can't even secure their update server; how long do you think it would be until some RCE on these 100k un-patchable routers gets exploited?

The only people to blame for this is the vendor, and they failed on multiple levels here. It's not hard to sign a firmware, or even just fetch checksums from a different site than you serve the files from...

the problem is that these laws just make the problem bigger - instead of having to compromise 100 thousand routers they can just compromise a single update server from a vendor that doesn't care about security.

the fallout is some companies losing their revenue: https://status.neoprotect.net/ and other headaches for people all over the world

But that's already true for most cases and devices. Most people using most devices let auto updates just happen.

And the other option isn't that much better, because "don't do autoupdates because maybe the update server is compromised" leads to a bunch of unsecured devices everywhere.

The only "real" solution is also completely unrealistic: Every private person disables auto updates, then reads the change log, downloads updates manually, and checks them against some checksum.

The better solution would be to simply increase fines until morale improves.

I tried to read this page, but it keeps refreshing itself and resetting the scroll position to the very top. Since I'm on mobile, I can't do anything about this easily and it's worse because it takes longer to figure out where to scroll to to continue.

Or the law makes the problem smaller, by making the routers secure, and makes outcomes just, by penalizing the responsible companies.

ok, let's redo this: instead of routers it's an IoT device. The router protects the IoT device from direct access so it is secure from majority of attack vectors - now an IoT device provider gets their server compromised and hundreds of thousands of IoT devices are now bots in a botnet due to the ability to forcefully push a security update.

I understand the risk, but the existance of risks doesn't mean they outweigh the benefits. Everything has risks.

I don't think it does outweigh the benefits, the real benefits would be punishing or/and banning vendors that do not secure their devices since using laws such as "timely updates" just promotes them to include sloppy (insecure) implementations for pushing said updates just to do bare minimum to comply with the law.

relevant law here: EU Cyber Resilience Act (CRA).

> I don't think it does outweigh the benefits

Fine, but that is the real discussion to have. Not 'it has this risk and therefore is bad'.

> banning vendors that do not secure their devices

I think the goal is to encourage positive behavior, not try to monitor everyone and evaluate their updates.

> promotes them to include sloppy (insecure) implementations for pushing said updates just to do bare minimum to comply with the law

I imagine the law is more than just one clause ?

That's just not true. I'm in Europe and all of my routers allow me to disable unattended updates and most don't enable it by default.

Wait when was this?? Did it fly under the news??

it's one of the (i believe) hundreds (at this point) of zero-days that is used to build this botnet, at this point they are using funds that they get from selling this botnet to purchase new zero days