If you're serious about securing IoT gadgets, may as well start here

wobbly1
Black Helicopters

"This server could run on the wireless access point, or be an online service on the public internet run by the maker of the gadget."

Therein lies the problem. I have been reducing the need for my custom-built IoT systems to communicate with the internet (in the main weather API calls) and replacing them with locally sensed data. Outbound API calls are handled by one server and API responses are evaluated to ensure they conform to the expected response. The problem lies with the unending addiction of device manufacturers to have anything from your printer to the light bulb in the hall communicate with their backend servers. The reason is by and large to collect aggregatable data to sell on. Eliminating that extra income stream from manufacturers would eliminate much of the attack surface. It was this "calling home" that led me to build my own devices. Relying on a manufacturer to continue to secure your long-ago-bought IoT can opener requires trusting in the company to value your security over shareholder value, the latter being protected by law. Got burnt by Synology obsoleting a recently bought NAS. If they do that with thick profit margins on a NAS box, what hope for a sub-£5 IoT device?
