>"All I have to do is buy the company that owns the central server (or compromise it in some other less visible way) and I now have the ability to introduce malicious code to all devices that are receiving 'security updates.' You won't be able to make a rule to prevent asset transfer (correct me if I'm wrong) so you won't be able to close this hole."
Has this actually been a problem in the past? I do not know of any examples of this, do you?
I hate having to create and maintain accounts and subscriptions for so many devices, but I'm not sure it's a huge security problem.
Google's acquisitions of Nest and Dropcam are the two which impacted me personally. Data ended up in the hands of people I didn't want, and features were removed that I found essential. Perhaps others can volunteer their stories; I've largely opted out of IoT because of these experiences and concerns.
Suppose you buy a car from manufacturer A. You lose both keys (perhaps you and your partner each bring one on a canoe trip and capsize) so you have no choice but to ask the dealer to assign new ones. You find that Google now owns the entire brand A including its dealer network, and they only offer rekeying service in conjunction with an update that installs what you consider spyware. Do you opt out of the motor vehicle industry?
There are reports about Saudi stakeholders co-owning a few-billion stake in Twitter with Elon just to be able to install people who exfiltrate data used for tracking and arresting journalists and activists, for example.