Absolutely, I’m an embedded systems programmer and you can certainly make things dumb enough to be invulnerable to most types of attack. The problem is that computing power is so cheap these days and there’s so much pressure to get to market fast that it’s easy to throw in a bunch of garbage you don’t really need and maybe don’t understand or haven’t looked at closely.
With a device like this clock, there’s no need to have it even listen to any incoming traffic, and it only needs to do NTP and maybe DHCP. You can set up some microcontrollers so that they won’t execute code from RAM, and that alone makes them invulnerable to many types of vulnerabilities.
Without the ability to pass executable code to the MCU, an attacker is limited to subverting the device using the code it’s already running. That can still leave things like DoS amplification attacks where the attacker is exploiting what might be the normal behavior of a protocol or service, but the narrower the scope of the device, the easier it is to secure it.
