CB FI 414

Circuit Break Podcast #414

Net Running the Nut Runners with Joe Grand

Related Topics
No David Here, Chris Gammell with Golioth.io

We welcome Chris Gammell, Developer Relations Lead at Golioth, to explore the exciting world of IoT (Internet of Things) and hardware.

A Joe Grand MFG Adventure: What You are Designed to Do

The KINGPIN returns after two years to discuss off-shore versus on-shore manufacturing, Tariffs and Chinese Customs, and Defcon Badge designs.

Brandon Satrom and the LANoT

Parker talks with Brandon Satrom of Particle about the future of IoT and then design and prototype an IoT device.

Other Resources

Circuit Break Podcast
Webinars
Videos
Tour MacroFab's ITAR-Compliant Facility

January 23, 2024, Episode #414

This week Parker and Stephen welcome Joe Grand to the show to discuss insecure IoT devices. Inspired by a recent incident where Bosch wrenches were infected by ransomware called DRILLCRYPT, the guys asked Joe to join them to talk about how attackers could compromise the safety of the wrench and cause safety issues for users. Of course, this kind of breach could impact almost any company and its products, and so many topics were covered, including:

About Our Guest:

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, teacher, advisor, daddy, honorary doctor, and occasional video maker. He has been creating, exploring, and manipulating electronic systems since the 1980s. This is his third appearance on our show and first since 2019!

Joe Grand

Joe Grand

About the Hosts

Parker Dillmann
  Parker Dillmann

Parker is an Electrical Engineer with backgrounds in Embedded System Design and Digital Signal Processing. He got his start in 2005 by hacking Nintendo consoles into portable gaming units. The following year he designed and produced an Atari 2600 video mod to allow the Atari to display a crisp, RF fuzz free picture on newer TVs. Over a thousand Atari video mods where produced by Parker from 2006 to 2011 and the mod is still made by other enthusiasts in the Atari community.

In 2006, Parker enrolled at The University of Texas at Austin as a Petroleum Engineer. After realizing electronics was his passion he switched majors in 2007 to Electrical and Computer Engineering. Following his previous background in making the Atari 2600 video mod, Parker decided to take more board layout classes and circuit design classes. Other areas of study include robotics, microcontroller theory and design, FPGA development with VHDL and Verilog, and image and signal processing with DSPs. In 2010, Parker won a Ti sponsored Launchpad programming and design contest that was held by the IEEE CS chapter at the University. Parker graduated with a BS in Electrical and Computer Engineering in the Spring of 2012.

In the Summer of 2012, Parker was hired on as an Electrical Engineer at Dynamic Perception to design and prototype new electronic products. Here, Parker learned about full product development cycles and honed his board layout skills. Seeing the difficulties in managing operations and FCC/CE compliance testing, Parker thought there had to be a better way for small electronic companies to get their product out in customer's hands.

Parker also runs the blog, longhornengineer.com, where he posts his personal projects, technical guides, and appnotes about board layout design and components.

Stephen Kraig
  Stephen Kraig

Stephen Kraig is a component engineer working in the aerospace industry. He has applied his electrical engineering knowledge in a variety of contexts previously, including oil and gas, contract manufacturing, audio electronic repair, and synthesizer design. A graduate of Texas A&M, Stephen has lived his adult life in the Houston, TX, and Denver, CO, areas.

Stephen has never said no to a project. From building guitar amps (starting when he was 17) to designing and building his own CNC table to fine-tuning the mineral composition of the water he uses to brew beer, he thrives on testing, experimentation, and problem-solving. Tune into the podcast to learn more about the wacky stuff Stephen gets up to.

Transcript

Parker Dillmann
We have an update from Macrofab. Misha and Brendan of Macrofab are doing a webinar on January 30th at 12 PM CST. The topic is enhancing operational safety through cyber resilient approaches for physically secure PCB designs. Participants will learn about the typical vulnerabilities and electronic hardware and discover advanced design and production strategies, prioritizing security, including material and layout considerations. There is also a local event happening at Macrofab HQ.

Parker Dillmann
Become a part of the Bright Minds Brighter Future event on February 1st from 11 AM to 4:30 PM CST. Join us for a day of innovation and networking. Step into our state of the art factory where the future of electronics manufacturing is being shaped. Please pause the episode and head on over to macfab.com/events and register right now before you forget. There is also a link in our show notes if you want to go there as well.

Parker Dillmann
We will be right back here waiting for you, our listener, when you return. Welcome to circuit break from MacroFab, a weekly show about all things engineering, DIY projects, manufacturing, industry news, and insecure IoT devices. We're your hosts, electrical engineers, Parker Dillmann.

Stephen Kraig
And Steven Kraig.

Parker Dillmann
This is episode 414. Circuit break from Macrofab. This week, we have a guest, Joe Grand.

Stephen Kraig
Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, teacher, advisor, daddy, honorary honorary doctor, and occasional video maker.

Parker Dillmann
He has been creating, exploring, and manipulating electronic systems since 19 eighties.

Stephen Kraig
This is his 3rd appearance on our show and first since 2019. So welcome back, Joe.

Joe Grand
Thank you. Wow. You guys did that so so well. Thank you. Nice to be back.

Parker Dillmann
I'd hope so after 414 up well, how many what episode was were you last on, Joe? It's been

Stephen Kraig
I think the last one was the Defcon badge with the little, with the gemstones. Right?

Parker Dillmann
Yeah. It

Joe Grand
was the gemstones. That was Defcon 27. I feel like the first one was around the seventies. Yeah. You're right.

Joe Grand
Episode seventies and then 100 Yeah.

Parker Dillmann
First episode was in 2017, episode 73, and that was your origin story.

Joe Grand
Right.

Parker Dillmann
And then, yeah, then we talked about manufacturing adventure of the of the watch, the NFC no. No. Let me see. The, Near Field watch.

Joe Grand
Yeah. The NFMI. Yeah. Which was the DEFCON badge. The DEFCON 27 badge was was Near Field magnetic induction with the quartz crystal element on it and everything.

Joe Grand
Right. So we talked about that. What episode was that?

Parker Dillmann
185. Wow. It's amazing. Well, good job.

Joe Grand
Thanks for having me back.

Stephen Kraig
Well, thanks for coming back.

Parker Dillmann
Yeah. And, so I actually have a question. What what are you an honorary doctor of?

Joe Grand
I think you're the first person that's ever asked me that. My wife always rolls her eyes because sometimes, you know, people are like, hello, mister Grand. And I'm like, actually, it's doctor Grand. I don't don't actually do that very often, but in certain places, you know, where they're very, like, uppity or they they require or or enjoy people with larger titles. I'll call myself doctor.

Parker Dillmann
You could pull it out. Yeah.

Joe Grand
Let me actually look. So I have it on my wall. So let me give you the actual accurate name. Okay. So it's an honorary degree of doctor of science in technology from the University of Advancing Technology, which is sort of a technology video game security university in Arizona who's done a bunch of stuff with DEFCON and BlackHat over the years.

Joe Grand
So So I got involved with them ages ago now, probably 15 years ago, if not more. Was, like, an online professor for a couple classes. A lot of their students ended up going to DEF CON and doing stuff at DEF CON, running the hardware hacking village. Like, people we all know, a lot of them came from that community. And, at some point, I think it was 2,000, yeah, 2010, one of the main people there reached out, and they're like, we wanna give you an honorary degree.

Joe Grand
And I was like, Wow, that's so cool. And it was awesome. So, I got to do the commencement speech and go there, and it was definitely a surprise, but super cool. And, when I first told my dad about it, I was like, the school wants to give me an honorary degree. He's like, you know, there's a lot of scams out there of schools trying to sell you degrees.

Joe Grand
So no. It's not a scam. It's real. But, yeah, super super cool. And and, no, I don't really call myself doctor that often.

Joe Grand
Only when needed. If you

Parker Dillmann
were at, like, a fancy restaurant, I and they asked said mister Grand, I'd be like doctor Grand.

Joe Grand
Well, certain airlines too take titles very seriously. So I've actually gotten upgraded on airlines just by correcting them and saying that I'm a doctor.

Stephen Kraig
It's like, yes.

Joe Grand
I'm a doctor. I'm just not the kind that helps somebody. I don't know. Don't look, don't

Parker Dillmann
look, this person's having a heart attack. You're like, is it a pacemaker?

Joe Grand
Right. Yeah. Is it electronics? Like, can I hack it? Yeah.

Parker Dillmann
Oh, cool. So the reason why we're having you on here, Joe, is there's been a big news story that came out last couple of weeks about drill crypts. And drillcrypt is like, if you try to Google drillcrypt, not a lot of stuff comes up. I think it's just coined online.

Joe Grand
Every vulnerability now has to have a name. Right? So it's easy to search for and and and get your logo. You can make your stickers and t shirts and website and everything. So, yeah, that's not a bad sounding name.

Parker Dillmann
Yeah. But it's a vulnerability or exploits of these Bosch torque wrenches, basically. They actually call them nutrunners, which I thought was really funny because hackers are also known as netrunners. So, yeah, we got our our title there. Netrunning, then

Joe Grand
the Net Runners. Clever. Who did you come up with that, or was that something on the Internet?

Parker Dillmann
No. I came up yeah. I actually came up

Joe Grand
with that. Really good. Yeah. Oh, that's wow. You should be in marketing.

Stephen Kraig
Actually, aren't you, Parker?

Joe Grand
Yes.

Parker Dillmann
Yeah. I was talking with Joe before the podcast, and I've moved over to marketing full time at Macrofab.

Stephen Kraig
So Now you can just start

Parker Dillmann
naming everything. These, these are like pneumatic smart wrenches where you can, like, set the torque, and they can figure out what position they're in and that kind of stuff. Well, apparently, they were just completely unsecure IoT devices as well, and you can just unauthorized change the torque settings. You can change, basically, all the settings just on the fly. Or you can also just, like, ransomware it, which is what JoelCrypt does and make the operators pay in Bitcoin to unlock that.

Joe Grand
I mean, that's it's funny. Like, that's really where things are heading. And, you know, a problem like this, none of this is really new, right? It's just everybody kind of is making these same mistakes of network connected devices and this and that. And, like, the end result ends up being the same of something getting hacked.

Joe Grand
A lot of times it's the same sort of problems, but the use of ransomware in this case is sort of interesting of, like, ransomwareing an actual embedded system or, like, a product and not a computer really is genius if you think about it. Right? If somebody's gonna ransomware these things and these devices are used on a manufacturing line or in a facility where time is money, and if the line goes down, your cuss you know, the customers of that facility have problems. Right? And that facility has problems.

Joe Grand
So it's just another way of kinda holding people to the fire. You know, do I condone it? Like, I mean, no. But it's, it does prove a point, right, of, like, security needs to be taken seriously and and vendors, a company as big as Bosch or any other large company really has no excuse to not design things securely or to make better attempts of security. Everybody's gonna make mistakes and you're always going to have some way that somebody could hack a system, but it just seems like so many things are what what we used to call at the loft, low hanging fruit.

Joe Grand
So, you know, very easy sorts of attacks that don't require jumping through a lot of hoops. Like, we just saw with the iPhone recently, I don't remember, just a couple weeks ago, this ridiculous exploit chain of, like, using 4 zero day vulnerabilities and all these other things to do something like zero click attacks on phones, on iPhones, which was like state sponsored level, ridiculously complicated attacks. You don't need to do that on most devices, especially IoT devices. So good security can be done well enough to make it so difficult to attack. It's probably not worth it.

Joe Grand
But the fact that if somebody's gonna run ransomware on these devices or prove that they can run ransomware on the devices just shows that the IoT industry, if you will, and engineers still have a long way to go to sort of raise that level or raise that bar, if we're gonna use another cliche, just to make devices better. But it's like, this is this is the same type of crap we've been seeing for, I don't know, since episode 73 or, like, the first time we talked or since I got into this stuff. Like, there will always be problems. They seem to maybe just get hyped up more. But the more connected devices we have, the more technology we have For every one company or one engineer that has leveled up with security or vendors have leveled up with different ships offering security, you have so many other groups where security either hasn't been considered or it's been implemented wrong or whatever it is, and something like this happens.

Parker Dillmann
Yeah. When you look at the exploits, especially on these wrenches, a lot of them are just like their hard coded credentials. So it's like

Joe Grand
Yeah.

Parker Dillmann
It's not really an export in terms of they went to the probably the PDF or the wrench and then looked up what the passwords were.

Stephen Kraig
Admin password. Right?

Joe Grand
Yeah. Right. The maintenance manual or if it's hard coded, you just grab the firmware off or get the code or get the contents out of whatever memory is there and and look for it. Like, we've seen companies leave private keys in firmware update packages and all sorts of stuff. So, you know, if you're on the attack side, it's great because you can learn a lot of really interesting attacks.

Joe Grand
Even if you're on the design side, you should be paying attention to these types of attacks and say, okay. Let's design our systems and not make that same mistake. The problem is it's really hard to remember history, and this is why we're seeing over and over and over again the same sorts of stuff. Even with, like, the CVE, common common vulnerability database, and, like, all of these things to try to track different types of vulnerabilities, it's really hard to to learn from history because there isn't really a great database of every historical hardware attack and problem and IoT problem and embedded system problem and everything. So if you're not paying attention every day, it's easy to to miss something and easy to miss some new attack that might make your device vulnerable.

Joe Grand
And as an engineer, and I'm sure you guys know this too, like, engineering products is hard, and it's hard enough without having to worry about getting hacked when you're dealing with, you know, part shortages and getting systems to work and manufacturing issues and shipping and customer support, all of the supply chain, all the logistics, everything, getting the product, you know, built on time and under budget is really, really hard. And then when you throw security into it, it's a whole other story.

Stephen Kraig
Well and given what you just said, a lot of times security takes the back seat compared to all of those things. I've got a manufacturing issue that I gotta take care of. That's number 1. Like, security I'm not saying this personally, but but but but security could easily take a backseat too. Oh, I gotta fix this manufacturing issue that's right in front

Joe Grand
of me. Oh, for sure. Or it's like we know we need, you know, some programming interface or some way to make it easy for manufacturers to load code in. Yeah. You could do code signing and have some secure boot, but then you have to deal with key management and all these other things that come along with it that you have to work with your factory, and it's all secondary to getting the thing working and getting your yield up and getting your products out there to your customers and making your investors happy and all of these things.

Joe Grand
So it's a reason where or a reason why I don't really teach people how to design things securely or even I sometimes I'll make recommendations, but it's so, so hard to get proper security into a design, and it's way easier, not necessarily always easy, but way easier to break a product because from the hacker side, we're basically looking for that one problem or a couple, you know, in this case of, drillcrypt. You know, they use a couple of vulnerabilities or whatever, but hackers really only need to find the mistakes or the problems where engineers and designers have to kind of anticipate not only current state of the art of why people might attack their devices and what they're gonna attack on the device, but then potentially future attacks as well. And they're also kind of reliant on the chip vendors. And in the case of Drillcrypt, they were using the, you know, some embedded Wi Fi module. So now you're integrating somebody else's Wi Fi module product into your own product.

Joe Grand
So now you've inherited all the vulnerabilities that come along with that that may or may not have been discovered yet either. So it's really a tricky problem. And for me, the enjoyment of being on the hacker side is getting to think a lot about lots of different products and lots of different approaches and break things in different ways. But there is something very satisfying too in designing a product, especially if you've taken into account the security aspects. It's just significantly harder.

Joe Grand
So, thumbs up to, you know, anybody working in that space for sure.

Parker Dillmann
Yeah. It's interesting what you said where where the hackers are looking for mistakes, whereas on the engineering side, it's not even considered a mistake. It's a it's a maybe maybe you even call an oversight or they or it was just not in your design documents.

Joe Grand
Right? That's right. And if you have, like, if you have a backdoor in there or hard coded credentials, like, maybe there was a business reason or during development, somebody needed those credentials in there to make development easier or manufacturing or they have a UR interface or a debug interface or whatever it is to make engineering's job easier, to make manufacturing's job easier. And that's the trade off of, like, maybe they thought about it, maybe they didn't, but the things that are useful for the designers can also be useful for the attackers. And I personally have sat in on meetings where there is that battle between engineering and security, and the engineers are like, well, we need these features.

Joe Grand
And security is is like, well, that's gonna put you at risk. And then there's the business decision of, like, weighing the the risk of getting hacked versus the need for these certain features. You know, security versus convenience, and a lot of times, convenience wins out. Maybe over time, security will start to become more integrated, but it's still again, it's still really difficult, and you could spend a lot of time designing some secure mechanism in a system. It gets hacked, and now your executives are like, well, you just spent all this time and money on a security system that didn't work.

Joe Grand
It would be better if we just don't even bother and then deal with the fallout like in this case. I haven't seen Bosch's response other than, you know, we take security seriously, which is kind of like the common thing everybody says. So it's it's hard to know what's actually happening internally in the organization when something like this happens.

Parker Dillmann
Yeah. Yeah. Convenience, at least for product development, always runs the fastest, Right? A

Joe Grand
lot of us are using password managers now, which is the ultimate convenience. Right? A lot of us are using password managers now, which is the ultimate convenience. And that sort of changes the risk or the threat model a little bit, But convenience is always there of, like, let's choose a simple password so we can get into our accounts. That just flows through.

Joe Grand
It's human nature. Right? And that flows through to everything that we're designing. If designing systems was difficult, people will always find a way to sort of circumvent the difficulty to make their job easier and get the thing out the door, and that's gonna potentially leave things vulnerable.

Parker Dillmann
You know, it might be there's still a promise, but we've made a lot of strides in, like, software development in terms of security, especially recently. I wonder if it's because security on hardware devices and IoT devices is just inherently more difficult, which is why it doesn't get doesn't happen as

Joe Grand
often. Yeah. I mean, I feel like yes and no. So, like, the software space, you know, back when I was at the loft in the starting in the early nineties, basically, for, like, the first 10 years of being involved in that hacker group, we were trying to show software vendors, mostly Microsoft and, you know, bigger software companies of, like, look. We found a vulnerability in your software.

Joe Grand
This is what somebody could do if they were malicious, and we'd show them some exploit code, and they'd be like, oh, well, that's probably not a problem. And we'll be like, okay. Well, we're gonna release this work so other people can learn from it and protect themselves, and then they go, oh, we better fix the problem. So in the security world now, I mean, in the software world now, we have, you know, security teams, we have patches every week, Software updates all the time. Applications on phones, on desktops constantly being updated, whether it's, you know, for security features or other things.

Joe Grand
It's very easy, and it's kind of part of our psyche now of, like, oh, we gotta do an update. So it sort of become this inherent part of of software of, like, okay. Something might be vulnerable, but it gets patched. Sometimes even when you update your phone, you know, the the change log doesn't say specifically what it's fixing. It just says security fixes, which is great, right?

Joe Grand
Because we don't have to think about that as end users. Hardware has always been different even though, yes, sometimes we have firmware running on the hardware, which we could do firmware updates and and fix things. Sometimes firmware attacks require hardware attacks require physical access. So people go, oh, we don't have to worry about security. It's only if somebody gets physical access, which is a problem because you can get physical access to pretty much everything unless it's, you know, something that's being guarded by people with giant weapons.

Joe Grand
Or even there, you might be able to get physical access through an insider threat or something. So there's kind of these excuses around hardware. And the hardware industry, I'll say, just isn't as well versed as the software industry is. And it might take many more years of this sort of I wouldn't call it public shaming, but it's sort of this public awareness of, like, look, we found a vulnerability in your hardware product, just like we were doing back in the day. You have to navigate that stuff very carefully because hardware sometimes can't be patched.

Joe Grand
If it's, for example, like some of the some of the work I did on the STM 32 that's the Trezor hardware where you can, you know, do fault injection against the chip, and that can only be fixed by respinning the silicon, potentially only be fixed by re respinning the silicon. And vendors might not wanna spend 1,000,000 and 1,000,000 and 1,000,000 of dollars to do that. So with hardware products, it's harder. And having devices, if you have 10,000 devices, a 100,000 devices in the field, not everybody's gonna do the updates on those. So I think it's just going to take more time before hardware devices and IoT products and all of these kind of resource constrained computing devices get to that same level of update capability as software, which doesn't necessarily get rid of all of the threats, but the more we can get rid of, the better, Right?

Joe Grand
And the faster we can upgrade that stuff, the better. If you look at so much like home network consumer device, things that are running old versions of Linux and all of this stuff that hasn't been patched, like there's no patch or update mechanism or anything, we're gonna keep seeing that unless there's just some way to make it more, you know, part of the design itself to do these updates, which may or may not be possible. But, yeah, most hardware companies are like, you know, if you tell them they have a problem with something, like, they tend to not be as appreciative as software companies. And you do have some companies like HackerOne that help you with these sort of bug bounties or helping you work with companies that maybe don't have a policy in place to deal with security vulnerabilities, but it's hard. And big companies can sue you into oblivion, you know, gag order you.

Joe Grand
You have all these things as a researcher, these sort of concerns of, like, do I wanna go public with this? Like, do I wanna tell the vendor, or am I gonna get sued? And that's a conscious effort even with software. Like, there's a a video, that we just filmed recently that's coming out probably in end of February ish about a new attack that we worked on for a project. And that company did fix the problem in a later version, but we're still sort of like, do we wanna tell them in advance just to let them know this video is coming out?

Joe Grand
And it's like, well, they look like nice people, but what if their lawyer, like, tries to prevent us from releasing the video? So we're we're making the conscious choice of, like, we're gonna release the video first because they've already fixed the problem, and then at least the information's out there. People who are susceptible to this problem can fix it. Then if we get sued later, that's okay. But that's a, you know, that's a choice you kinda have to deal with.

Joe Grand
Back in the day when I'd hacked the the parking meter in San Francisco, I think that was 2,000 9 or something like that. So a smart card based parking meter, stored value. That was a similar situation where myself and the guys involved in doing that research, we made a conscious effort or conscious decision to give the talk at Black Hat and DEF CON first before notifying the parking meter company and before notifying the city of San Francisco about the problem. Because a year earlier, some students had done some research and found some vulnerabilities in the Boston Public Transit System, the t, and went to the MBTA, the company that runs the transit system, showed them all of their research, and they were like, that's great. This is great information.

Joe Grand
Thanks for thanks for helping us and, you know, making us more secure. And the next day, the FBI shows up at these kids' dorm room and arrest them. So it's like even if you're trying to do the right thing and come out with an advisory or some vulnerability or release information to let people, you know, be aware of the vulnerabilities and products they're using, you can still get sued for it. So at the parking meter, we're like, well, we don't want that to happen to us because those kids got sued. They couldn't release their research except sort of a side product of of things going to court as everything became public even more than just the information they were gonna end up releasing.

Joe Grand
But nobody wants to go through that process. So we figured, well, let's just give the talk. And then if we get sued, you know, whatever. It'll happen afterwards. It's good press.

Joe Grand
A friend of mine, Jason Scott, who runs, he works at the Internet Archive and runs textfiles.com, was like, If you're not being sued, you're not working hard enough. And I was like, oh, that's kind of interesting. But anyway, yeah, it puts a lot of it puts pressure on people to release information or engage with companies for fear of getting sued. And maybe the approach is like drill grip and like some of these other bugs. You know, I was joking about, oh, you name everything and you give it a logo.

Joe Grand
That's what that's what happens. Maybe the the side effect of doing that and going to the press every time you find a problem is the work is out there, so there's maybe more pressure to not sue the the, the messenger.

Parker Dillmann
Yeah. The whistleblower.

Joe Grand
Yeah. Yeah. But it's an interesting world for sure. And, you know, the older I get, then, like, the more responsibility I have. Like, when I was younger, I was like, I don't care, we get sued, go to court, whatever.

Joe Grand
And now it's like, well, I have kids. Like, I don't wanna spend all my time in court or jail or whatever it is. So companies can get pretty nasty. And I think that it would just be nice if more companies and I think it will happen eventually. Like, you know, security is talked about much, much more.

Joe Grand
But when you're giving when you're making these articles about, like, this thing can be hacked and this can be hacked and and maybe without showing sort of recommendations, maybe these researchers did show some recommendations too. But basically just calling somebody's baby ugly without having some sort of solution is a problem. Right? And then you're going head to head instead of sort of working together. So I just hope that over time, you know, hardware manufacturers and hardware engineers take security more seriously.

Joe Grand
It's okay if they have problems. What's the most important is if somebody finds a vulnerability or offers you some insight into the product, don't hold them to the fire, but be gracious about it. Be like, oh, that's an interesting I didn't know about this. Right? So Bosch can look at this and say, well, you know, now it's in the public, so they have to do something, but they could really use it as a learning example.

Joe Grand
And I don't I can't imagine them going after the company. If it was a smaller company maybe or if they didn't get press, maybe they'd get you know, have some sort of legal action. But, really, it's the it's it would be nice if this continues of vendors being appreciative of work that's happening and using that to make the products better instead of having researchers be sort of scared about releasing this stuff. Because the problems exist anyway, just the researchers are sort of doing what they feel and what I feel is an ethically correct thing to do of letting vendors know and letting people know about these problems, the problems are gonna exist whether we talk about them or not.

Parker Dillmann
Yeah. It's interesting. A couple of weeks ago, we were talking about components, like microcontrollers that will have tons of errata, additional PDFs of information of stuff that's bad, basically bad about the device. Like, it doesn't work in this edge case. And we were commenting on there's not a really easy way to go find that information.

Parker Dillmann
You kinda have to dig because, you know, manufacturers don't want to they don't wanna call their own baby ugly

Joe Grand
Right.

Parker Dillmann
To use your words. Yeah. So a a way a way where you could go look up if you're an engineer. Okay? So like what you're saying is, okay, these products, let's say that STM chip you're talking about

Joe Grand
Yeah.

Parker Dillmann
Is out in the wild. Well, if most engineers won't even know to go look and see if that chip has a specific vulnerability. But maybe if there was a database where you could go look up a part and be like, oh, these these is all your errata for this component, and this is some security exploits that have been found against that that component. It would be amazing. That would probably go a long way.

Joe Grand
It would be amazing. Right? I mean, sort of like I don't know if I if I'm allowed to plug other things here, but it's like, you know, using OctoPark to see, like, what distributors have stock. It would be great to be like, what component, you know, has problems based on known public vulnerabilities? You know, a lot of times, vendors are gonna or engineers are gonna read the data sheets, and the chip says, we have code protection.

Joe Grand
You're fine. No one's gonna steal your firmware. It's gonna lock the debug interface. It has cryptographic hardware support. It has secure memory, like, all of these things that on paper read great, but the implementation of those might not be correct, leading to all of these errata, basically bugs in the silicon.

Joe Grand
And I think a lot of a lot of engineers aren't even aware that they might be building in a product that has known vulnerabilities already. Exactly. Right? And, like, that's something where you can't blame the engineers. It would be great if there was some resource of of looking that stuff up.

Joe Grand
Maybe Macrofab should do it. It's more work for you. But, yeah, I mean, that would be say. I'm like, it's a lot of work. For those, I know people can't see faces, but that was that was a classic.

Joe Grand
A classic like, no. Sounds like a lot of work.

Stephen Kraig
I feel like, Macrofab is fantastic, but, perhaps there's a different set of, specialties that need to be involved in something like that.

Parker Dillmann
You you know, it's it's something about that though is I I this is slightly a tangent, I guess, because it's a different topic, but also including the country of origin. Mhmm. Because a lot of times when you go to, like, a distributor like Mauser or Digi Key, they don't tell you where the the thing is manufactured at. It's printed on the real components because it has to be, but Right. Mauser or Digi Key don't won't tell you that until it gets to you.

Parker Dillmann
I think there's, like, I think Arrow, I think is the only distributor I've seen that actually will say country of origin is wherever, like, before you even buy it. Yeah. Because I think They

Joe Grand
know for sure. It's also on the backside of the chip packages too usually.

Parker Dillmann
Yeah. Yeah.

Joe Grand
Maybe not for for for chip scales, you know, for small stuff, but usually it's on the back of the plastic injection molded stuff.

Parker Dillmann
So I wonder if, combining that might be an idea is try to combine all that. And if if you did it as a crowdsourcing where people can submit stuff so you don't have to do it all yourself, someone that's not Parker, go build that.

Joe Grand
What's funny though, is if it's too Wikipedia style where anybody can do it, then you're gonna have vendors taking their stuff off.

Parker Dillmann
Yeah. Take

Joe Grand
prevent them from being found. Right? So it has to be some vendor neutral body that's sort of controlling these things. I don't know, maybe that's a future project or something, but it would be really helpful to people that don't wanna pay attention to security all day, right? It's like when you're spec ing parts for something, that would definitely be nice to know.

Joe Grand
You throw your whole your whole bomb into into the website, and it's like, this has known things, this has known things. And then the engineer can make a decision of, like, alright. Is that a risk to me? Yes or no?

Parker Dillmann
And on that, this is another layer of the that component onion is supply chain security too. Because there's there's a couple groups out there that compile all that data, but you have to go dig for it yourself. It'll be nice if you, like, just type in the part number and go, oh, this part had issues with supply chain on this date and this lot, And, you know, this this manufacturer found, let's say, like, counterfeit parts

Joe Grand
Yeah.

Parker Dillmann
Of that component. Right.

Joe Grand
Yeah. I mean, that's right.

Parker Dillmann
It's just it's all it go it all goes down to what you would just brought up, though, as risk management and risk assessment.

Joe Grand
And Yeah. But we haven't even talked about that. That side of the supply chain is terrifying. Right? It's like even if your even if your design is properly secure, you're still sourcing parts.

Joe Grand
And you have the counterfeit problems, and you have the the gray market problems, and you have all of these hands touching all these products at all these different points, then it's really hard to track some of that stuff. And, yeah, I mean, just counterfeits on their own. Right? Not even talking about, like, Trojan horse hardware modification inside of silicon, but just counterfeit parts get into supply chains. And, you know, of course, FTDI Gate comes to mind because that was just an epic journey back.

Joe Grand
I think it was, what, 2006 or 2,008 when FTDI Yeah. I was on that. FT232 was counterfeit, and they blasted all of the the known counterfeits with, like, a, software update that would Yeah. That would kind of brick them all or set the VID and PID all to zeros, which I thought was just a a bold move. Like, I know a lot of people got really mad at FTDI for doing that, but what it did unintentionally is proved that counterfeit parts were getting into legitimate supply chains Mhmm.

Joe Grand
Because a lot of people didn't know they were using counterfeit parts. Like, yes, a lot of people were buying stuff on AliExpress and all these places that had questionable origin, but a lot of people that got burned by that FTDI update were buying it through legitimate distributors. So that proves that even if you are going and following the right pathway for your supply chain, you could still get burned. And that's, like, a really scary thing when you're when you're responsible for a product being manufactured and for the the lifespan of it and the the behavior of it and everything.

Parker Dillmann
What comes to mind is how Amazon warehouses work. And so when you buy something on Amazon, and usually, there's will be multiple people who have or multiple companies that have supplied that product to Amazon, and they just throw all those products into one big bin because it's Yeah. Off the same skew. Right.

Joe Grand
Well So why do you ship it by Amazon?

Parker Dillmann
Yeah. But at that point, you just completely wiped away the entire, like, life cycle, I guess, you can say.

Joe Grand
The provenance.

Parker Dillmann
Yeah. Of that product. Because you have at that point, you have no idea where it came from. It just went into a bucket.

Joe Grand
Right. Well, I think for you know, I'm thinking I don't really know, but I'm guessing because they do such huge volumes, they'll just ship something out. If a customer doesn't like it, they return it. It gets thrown into a big pile, and they just get another one. So from Amazon's perspective, as just the distributor, if you will, the, you know, the losses that they take on mixing questionable items with good items, like, they probably don't even care.

Joe Grand
It's such a minimal thing. Yeah. But for most people that are running companies with slightly smaller volumes than Amazon, like, making hardware products, you don't really have that luxury. Right? And if you end up unknowingly designing in a part that's counterfeit or that's that that doesn't meet spec that you're expecting to, and now all of your products are going bad or some portion of your products are not functioning properly, like, that's the scariest thing as an engineer to have to deal with and to try to figure out if you can even repeat the problem.

Joe Grand
And that's where sort of then you have your customer confidence problems, your customer support problems, people are like, oh, that product sucks. It's really hard to deal with where Amazon is like, well, whatever we'll just, you know,

Parker Dillmann
ship the person another one. Another counterfeit.

Joe Grand
And people know, Amazon knows people are gonna keep going back to Amazon anyway.

Parker Dillmann
So Joe wrote down some examples here, like product examples that I guess hit you at in your heart, Joe? Yeah. I mean,

Joe Grand
it's funny because, I mean, you can search for IoT hack or whatever, and there's a 1,000,000,000 things. Or you can go use the Shodan, you know, search engine to find IoT connected things. But these particular examples just kinda made my eyes roll, and, you know, we can sort of talk about, like, the Ford firmware update. Right? There was that image that was being passed around recently of a car doing a firmware update, and the firmware update crashed, and it was like firmware update, incomplete, bring your car to a dealer.

Joe Grand
And it's like, who wants to see that if they're trying to get to work or pick up their kids or whatever? And it's just such a shitty implementation. Like, that should never happen in an automobile. It should never happen in any product where you buy it. No nowhere is there a good reason that it says you cannot be used because of a problem.

Joe Grand
Right? Like, why is there not some backup version of firmware? Why is there not some subset? Why is there not a bootloader that can that can bring you back up? Like, it doesn't make any sense, and it's those sorts of examples is crazy.

Joe Grand
And, also, related to that one, I think you have it here too of, like, Ford had filed a patent application. It happens to be Ford. I'm not just picking on Ford. It's every car company, but in this case, it happens to be Ford. Patent application for self driving cars that will drive back to some, location if you miss your car payments.

Parker Dillmann
Well, they're just putting repo people out of jobs.

Joe Grand
Yeah. Well, that but it's horrible. I mean, it's like, do these companies have have any empathy for their actual customers? Right? Like, usually, people who aren't making their car payments are in serious dire straits.

Joe Grand
Right? They have some challenges. Most people are not missing car payments on purpose.

Parker Dillmann
And usually, they rely on their car to get money, basically, or

Joe Grand
or Exactly. Right. If you have to take a bus or 2 buses or 3 buses to get to your job instead of being able to drive. Like, you might not be able to get to your job, or there might not be a public transportation route, so you rely on your car. It's just pure evil.

Joe Grand
Like, it doesn't make any sense to me to do that yet. Companies are starting to patent things like that. And then the news article I read about it was like, well, Ford also suggested, like, maybe it's not you know, drive it back to the repo, man. It's, disable the air conditioning or have the audio system play unpleasant sounds. Like, you're basically trolling your customer and blaming them.

Joe Grand
Like, it's just so not human. It just seems so wrong. And the fact that engineers would design this stuff and think it's a good idea is infuriating to me. And I, you know, I would love to sit in on some of those meetings, and it would be great. It would be hilarious to brainstorm all this stuff.

Joe Grand
Right? Like Mark Rober making his package delivery system to, you know, spray somebody with fart spray. Like, that's hilarious. But somebody that's a customer of your product and driving, like, it's a different thing. So it'd be amazing to you know, you can brain storm all sorts of really funny things you could do to somebody, but is it ethically correct, or is it caring for your customer?

Joe Grand
No. It's ridiculous. So I don't know the reasoning.

Parker Dillmann
I'm just trying to imagine how much engineering effort that would take where you could be spent doing more creative and better things to the car.

Joe Grand
Or if the engineers are like, I don't I I don't really wanna do this, but I'm gonna do it anyway. Right? But, yeah, I mean, it just seems it's just mind boggling of the of these things where you could, yeah, maybe maybe do something a little more useful with with the engineering effort. But it's all the IoT stuff. Like, I I've said this for years.

Joe Grand
Like, I'm I'm kind of a technology curmudgeon, and the older I get, the more of a curmudgeon I become. I think there are certain reasons for things to be network connected sometimes or maybe to have some smart capability to it, and we're gonna see that more and more with with, you know, AI machine learning stuff and blah blah blah. But not everything needs to be smart. And I feel like things have like, products have existed for a long time without being smart, like a toilet. I, you know

Parker Dillmann
I this is good.

Joe Grand
I just don't understand, like, this Kohler Connect app that let you know, it says, the new me 2.0 smart toilet marks a new standard of excellence in the bathroom. It's your bathroom. It's a toilet. Like, what are you gonna do with your thing? Maybe, you know, if it's one of the you know, a fancy toilet that has the the spray and you can adjust the temperature and the water and this and that, You can use buttons for that.

Joe Grand
Somebody's gonna hack it, obviously, but it's sort of like tech putting technology in things for technology's sake has just never sat well with me. Using technology where there's a purpose to actually help, not just because it's a trend or a fad or it needs an app or it needs to be IoT. As an engineer and as a consumer and as a hacker, it is really infuriating. Especially as somebody who teaches people how to hack this stuff, it shouldn't be this easy, and it just shouldn't be this ridiculous. So I would say, like, if people are gonna hack the toilet, they should.

Joe Grand
Right? Because that's gonna show Kohler, okay. You know, why is this being done? You could probably do some pretty funny stuff, but it's just, I don't know, it's ridiculous. And this this is new stuff.

Joe Grand
Right? Some this has been going on, I would say, like the Mire botnet from 2016 with all of the, you know, Internet connected cameras, basically using default passwords and password reuse to get access to these things. LG had a robot that was like a a surveillance robot. I don't even know if it would vacuum also, but it would, like, go around your house, and it would, like, send live video. Like, all this stuff, I don't know why anybody would actually want that in their house.

Joe Grand
But that got hacked, and people could, like, remotely view what's going on. And we hear about the baby monitor stuff. Like, every single IoT connected thing has been hacked. And it's like what is the practical purpose of having some Internet connected thing worth it? Like, I don't know.

Joe Grand
Like, I don't even have Amazon like, you know, Alexa, whatever. I don't have any I try to reduce the amount of things with microphones in my home anyway, cell phone excluded, which, yes, I'm aware of that. But it it's just like what the benefit trade off. Right? That's what it is.

Joe Grand
And it's techno technology doesn't have to be in everything. But yeah. Anyway, you could say that I that it that it gets to me a little bit.

Stephen Kraig
That sounds like it.

Parker Dillmann
You know, what's interesting about this Noomi Noomi 2.0 toilet is it's it's behind the times. It doesn't have any AI. It's not chat g p t connected.

Joe Grand
Oh, it will be. It will be. Like, the you know, companies are gonna start off with something simpler with an app, and then it's like, oh, okay. Joe sits on the toilet for 5 minutes a day, so we're gonna prepare it. You know, usually, it's 8 AM.

Joe Grand
So we're gonna preheat the thing, and we're gonna do the you know, it's all gonna be that, and then we're gonna sell that information to something else, and that's gonna it's all it's all just data harvesting in in the name or or the guys of a customer experience.

Parker Dillmann
You start getting fiber fiber pills advertised to you because you sit on the toilet

Joe Grand
for too long. Yeah. For sure. Right. Or it's like, oh, you have COVID.

Joe Grand
Yeah. Exactly.

Parker Dillmann
I I I

Stephen Kraig
I do find it kind of funny that big toilet needs, like, enhancements like that. Right?

Joe Grand
Like, what's the yeah. Like, so

Parker Dillmann
so I mean, are

Stephen Kraig
we really struggling to sell toilets?

Joe Grand
Big plumbing. Yeah. You're right. Yeah. But it it maybe they're just trying to keep up with with the times, right, of, like, everybody else is connecting to the Internet.

Joe Grand
Why not? Like, refrigerators too. We've seen refrigerators. We've seen coffee makers. All of these things, Internet connected, that have either been hacked or people have found problems with or bugs during firmware updates.

Joe Grand
If companies are going to take the effort to design IoT things, they should really spend more time designing them properly.

Parker Dillmann
Are you are you sure caller is just not like, well, we need to design something to get hacked, so we're in the news.

Joe Grand
You may it could be. Right? I mean, it's like No. No like, any news is good news. Right?

Joe Grand
So maybe it's that. You did say, Parker, when we were when we were emailing back and forth before the podcast, you had said, well, there are some uses of of IoT connected things. So I'm curious what your thoughts are on, you know, practical uses.

Parker Dillmann
Yeah. So one that I really like is are, like, IoT connected, like, gate openers and, like, garage door openers. Because it's very, convenient to when, like, if you have, like, someone to come mow your lawn and you need to open the gate and you're not there. You can just open the gate remotely for them, that kind of stuff. That's the kind of stuff that I may mostly use it for.

Joe Grand
Access. Are you worried about other people opening your gate or closing it and locking you in?

Parker Dillmann
Well, I guess. But what I did do is did look at openers and see which ones were were hacked before and that kind of stuff. Yeah. So I did do some research before I

Joe Grand
called them. Right. The first step. I mean, what what worries me is, like, the, you know, the I mean, the the the Nest cams and all that stuff, like, those external facing cameras and devices are concerning for a different reason. Those are mostly surveillance related, law enforcement, you know, gathering of data.

Joe Grand
But the internal cameras, things that are inside of your home, those freak me out

Parker Dillmann
Oh, yeah.

Joe Grand
To no end. Airbnb is for sure. Like, again, we don't have that stuff in our house, but a lot of people do. And to even think that something has a camera that could be on or following us around, or like you have your camera on so you can see your pets at home, but what, you know, is somebody looking while you're at home? Like, that to me is just so freaky.

Joe Grand
I value my privacy enough where if I'm in public and have no expectation of privacy, that's fine. Or if I'm on stage in public, that's fine. When I'm in my home, I don't want a camera you know, of some robot staring at me and sending that data somewhere. I don't know. It's just like, yeah.

Joe Grand
I'm surprised again. It's a trade off. It's the convenience and security trade off Yeah. Of what's it worth for you to be able to see inside your house versus what's it worth somebody to to, you know, spread nude videos of you.

Parker Dillmann
I'm just surprised the toilet doesn't have a webcam.

Joe Grand
We don't know that yet.

Parker Dillmann
That's true. I do wanna know what the built in audio speaker system is used for, though.

Joe Grand
What if it's for, like, bone conduction? You know? But, like, through your butt. So when you're sitting on the toilet, you can actually hear music. You feel the music through your, what are they, the sitz bones or something?

Joe Grand
Like, that'd be amazing.

Parker Dillmann
That would be

Joe Grand
I bet you, the listeners, were not expecting IoT connected toilet engineering discussion.

Parker Dillmann
It's actually been a while since we've talked about toilets.

Stephen Kraig
I'm not sure our listeners expect anything at this point. They just they're along for the ride.

Joe Grand
Along for the ride. Yeah.

Parker Dillmann
Ambient colored lighting. I wonder where that light is it, like, when you open the bowl, the light water is different color? Oh, whatever. It's a freaking $10,000 toilet.

Joe Grand
That I would actually get. I might have to do that on my toilet. Lighting everybody loves LEDs. They don't have to be Internet connected.

Stephen Kraig
Ground effects on your toilet?

Joe Grand
Yeah.

Stephen Kraig
I you know, we've talked about this before, but but above and beyond security issues, there's the problem of of the potential of whatever company sells you the product going under, and now your product's not supported. Or if it has some kind of server connection, well, that's Toast, and now your product is Toast, and now whatever you need is Toast. So it's not only just security in your location, but perhaps even security issues at the company themselves that can cause them to tank and then everyone's SOL.

Joe Grand
Yeah. It's sort of a it's just a user and a company relationship that maybe puts too much responsibility onto the company. But we've seen this already. I I can't of the examples, but there have been companies that have built up communities of people using some Internet connected thing or some smart device. Those companies go under, and then people are left kind of holding the bag.

Joe Grand
Actually, there is one I remember because I was part of it, but this was a long time ago with a product called Chumby, which is one of the first, like, Internet connected open source. I call it a beanbag. It's sort of like the, what is it, the the dash or the echo or these modern, you know, devices that show things on a screen. I don't remember, but it was

Parker Dillmann
It was kinda like a it's like a Furby kind of too.

Joe Grand
It was like a Furby with no mouth. Like, it wasn't as annoying as a Furby, but it would show you we called them widgets. And, basically, the iPhone came out and completely crushed it. But this was an open source hardware device, one of the first, if not the first open source hardware. No.

Joe Grand
That's not true because the Apple originally was. But this was a device where we had a net, you know, a whole community of users building these different apps and widgets running on the chubby network. And when the company ended up getting sold, I left the company. I was doing consulting for them, and I left. I think they ended up selling everything to Best Buy, and the Chumby network went down.

Joe Grand
And our software engineer took over the Chumby network and ran it on his own because the community was so in love with with the Chumby as he was. He ran this network for a long time, and then I think other people might still be running it. But this was an open source product with an open source network, and people could see what's going on behind the scenes. Most companies don't do that. Right?

Joe Grand
So, like, Chumby lives on with the open source community. Other products, if it's this black box environment where you don't know what's happening on the server side and you're relying on communication to the server that's now not there, that's a problem. And even with video games, I think that happens with, like, games that go under and, like, all of the online worlds disappear and nobody can play it. And some people have tried to build those back up. But, yeah, reliance on corporations, it changes your relationship, and it it's lame, like, to rely on a company.

Joe Grand
And I was like, oh, you can't make coffee because we can't communicate with our back end to see if you have legitimate coffee in your coffee maker or whatever it is. But it is Or

Parker Dillmann
or your Internet goes down because of a snowstorm.

Joe Grand
Yeah. Right. Well, at least that's, like, physical fiber that has been, you know, torn off the pole. But, yeah, I mean, I'm still reliant on that. Right?

Joe Grand
But it's it's, companies maybe I mean, they don't care, and but I feel like they should have sort of a responsibility to customers that they sell things to, but maybe I'm thinking too nice about it.

Parker Dillmann
I think some engineers care. I would like to see a lot more of the, like, like okay. So I'm working on a controller for a fan, actually for automotive, Joe. And, it's not IoT, but it does connect Bluetooth. It does connect Bluetooth to your phone so you can adjust the settings.

Parker Dillmann
Mostly so because that way you don't have to put like an LCD screen underneath the hood of your car and, you know, it melts. But it's one of those more direct connectivity like let's take the garage door opener. Does it really need to talk to AWS server somewhere? Probably not. It could probably you can probably set up just a direct connection to whatever app is on your phone.

Parker Dillmann
Right? Well, that way, they they can't collect the data that way. That's that's why.

Joe Grand
Well, yeah. I mean, you know, all these companies really, like, there's value in building a community because you make them dependent on your product. I mean, it's just like I'm gonna totally go out there now. This is, like, a horrible thing, and and people might disagree. But it's like the drug epidemic that we're dealing with.

Joe Grand
Right? With fentanyl, drug dealers are putting fentanyl in other softer drugs to get users of those softer drugs addicted to the harder drugs. Everybody knows building communities of people that are dependent on your product is good business. Whether it's ethical or reasonable is a different store or legal is a different story. But it's that sort of thing of, like, you get people you build a product that's so great.

Joe Grand
Everybody's using it. You you're connecting to their network. You're beholden to their network. They can do whatever they want. And if it's data harvesting, whatever, people will be fine with it.

Joe Grand
I mean, look at what we deal with with Google and Amazon, every other website right now. And then they could just walk away and shut things down, and now products don't work. And I feel like on a serious note, like, we're probably gonna start seeing that more and more. Just like on the software side, we're seeing subscription models for everything. You can't buy a piece of software and use it as long as you want without paying some exorbitant amount of money in some cases.

Joe Grand
In other cases, you have to pay a subscription. You're beholden to that particular company and we're paying subscriptions for every piece of software we need. We're paying subscriptions for every online streaming service we need. We're paying subscriptions for every game we're playing or in in game content. So why is that gonna be any different for hardware?

Joe Grand
It's not. You're gonna have to start renting things. I think BMW, I've been involved a little bit with the right to repair movement over the past couple years, and I think it was BMW that was, like, gonna upsell heated seats or something. Or it was some feature that shouldn't have been up sold. And it's like, well, you can if you pay your subscription, your car runs better or or whatever it is.

Joe Grand
Like, the subscription model is going to take off everywhere. And I think it probably already has in Tesla. Like, I'm not a Tesla user, but I think we're seeing that already. Customers, users, humans are getting used to it and it puts so much trust into the corporations, the companies that are making the products. And it's a really hard thing to escape from once you're in it.

Joe Grand
And these corporations know that, and the companies know that. And, again, it comes back to the trade off. Right? Like, you could live outside the fringes of society and not participate in any of this stuff, or you can grudgingly get involved in it, and now you're now you're in it. So it's hard to escape once it's there.

Joe Grand
But I feel like we're gonna see more and more hardware devices become Internet connected, more and more hardware devices having subscription models, more and more hardware devices getting hacked, hopefully, to raise awareness of of the problems. And it's something that, like, is just going to happen, and you can try to fight against it by not going in and using those services or using those products, but you're gonna end up on the outside for sure. And I'm trying to do that, and it's like I'm already on the outside.

Stephen Kraig
Well, I think it kind of to tie it all the way back to the Bosch thing. I guarantee you now that because of the black eye they're receiving from this kind of press, Bosch is for sure going to be implementing a DFS or a design for security measure to their engineering team for any of the products that they do that have this kind of connectivity. And I think that's something that if you're designing a product, build in time for that. Build in time to think about it. Build in time to contemplate it and to look for security issues.

Stephen Kraig
I think that's it's just it's just another layer of design that you now have to consider for anything that connects.

Joe Grand
Yeah. I think that's that's a 100% true. And, you know, I've been saying that for years, and it's a lot easier to say it than actually do it. But you're right of, like, building in some time to analyze your device. You know, it's like what we do design reviews, and we make sure our our schematics are correct.

Joe Grand
We make sure that the design of our power supply circuitry is right and implementation of things, blah blah blah. Like, you can tabletop some of that. Well, I've never actually used that in a sentence before. You but you can tabletop, like, security threats. Right?

Joe Grand
And say, okay. If I was an attacker, I'm going in through the network. I'm gonna try this. We have a debug interface. What could they do?

Joe Grand
And you create, you know, what would be called a threat model and determine, like, what's a risk, what isn't. But for sure, like, building time into your design cycle for security, for designing security, for testing security, and and testing iterations of things because as the device development changes, somebody might add code that opens up some other vulnerability. Like, all of that's great if the company has the the time and resources to do it. I'm not convinced that companies who have been hacked all of a sudden become huge believers in security. I think they do a minimum to show that they care in air quotes.

Joe Grand
They're gonna they'll update their product. They'll issue a statement. But I don't see a lot of companies all of a sudden changing into, like, massive security companies where they're actually implementing, you know, redesigning their entire products to be more secure, because then it comes all the way back to what we talked about before of cost and difficulty. There's other things to worry about. It's really a lot of times now getting hacked is more of a marketing problem than an engineering problem and a PR problem.

Joe Grand
It's unfortunate that it's that way, but I I feel like as much as I would like to think that companies take security seriously, I'm still on the skeptical side. But I do agree that, like, products will become more secure. The more devices get hacked, the more black eyes, if you will, you know, that get out there for different companies and different products. People will realize that they need to take security, maybe even slightly more seriously. And there are things you can do to try to make your devices more secure.

Joe Grand
It's a huge, difficult problem like we talked about. Breaking systems is significantly easier. There's a couple of things I just want to mention. One of them is I'd worked on a presentation a couple years ago called every cloud has a silver lining, and it completely has nothing to do with cloud as in, like, IoT cloud stuff, which is another thing I try to avoid of, like, cloud based services. You know, not your computer, not your data kind of thing.

Joe Grand
And that was really, I put that together to kind of show as an engineering kind of resource guide of, like, even with the what I would consider, like, a a not great state of embedded security, there are still steps you could take. There are still vendors starting to sell products that claim to have more security. Like, there are things you can do to maybe make your design a little more secure, make it not so easy for somebody to hack it? Of course, a lot of it comes down to the implementation because humans are still implementing those things. So on in that presentation, there's, like, links to a lot of common practices.

Joe Grand
There are even some standards that exist of recommendations of embedded security. There are some organizations like Common Criteria for cryptographic systems and, even FIPS compliance in the US for, sort of government certification for cryptographic systems. So anything that has encryption capabilities of of any sort or security capabilities, those are good kind of check boxes of things you can do. Even if you don't get the certification, you can still see what's recommended. So there are things you can do.

Joe Grand
It's just you still wanna take it with a grain of salt. And as you're implementing, even if you're implementing with some something where a vendor says, oh, we're secure. You should use this version of our chip. You should still, if you can, try to break it on your own or find some people to try to break it to understand what your risks are before you put it into your product. But, again, that takes time and money, and maybe people don't wanna do that, but there are ways to start.

Joe Grand
I also found this other thing over the weekend. I think I sent it to you. It's kind of a strange URL, but the gotchas.salusa.dev, which is a collection of common cryptographic mistakes and learning resources. So a lot of times it's like, you know, the recommendation is, well, you should use Secure Boot to make sure your code is authenticated and verified before it runs in your system. Like, that's really easy to say.

Joe Grand
Really, really difficult to implement properly because you do have code signing and cryptography and things involved and key management. So I think this website's kind of interesting. It's not really hardware based. It's just more overall cryptographic related, but there could be things in there that you learn from and say, if we are if we are trying to implement some encryption or some maybe not encryption of data at rest or maybe, but encryption of data over IoT for something. Like, maybe you can learn some stuff from that.

Joe Grand
That's definitely one that I that I bookmarked for future reference. So there are bits and pieces. Right? There are things that you can try to do. Even if you try to do those, you could still make mistakes.

Joe Grand
I think we don't wanna blame vendors for problems unless they are completely negligent. And in the case of Bosch, I don't know if they were negligent. I think it's a really cool example and a cool hack and something that's sort of a prelude to what we're gonna see more of. But But I don't think companies should be blamed for that stuff unless they're completely blowing off security altogether. The engineers for sure can't be blamed for that because we know how hard it is to design and we know how hard it is to keep track of security.

Joe Grand
Also, like being a hacker and an engineer at the same time is hard to do. And most people don't go into engineering to be hackers. They go into engineering because they want to design stuff and hackers don't necessarily want to be engineers. So I feel like you can't really blame as much as you can learn from the experiences in other companies. Right?

Joe Grand
Bosch competitors should not be like, My competitor got hacked. They should say, okay, how did that happen? Let's make our products more secure so that doesn't happen. And maybe these companies even work together and share some information about secure hardware design of certain types of products so these things don't happen. So eventually things get more secure, customers don't get screwed over when things get hacked and, you know, maybe everything will will end up just fine.

Parker Dillmann
I think what it really boils down to is expanding your when you start doing your risk analysis on your product is you can't just look at it as just a circuit anymore. You have to take a lot more into account. And what I mean by the circuit is a lot like, let's say you're designing something for automotive. There's like some standards that you do for, like, the input power. And it's like you have to handle this much of range of the input power.

Parker Dillmann
You have to handle this much of like fluctuation, that kind of stuff. Go into like an IOT device, like minimal, like an opera the the consumer can just plug the cable in and out really fast. Right? That's something you should make sure your device does not blow up when you do when when someone does that. Right.

Joe Grand
Right.

Parker Dillmann
Right? Which is funny, that's kinda like what a glitching attack is. Yep. Kinda. But engineers are already thinking about that kind of stuff of like these base level risk managements, but now we have to go further and, like, let's say these torque wrenches, for example.

Parker Dillmann
It's like, well, especially since they're IT well, it's like, what happens if there was an unauthorized change to the torque settings? What would happen there? I don't think anyone ever thought someone would do a a ransomware attack on a torque wrench.

Joe Grand
Yeah.

Parker Dillmann
But I the first thing I saw when I saw drill crypt, I thought it was actually they were changing the torque settings, like, so you would assemble things incorrectly. That's my where I first went.

Joe Grand
Which is also equally terrifying.

Parker Dillmann
That's way more in my opinion, way more terrifying than it just locking out the the drill torque

Joe Grand
ring. Except that that yeah. That lock out the drill makes money, not tightening bolts properly leads to Boeing doors

Parker Dillmann
line off.

Joe Grand
Floor plugs being pulled off of aircraft. Right? So Yeah. It's a different model of, like, what your end goal is. And I think we, you know, we see it with medical stuff also of ransomware and hospitals and things.

Joe Grand
And, yeah, it's, it's really it's it's really scary. I do wanna mention talking about automotive is, yeah, there are so many of these standards, medical as well. Like, there are standards of how to do certain things, but safety doesn't equal security. So a lot of times, these standards are around safety, but it doesn't mean something is secure. But people say, oh, we follow the ASOL standard for automotive whatever, like safety.

Joe Grand
And it's like, yeah. That's that's great. You should, but security isn't really part of that. And maybe it's just like we're at such an early stage where there needs to be more accessible standards in what engineers need to do. Right?

Joe Grand
Like, more resource guides of you're an engineer. You're trying to build an IoT connected device. What are the things you need to do? And I mentioned these resources in my presentation, but maybe that's even too complicated. Like, maybe it needs to be some defined thing from one organization or something.

Joe Grand
But, again, the implementation is where there tends to be problems. So, yeah, it's, it's good job security being a hacker. I can tell you that.

Parker Dillmann
I wonder if at Bosch, one of the things of the in because because they had hard coded credentials, and they might have thought that would've been fine because they're air gapped. Because because I I actually hear that argument a lot with hardware, especially with, like, when you have older machines that are running like OS 2 warp or they're running Windows XP. And they're like, oh, nothing can happen to it because it's off the network. Right. But then you have stuff like Stuxnet, which was Stuxnet.

Joe Grand
Yeah.

Parker Dillmann
Which actually I knew about it, and I'd actually decided just to read up about it. It was kind of the first weaponized malware, at least attributed weaponized.

Joe Grand
Yeah. Yeah. I think you're right. And sort of a sneaker net approach. Right?

Joe Grand
Because it it was offline in a secure facility. But that excuse doesn't really hold anymore. I mean, it never really held, but the human threat is a significant threat. People can be bribed. People can be blackmailed.

Joe Grand
People can be convinced to do things that they may not normally do. So getting physical access to something or something air gapped, you know, people still pick up USB thumb drives and plug them into their computer. They might not know any better.

Parker Dillmann
You know what's really scary about that one, Joe? So my parents just hand me a whole bag of thumb drives that were my grandparents'. And I'm like, I do not wanna plug these in where near you. Wow. That

Joe Grand
That could be just for sure.

Parker Dillmann
It's like it's like a bag of 20 of them.

Joe Grand
Yeah. But you're aware of that. Right? Like, most people, I feel like, would take those and they would plug them in and and see what happens, but there are people that would use those in some malicious purpose to get access to something or get to a secure facility. So, yeah, I mean, that that's something where even if something is network connected, but it's an internal network that doesn't get connected to the outside world.

Joe Grand
Somebody could still get into the facility and still connect to the internal network. We see this with, like, penetration testers that that break in the buildings and get access to networks. It's something you know, if there's a product, you have to take security seriously. I I feel like regardless of the product nowadays and regardless of where it's used, how it's implemented, if it even has network connectivity or not.

Parker Dillmann
And I'm I'm really glad, Joe, that you brought up, like, the ethics problems too of, like, re doing this kind of research because, actually, the previous episode we talked about was engineering ethics.

Joe Grand
Nice.

Parker Dillmann
So it's kind of a cool way to wrap that all around. Yeah.

Joe Grand
I mean, I think I I think it's important. I remember engineering ethics from from from college where that was actually a class, and we learned about, some of the massive engineering disasters and were the engineers responsible and what were the ethical dilemmas of things. I I haven't been involved in product development in in large companies for a really long time, so I don't know the conversations that go on there. But there is an ethical dilemma when it comes to designing anything that a customer uses, especially if it's network connected. Are you putting the user at risk?

Joe Grand
Are you putting the company at risk? Are you locking your customers out if something goes wrong? Do you care? Yes or no? You know, it was like the guy that that created the thumbs up, the like button on Facebook.

Joe Grand
Like, didn't anticipate the negative consequences of the mental health problems that would come with the desire, the human need for gratification, where if you don't get a thumbs up, how that affects you and all these things. So there are a lot of, ethical things that maybe engineers aren't thinking about. And even if they are, are they able to speak those to executives, to management, to the companies? Do the companies care? Are they ethical?

Joe Grand
I can't speak to any of that. I I just hope that there's some conversations going on about that stuff.

Parker Dillmann
So, Joe, thank you so much for coming back on the podcast for it's been 4 years. 5 almost 5 years.

Joe Grand
It's amazing. It's amazing. Yeah. Thank you again for having me and and for everybody out there listening. This was super fun.

Stephen Kraig
It's always fun.

Parker Dillmann
So, Joe, where can people find out more about you or, again, contact with you?

Joe Grand
So okay. That's kind of a loaded question. I would say the easiest way what is the easiest way? So the problem is there's a lot of, like, Joe Grand impersonators and everything. So finding me, probably the easiest way, if you go to joegrand.com, it's probably the easiest because that's gonna redirect to my Linktree page, and that has all of my social media, all of the different websites that I run, and and things on there.

Joe Grand
So that's probably the easiest way is just go to joegrand.com. And then from there, you can check other stuff out. I will say stay tuned for, a new video coming out that I'm super proud of in probably a month or so. And, yeah, if people I also have a Discord server, so if people wanna just come on and talk about engineering stuff or hacking stuff, it's pretty low volume, but it's open to everybody. And, you it's just a place, hopefully, just that people can learn and trade information and share things, with no pressure.

Joe Grand
Like, you don't have to know stuff to be on there. And yeah. But yeah. Just go to joegrand.com. Check stuff out.

Parker Dillmann
And with that, thank you for listening to circuit break from MacroFab. We're your hosts, Parker Dillman.

Stephen Kraig
And Steve and Craig. Later, everyone. Take it easy.

Parker Dillmann
Thank you. Yes. You are listener for downloading our podcast. Tell your friends and coworkers about circuit break from Macrofab. If you have a cool idea, project, or topic, or want us to discuss, let Steven and I and the community know.

Parker Dillmann
Our community where you can find personal projects, discussions about the podcast, and engineering topics and news is located at circuit hyphenbrake.macfab.com.

Related Podcasts

Brandon satrom lanot

Brandon Satrom and the LANoT

Parker talks with Brandon Satrom of Particle about the future of IoT and then design and prototype an IoT device.

Joe grand hero

A Joe Grand MFG Adventure: What You are Designed to Do

The KINGPIN returns after two years to discuss off-shore versus on-shore manufacturing, Tariffs and Chinese Customs, and Defcon Badge designs.

CB FI 416

No David Here, Chris Gammell with Golioth.io

We welcome Chris Gammell, Developer Relations Lead at Golioth, to explore the exciting world of IoT (Internet of Things) and hardware.

One man entertainment machine

The One Man Entertainment Machine

John Adams joins Parker and Stephen to discuss IoT Security, Crappy IoT Devices, and WS2812B LEDs.

Internet mothers

The Internet of Mothers

Agustin Pelaez and Cameron Klotz of Ubidots talk about what is IoT and how to start an IoT Project.

Joe grand origin story

Joe Grand: The Origin Story

Guest Joe Grand aka "Kingpin" discusses the beginnings of DEF CON electronic badges.