Circuit Break - A MacroFab Podcast

This week Parker and Stephen welcome Joe Grand to the show to discuss insecure IoT devices. Inspired by a recent incident where Bosch wrenches were infected by ransomware called DRILLCRYPT, the guys asked Joe to join them to talk about how attackers could compromise the safety of the wrench and cause safety issues for users. Of course, this kind of breach could impact almost any company and its products, and so many topics were covered, including:
  • “Actually, it’s Dr. Grand…”
  • If you’re in attack mode, firmware updates are great
  • Supply chain issues are hard enough to manage without these security breaches
  • A lack of security can be a business decision
  • Give me convenience or give me threats
  • The hardware industry isn’t as well-versed as the software industry is
  • How to update 10,000 devices in the field
  • Hacking is problem-solving (someone tell the FBI)
  • “If you’re not being sued, you’re not working hard enough’
  • Sourcing parts and the risk of getting counterfeit parts
  • Why a firmware update shouldn’t disable your car
  • Resisting Big Toilet
  • Subscription models for…everything…
  • The importance of Design For Security measures
  • Is getting hacked more of a marketing problem than an engineering issue?
  • Engineering ethics and hacking and design
About our guest:

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, teacher, advisor, daddy, honorary doctor, and occasional video maker. He has been creating, exploring, and manipulating electronic systems since the 1980s. This is his third appearance on our show and first since 2019!

Relevant links:
Thank you for listening to the MacroFab Engineering Podcast!  We’d love to hear what you think of the show so please tweet at us @MacroFab and join our Circuit Break Community for discussions or email us at podcast@macrofab.com.

Creators and Guests

Host
Parker Dillmann
A Founder @MacroFab.Builds Electronics, Cars, & Jeeps.
Host
Stephen Kraig
EE
CM
Producer
Chris Martin
Guest
Joe Grand
Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, teacher, advisor, daddy, honorary doctor, and occasional video maker. He has been creating, exploring, and manipulating electronic systems since the 1980s.

What is Circuit Break - A MacroFab Podcast?

Dive into the electrifying world of electrical engineering with Circuit Break, a MacroFab podcast hosted by Parker Dillmann and Stephen Kraig. This dynamic duo, armed with practical experience and a palpable passion for tech, explores the latest innovations, industry news, and practical challenges in the field. From DIY project hurdles to deep dives with industry experts, Parker and Stephen's real-world insights provide an engaging learning experience that bridges theory and practice for engineers at any stage of their career.

Whether you're a student eager to grasp what the job market seeks, or an engineer keen to stay ahead in the fast-paced tech world, Circuit Break is your go-to. The hosts, alongside a vibrant community of engineers, makers, and leaders, dissect product evolutions, demystify the journey of tech from lab to market, and reverse engineer the processes behind groundbreaking advancements. Their candid discussions not only enlighten but also inspire listeners to explore the limitless possibilities within electrical engineering.

Presented by MacroFab, a leader in electronics manufacturing services, Circuit Break connects listeners directly to the forefront of PCB design, assembly, and innovation. MacroFab's platform exemplifies the seamless integration of design and manufacturing, catering to a broad audience from hobbyists to professionals.

About the hosts: Parker, an expert in Embedded System Design and DSP, and Stephen, an aficionado of audio electronics and brewing tech, bring a wealth of knowledge and a unique perspective to the show. Their backgrounds in engineering and hands-on projects make each episode a blend of expertise, enthusiasm, and practical advice.

Join the conversation and community at our online engineering forum, where we delve deeper into each episode's content, gather your feedback, and explore the topics you're curious about. Subscribe to Circuit Break on your favorite podcast platform and become part of our journey through the fascinating world of electrical engineering.

Parker Dillmann:

We have an update from Macrofab. Misha and Brendan of Macrofab are doing a webinar on January 30th at 12 PM CST. The topic is enhancing operational safety through cyber resilient approaches for physically secure PCB designs. Participants will learn about the typical vulnerabilities and electronic hardware and discover advanced design and production strategies, prioritizing security, including material and layout considerations. There is also a local event happening at Macrofab HQ.

Parker Dillmann:

Become a part of the Bright Minds Brighter Future event on February 1st from 11 AM to 4:30 PM CST. Join us for a day of innovation and networking. Step into our state of the art factory where the future of electronics manufacturing is being shaped. Please pause the episode and head on over to macfab.com/events and register right now before you forget. There is also a link in our show notes if you want to go there as well.

Parker Dillmann:

We will be right back here waiting for you, our listener, when you return. Welcome to circuit break from MacroFab, a weekly show about all things engineering, DIY projects, manufacturing, industry news, and insecure IoT devices. We're your hosts, electrical engineers, Parker Dillmann.

Stephen Kraig:

And Steven Kraig.

Parker Dillmann:

This is episode 414. Circuit break from Macrofab. This week, we have a guest, Joe Grand.

Stephen Kraig:

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, teacher, advisor, daddy, honorary honorary doctor, and occasional video maker.

Parker Dillmann:

He has been creating, exploring, and manipulating electronic systems since 19 eighties.

Stephen Kraig:

This is his 3rd appearance on our show and first since 2019. So welcome back, Joe.

Joe Grand:

Thank you. Wow. You guys did that so so well. Thank you. Nice to be back.

Parker Dillmann:

I'd hope so after 414 up well, how many what episode was were you last on, Joe? It's been

Stephen Kraig:

I think the last one was the Defcon badge with the little, with the gemstones. Right?

Parker Dillmann:

Yeah. It

Joe Grand:

was the gemstones. That was Defcon 27. I feel like the first one was around the seventies. Yeah. You're right.

Joe Grand:

Episode seventies and then 100 Yeah.

Parker Dillmann:

First episode was in 2017, episode 73, and that was your origin story.

Joe Grand:

Right.

Parker Dillmann:

And then, yeah, then we talked about manufacturing adventure of the of the watch, the NFC no. No. Let me see. The, Near Field watch.

Joe Grand:

Yeah. The NFMI. Yeah. Which was the DEFCON badge. The DEFCON 27 badge was was Near Field magnetic induction with the quartz crystal element on it and everything.

Joe Grand:

Right. So we talked about that. What episode was that?

Parker Dillmann:

185. Wow. It's amazing. Well, good job.

Joe Grand:

Thanks for having me back.

Stephen Kraig:

Well, thanks for coming back.

Parker Dillmann:

Yeah. And, so I actually have a question. What what are you an honorary doctor of?

Joe Grand:

I think you're the first person that's ever asked me that. My wife always rolls her eyes because sometimes, you know, people are like, hello, mister Grand. And I'm like, actually, it's doctor Grand. I don't don't actually do that very often, but in certain places, you know, where they're very, like, uppity or they they require or or enjoy people with larger titles. I'll call myself doctor.

Parker Dillmann:

You could pull it out. Yeah.

Joe Grand:

Let me actually look. So I have it on my wall. So let me give you the actual accurate name. Okay. So it's an honorary degree of doctor of science in technology from the University of Advancing Technology, which is sort of a technology video game security university in Arizona who's done a bunch of stuff with DEFCON and BlackHat over the years.

Joe Grand:

So So I got involved with them ages ago now, probably 15 years ago, if not more. Was, like, an online professor for a couple classes. A lot of their students ended up going to DEF CON and doing stuff at DEF CON, running the hardware hacking village. Like, people we all know, a lot of them came from that community. And, at some point, I think it was 2,000, yeah, 2010, one of the main people there reached out, and they're like, we wanna give you an honorary degree.

Joe Grand:

And I was like, Wow, that's so cool. And it was awesome. So, I got to do the commencement speech and go there, and it was definitely a surprise, but super cool. And, when I first told my dad about it, I was like, the school wants to give me an honorary degree. He's like, you know, there's a lot of scams out there of schools trying to sell you degrees.

Joe Grand:

So no. It's not a scam. It's real. But, yeah, super super cool. And and, no, I don't really call myself doctor that often.

Joe Grand:

Only when needed. If you

Parker Dillmann:

were at, like, a fancy restaurant, I and they asked said mister Grand, I'd be like doctor Grand.

Joe Grand:

Well, certain airlines too take titles very seriously. So I've actually gotten upgraded on airlines just by correcting them and saying that I'm a doctor.

Stephen Kraig:

It's like, yes.

Joe Grand:

I'm a doctor. I'm just not the kind that helps somebody. I don't know. Don't look, don't

Parker Dillmann:

look, this person's having a heart attack. You're like, is it a pacemaker?

Joe Grand:

Right. Yeah. Is it electronics? Like, can I hack it? Yeah.

Parker Dillmann:

Oh, cool. So the reason why we're having you on here, Joe, is there's been a big news story that came out last couple of weeks about drill crypts. And drillcrypt is like, if you try to Google drillcrypt, not a lot of stuff comes up. I think it's just coined online.

Joe Grand:

Every vulnerability now has to have a name. Right? So it's easy to search for and and and get your logo. You can make your stickers and t shirts and website and everything. So, yeah, that's not a bad sounding name.

Parker Dillmann:

Yeah. But it's a vulnerability or exploits of these Bosch torque wrenches, basically. They actually call them nutrunners, which I thought was really funny because hackers are also known as netrunners. So, yeah, we got our our title there. Netrunning, then

Joe Grand:

the Net Runners. Clever. Who did you come up with that, or was that something on the Internet?

Parker Dillmann:

No. I came up yeah. I actually came up

Joe Grand:

with that. Really good. Yeah. Oh, that's wow. You should be in marketing.

Stephen Kraig:

Actually, aren't you, Parker?

Joe Grand:

Yes.

Parker Dillmann:

Yeah. I was talking with Joe before the podcast, and I've moved over to marketing full time at Macrofab.

Stephen Kraig:

So Now you can just start

Parker Dillmann:

naming everything. These, these are like pneumatic smart wrenches where you can, like, set the torque, and they can figure out what position they're in and that kind of stuff. Well, apparently, they were just completely unsecure IoT devices as well, and you can just unauthorized change the torque settings. You can change, basically, all the settings just on the fly. Or you can also just, like, ransomware it, which is what JoelCrypt does and make the operators pay in Bitcoin to unlock that.

Joe Grand:

I mean, that's it's funny. Like, that's really where things are heading. And, you know, a problem like this, none of this is really new, right? It's just everybody kind of is making these same mistakes of network connected devices and this and that. And, like, the end result ends up being the same of something getting hacked.

Joe Grand:

A lot of times it's the same sort of problems, but the use of ransomware in this case is sort of interesting of, like, ransomwareing an actual embedded system or, like, a product and not a computer really is genius if you think about it. Right? If somebody's gonna ransomware these things and these devices are used on a manufacturing line or in a facility where time is money, and if the line goes down, your cuss you know, the customers of that facility have problems. Right? And that facility has problems.

Joe Grand:

So it's just another way of kinda holding people to the fire. You know, do I condone it? Like, I mean, no. But it's, it does prove a point, right, of, like, security needs to be taken seriously and and vendors, a company as big as Bosch or any other large company really has no excuse to not design things securely or to make better attempts of security. Everybody's gonna make mistakes and you're always going to have some way that somebody could hack a system, but it just seems like so many things are what what we used to call at the loft, low hanging fruit.

Joe Grand:

So, you know, very easy sorts of attacks that don't require jumping through a lot of hoops. Like, we just saw with the iPhone recently, I don't remember, just a couple weeks ago, this ridiculous exploit chain of, like, using 4 zero day vulnerabilities and all these other things to do something like zero click attacks on phones, on iPhones, which was like state sponsored level, ridiculously complicated attacks. You don't need to do that on most devices, especially IoT devices. So good security can be done well enough to make it so difficult to attack. It's probably not worth it.

Joe Grand:

But the fact that if somebody's gonna run ransomware on these devices or prove that they can run ransomware on the devices just shows that the IoT industry, if you will, and engineers still have a long way to go to sort of raise that level or raise that bar, if we're gonna use another cliche, just to make devices better. But it's like, this is this is the same type of crap we've been seeing for, I don't know, since episode 73 or, like, the first time we talked or since I got into this stuff. Like, there will always be problems. They seem to maybe just get hyped up more. But the more connected devices we have, the more technology we have For every one company or one engineer that has leveled up with security or vendors have leveled up with different ships offering security, you have so many other groups where security either hasn't been considered or it's been implemented wrong or whatever it is, and something like this happens.

Parker Dillmann:

Yeah. When you look at the exploits, especially on these wrenches, a lot of them are just like their hard coded credentials. So it's like

Joe Grand:

Yeah.

Parker Dillmann:

It's not really an export in terms of they went to the probably the PDF or the wrench and then looked up what the passwords were.

Stephen Kraig:

Admin password. Right?

Joe Grand:

Yeah. Right. The maintenance manual or if it's hard coded, you just grab the firmware off or get the code or get the contents out of whatever memory is there and and look for it. Like, we've seen companies leave private keys in firmware update packages and all sorts of stuff. So, you know, if you're on the attack side, it's great because you can learn a lot of really interesting attacks.

Joe Grand:

Even if you're on the design side, you should be paying attention to these types of attacks and say, okay. Let's design our systems and not make that same mistake. The problem is it's really hard to remember history, and this is why we're seeing over and over and over again the same sorts of stuff. Even with, like, the CVE, common common vulnerability database, and, like, all of these things to try to track different types of vulnerabilities, it's really hard to to learn from history because there isn't really a great database of every historical hardware attack and problem and IoT problem and embedded system problem and everything. So if you're not paying attention every day, it's easy to to miss something and easy to miss some new attack that might make your device vulnerable.

Joe Grand:

And as an engineer, and I'm sure you guys know this too, like, engineering products is hard, and it's hard enough without having to worry about getting hacked when you're dealing with, you know, part shortages and getting systems to work and manufacturing issues and shipping and customer support, all of the supply chain, all the logistics, everything, getting the product, you know, built on time and under budget is really, really hard. And then when you throw security into it, it's a whole other story.

Stephen Kraig:

Well and given what you just said, a lot of times security takes the back seat compared to all of those things. I've got a manufacturing issue that I gotta take care of. That's number 1. Like, security I'm not saying this personally, but but but but security could easily take a backseat too. Oh, I gotta fix this manufacturing issue that's right in front

Joe Grand:

of me. Oh, for sure. Or it's like we know we need, you know, some programming interface or some way to make it easy for manufacturers to load code in. Yeah. You could do code signing and have some secure boot, but then you have to deal with key management and all these other things that come along with it that you have to work with your factory, and it's all secondary to getting the thing working and getting your yield up and getting your products out there to your customers and making your investors happy and all of these things.

Joe Grand:

So it's a reason where or a reason why I don't really teach people how to design things securely or even I sometimes I'll make recommendations, but it's so, so hard to get proper security into a design, and it's way easier, not necessarily always easy, but way easier to break a product because from the hacker side, we're basically looking for that one problem or a couple, you know, in this case of, drillcrypt. You know, they use a couple of vulnerabilities or whatever, but hackers really only need to find the mistakes or the problems where engineers and designers have to kind of anticipate not only current state of the art of why people might attack their devices and what they're gonna attack on the device, but then potentially future attacks as well. And they're also kind of reliant on the chip vendors. And in the case of Drillcrypt, they were using the, you know, some embedded Wi Fi module. So now you're integrating somebody else's Wi Fi module product into your own product.

Joe Grand:

So now you've inherited all the vulnerabilities that come along with that that may or may not have been discovered yet either. So it's really a tricky problem. And for me, the enjoyment of being on the hacker side is getting to think a lot about lots of different products and lots of different approaches and break things in different ways. But there is something very satisfying too in designing a product, especially if you've taken into account the security aspects. It's just significantly harder.

Joe Grand:

So, thumbs up to, you know, anybody working in that space for sure.

Parker Dillmann:

Yeah. It's interesting what you said where where the hackers are looking for mistakes, whereas on the engineering side, it's not even considered a mistake. It's a it's a maybe maybe you even call an oversight or they or it was just not in your design documents.

Joe Grand:

Right? That's right. And if you have, like, if you have a backdoor in there or hard coded credentials, like, maybe there was a business reason or during development, somebody needed those credentials in there to make development easier or manufacturing or they have a UR interface or a debug interface or whatever it is to make engineering's job easier, to make manufacturing's job easier. And that's the trade off of, like, maybe they thought about it, maybe they didn't, but the things that are useful for the designers can also be useful for the attackers. And I personally have sat in on meetings where there is that battle between engineering and security, and the engineers are like, well, we need these features.

Joe Grand:

And security is is like, well, that's gonna put you at risk. And then there's the business decision of, like, weighing the the risk of getting hacked versus the need for these certain features. You know, security versus convenience, and a lot of times, convenience wins out. Maybe over time, security will start to become more integrated, but it's still again, it's still really difficult, and you could spend a lot of time designing some secure mechanism in a system. It gets hacked, and now your executives are like, well, you just spent all this time and money on a security system that didn't work.

Joe Grand:

It would be better if we just don't even bother and then deal with the fallout like in this case. I haven't seen Bosch's response other than, you know, we take security seriously, which is kind of like the common thing everybody says. So it's it's hard to know what's actually happening internally in the organization when something like this happens.

Parker Dillmann:

Yeah. Yeah. Convenience, at least for product development, always runs the fastest, Right? A

Joe Grand:

lot of us are using password managers now, which is the ultimate convenience. Right? A lot of us are using password managers now, which is the ultimate convenience. And that sort of changes the risk or the threat model a little bit, But convenience is always there of, like, let's choose a simple password so we can get into our accounts. That just flows through.

Joe Grand:

It's human nature. Right? And that flows through to everything that we're designing. If designing systems was difficult, people will always find a way to sort of circumvent the difficulty to make their job easier and get the thing out the door, and that's gonna potentially leave things vulnerable.

Parker Dillmann:

You know, it might be there's still a promise, but we've made a lot of strides in, like, software development in terms of security, especially recently. I wonder if it's because security on hardware devices and IoT devices is just inherently more difficult, which is why it doesn't get doesn't happen as

Joe Grand:

often. Yeah. I mean, I feel like yes and no. So, like, the software space, you know, back when I was at the loft in the starting in the early nineties, basically, for, like, the first 10 years of being involved in that hacker group, we were trying to show software vendors, mostly Microsoft and, you know, bigger software companies of, like, look. We found a vulnerability in your software.

Joe Grand:

This is what somebody could do if they were malicious, and we'd show them some exploit code, and they'd be like, oh, well, that's probably not a problem. And we'll be like, okay. Well, we're gonna release this work so other people can learn from it and protect themselves, and then they go, oh, we better fix the problem. So in the security world now, I mean, in the software world now, we have, you know, security teams, we have patches every week, Software updates all the time. Applications on phones, on desktops constantly being updated, whether it's, you know, for security features or other things.

Joe Grand:

It's very easy, and it's kind of part of our psyche now of, like, oh, we gotta do an update. So it sort of become this inherent part of of software of, like, okay. Something might be vulnerable, but it gets patched. Sometimes even when you update your phone, you know, the the change log doesn't say specifically what it's fixing. It just says security fixes, which is great, right?

Joe Grand:

Because we don't have to think about that as end users. Hardware has always been different even though, yes, sometimes we have firmware running on the hardware, which we could do firmware updates and and fix things. Sometimes firmware attacks require hardware attacks require physical access. So people go, oh, we don't have to worry about security. It's only if somebody gets physical access, which is a problem because you can get physical access to pretty much everything unless it's, you know, something that's being guarded by people with giant weapons.

Joe Grand:

Or even there, you might be able to get physical access through an insider threat or something. So there's kind of these excuses around hardware. And the hardware industry, I'll say, just isn't as well versed as the software industry is. And it might take many more years of this sort of I wouldn't call it public shaming, but it's sort of this public awareness of, like, look, we found a vulnerability in your hardware product, just like we were doing back in the day. You have to navigate that stuff very carefully because hardware sometimes can't be patched.

Joe Grand:

If it's, for example, like some of the some of the work I did on the STM 32 that's the Trezor hardware where you can, you know, do fault injection against the chip, and that can only be fixed by respinning the silicon, potentially only be fixed by re respinning the silicon. And vendors might not wanna spend 1,000,000 and 1,000,000 and 1,000,000 of dollars to do that. So with hardware products, it's harder. And having devices, if you have 10,000 devices, a 100,000 devices in the field, not everybody's gonna do the updates on those. So I think it's just going to take more time before hardware devices and IoT products and all of these kind of resource constrained computing devices get to that same level of update capability as software, which doesn't necessarily get rid of all of the threats, but the more we can get rid of, the better, Right?

Joe Grand:

And the faster we can upgrade that stuff, the better. If you look at so much like home network consumer device, things that are running old versions of Linux and all of this stuff that hasn't been patched, like there's no patch or update mechanism or anything, we're gonna keep seeing that unless there's just some way to make it more, you know, part of the design itself to do these updates, which may or may not be possible. But, yeah, most hardware companies are like, you know, if you tell them they have a problem with something, like, they tend to not be as appreciative as software companies. And you do have some companies like HackerOne that help you with these sort of bug bounties or helping you work with companies that maybe don't have a policy in place to deal with security vulnerabilities, but it's hard. And big companies can sue you into oblivion, you know, gag order you.

Joe Grand:

You have all these things as a researcher, these sort of concerns of, like, do I wanna go public with this? Like, do I wanna tell the vendor, or am I gonna get sued? And that's a conscious effort even with software. Like, there's a a video, that we just filmed recently that's coming out probably in end of February ish about a new attack that we worked on for a project. And that company did fix the problem in a later version, but we're still sort of like, do we wanna tell them in advance just to let them know this video is coming out?

Joe Grand:

And it's like, well, they look like nice people, but what if their lawyer, like, tries to prevent us from releasing the video? So we're we're making the conscious choice of, like, we're gonna release the video first because they've already fixed the problem, and then at least the information's out there. People who are susceptible to this problem can fix it. Then if we get sued later, that's okay. But that's a, you know, that's a choice you kinda have to deal with.

Joe Grand:

Back in the day when I'd hacked the the parking meter in San Francisco, I think that was 2,000 9 or something like that. So a smart card based parking meter, stored value. That was a similar situation where myself and the guys involved in doing that research, we made a conscious effort or conscious decision to give the talk at Black Hat and DEF CON first before notifying the parking meter company and before notifying the city of San Francisco about the problem. Because a year earlier, some students had done some research and found some vulnerabilities in the Boston Public Transit System, the t, and went to the MBTA, the company that runs the transit system, showed them all of their research, and they were like, that's great. This is great information.

Joe Grand:

Thanks for thanks for helping us and, you know, making us more secure. And the next day, the FBI shows up at these kids' dorm room and arrest them. So it's like even if you're trying to do the right thing and come out with an advisory or some vulnerability or release information to let people, you know, be aware of the vulnerabilities and products they're using, you can still get sued for it. So at the parking meter, we're like, well, we don't want that to happen to us because those kids got sued. They couldn't release their research except sort of a side product of of things going to court as everything became public even more than just the information they were gonna end up releasing.

Joe Grand:

But nobody wants to go through that process. So we figured, well, let's just give the talk. And then if we get sued, you know, whatever. It'll happen afterwards. It's good press.

Joe Grand:

A friend of mine, Jason Scott, who runs, he works at the Internet Archive and runs textfiles.com, was like, If you're not being sued, you're not working hard enough. And I was like, oh, that's kind of interesting. But anyway, yeah, it puts a lot of it puts pressure on people to release information or engage with companies for fear of getting sued. And maybe the approach is like drill grip and like some of these other bugs. You know, I was joking about, oh, you name everything and you give it a logo.

Joe Grand:

That's what that's what happens. Maybe the the side effect of doing that and going to the press every time you find a problem is the work is out there, so there's maybe more pressure to not sue the the, the messenger.

Parker Dillmann:

Yeah. The whistleblower.

Joe Grand:

Yeah. Yeah. But it's an interesting world for sure. And, you know, the older I get, then, like, the more responsibility I have. Like, when I was younger, I was like, I don't care, we get sued, go to court, whatever.

Joe Grand:

And now it's like, well, I have kids. Like, I don't wanna spend all my time in court or jail or whatever it is. So companies can get pretty nasty. And I think that it would just be nice if more companies and I think it will happen eventually. Like, you know, security is talked about much, much more.

Joe Grand:

But when you're giving when you're making these articles about, like, this thing can be hacked and this can be hacked and and maybe without showing sort of recommendations, maybe these researchers did show some recommendations too. But basically just calling somebody's baby ugly without having some sort of solution is a problem. Right? And then you're going head to head instead of sort of working together. So I just hope that over time, you know, hardware manufacturers and hardware engineers take security more seriously.

Joe Grand:

It's okay if they have problems. What's the most important is if somebody finds a vulnerability or offers you some insight into the product, don't hold them to the fire, but be gracious about it. Be like, oh, that's an interesting I didn't know about this. Right? So Bosch can look at this and say, well, you know, now it's in the public, so they have to do something, but they could really use it as a learning example.

Joe Grand:

And I don't I can't imagine them going after the company. If it was a smaller company maybe or if they didn't get press, maybe they'd get you know, have some sort of legal action. But, really, it's the it's it would be nice if this continues of vendors being appreciative of work that's happening and using that to make the products better instead of having researchers be sort of scared about releasing this stuff. Because the problems exist anyway, just the researchers are sort of doing what they feel and what I feel is an ethically correct thing to do of letting vendors know and letting people know about these problems, the problems are gonna exist whether we talk about them or not.

Parker Dillmann:

Yeah. It's interesting. A couple of weeks ago, we were talking about components, like microcontrollers that will have tons of errata, additional PDFs of information of stuff that's bad, basically bad about the device. Like, it doesn't work in this edge case. And we were commenting on there's not a really easy way to go find that information.

Parker Dillmann:

You kinda have to dig because, you know, manufacturers don't want to they don't wanna call their own baby ugly

Joe Grand:

Right.

Parker Dillmann:

To use your words. Yeah. So a a way a way where you could go look up if you're an engineer. Okay? So like what you're saying is, okay, these products, let's say that STM chip you're talking about

Joe Grand:

Yeah.

Parker Dillmann:

Is out in the wild. Well, if most engineers won't even know to go look and see if that chip has a specific vulnerability. But maybe if there was a database where you could go look up a part and be like, oh, these these is all your errata for this component, and this is some security exploits that have been found against that that component. It would be amazing. That would probably go a long way.

Joe Grand:

It would be amazing. Right? I mean, sort of like I don't know if I if I'm allowed to plug other things here, but it's like, you know, using OctoPark to see, like, what distributors have stock. It would be great to be like, what component, you know, has problems based on known public vulnerabilities? You know, a lot of times, vendors are gonna or engineers are gonna read the data sheets, and the chip says, we have code protection.

Joe Grand:

You're fine. No one's gonna steal your firmware. It's gonna lock the debug interface. It has cryptographic hardware support. It has secure memory, like, all of these things that on paper read great, but the implementation of those might not be correct, leading to all of these errata, basically bugs in the silicon.

Joe Grand:

And I think a lot of a lot of engineers aren't even aware that they might be building in a product that has known vulnerabilities already. Exactly. Right? And, like, that's something where you can't blame the engineers. It would be great if there was some resource of of looking that stuff up.

Joe Grand:

Maybe Macrofab should do it. It's more work for you. But, yeah, I mean, that would be say. I'm like, it's a lot of work. For those, I know people can't see faces, but that was that was a classic.

Joe Grand:

A classic like, no. Sounds like a lot of work.

Stephen Kraig:

I feel like, Macrofab is fantastic, but, perhaps there's a different set of, specialties that need to be involved in something like that.

Parker Dillmann:

You you know, it's it's something about that though is I I this is slightly a tangent, I guess, because it's a different topic, but also including the country of origin. Mhmm. Because a lot of times when you go to, like, a distributor like Mauser or Digi Key, they don't tell you where the the thing is manufactured at. It's printed on the real components because it has to be, but Right. Mauser or Digi Key don't won't tell you that until it gets to you.

Parker Dillmann:

I think there's, like, I think Arrow, I think is the only distributor I've seen that actually will say country of origin is wherever, like, before you even buy it. Yeah. Because I think They

Joe Grand:

know for sure. It's also on the backside of the chip packages too usually.

Parker Dillmann:

Yeah. Yeah.

Joe Grand:

Maybe not for for for chip scales, you know, for small stuff, but usually it's on the back of the plastic injection molded stuff.

Parker Dillmann:

So I wonder if, combining that might be an idea is try to combine all that. And if if you did it as a crowdsourcing where people can submit stuff so you don't have to do it all yourself, someone that's not Parker, go build that.

Joe Grand:

What's funny though, is if it's too Wikipedia style where anybody can do it, then you're gonna have vendors taking their stuff off.

Parker Dillmann:

Yeah. Take

Joe Grand:

prevent them from being found. Right? So it has to be some vendor neutral body that's sort of controlling these things. I don't know, maybe that's a future project or something, but it would be really helpful to people that don't wanna pay attention to security all day, right? It's like when you're spec ing parts for something, that would definitely be nice to know.

Joe Grand:

You throw your whole your whole bomb into into the website, and it's like, this has known things, this has known things. And then the engineer can make a decision of, like, alright. Is that a risk to me? Yes or no?

Parker Dillmann:

And on that, this is another layer of the that component onion is supply chain security too. Because there's there's a couple groups out there that compile all that data, but you have to go dig for it yourself. It'll be nice if you, like, just type in the part number and go, oh, this part had issues with supply chain on this date and this lot, And, you know, this this manufacturer found, let's say, like, counterfeit parts

Joe Grand:

Yeah.

Parker Dillmann:

Of that component. Right.

Joe Grand:

Yeah. I mean, that's right.

Parker Dillmann:

It's just it's all it go it all goes down to what you would just brought up, though, as risk management and risk assessment.

Joe Grand:

And Yeah. But we haven't even talked about that. That side of the supply chain is terrifying. Right? It's like even if your even if your design is properly secure, you're still sourcing parts.

Joe Grand:

And you have the counterfeit problems, and you have the the gray market problems, and you have all of these hands touching all these products at all these different points, then it's really hard to track some of that stuff. And, yeah, I mean, just counterfeits on their own. Right? Not even talking about, like, Trojan horse hardware modification inside of silicon, but just counterfeit parts get into supply chains. And, you know, of course, FTDI Gate comes to mind because that was just an epic journey back.

Joe Grand:

I think it was, what, 2006 or 2,008 when FTDI Yeah. I was on that. FT232 was counterfeit, and they blasted all of the the known counterfeits with, like, a, software update that would Yeah. That would kind of brick them all or set the VID and PID all to zeros, which I thought was just a a bold move. Like, I know a lot of people got really mad at FTDI for doing that, but what it did unintentionally is proved that counterfeit parts were getting into legitimate supply chains Mhmm.

Joe Grand:

Because a lot of people didn't know they were using counterfeit parts. Like, yes, a lot of people were buying stuff on AliExpress and all these places that had questionable origin, but a lot of people that got burned by that FTDI update were buying it through legitimate distributors. So that proves that even if you are going and following the right pathway for your supply chain, you could still get burned. And that's, like, a really scary thing when you're when you're responsible for a product being manufactured and for the the lifespan of it and the the behavior of it and everything.

Parker Dillmann:

What comes to mind is how Amazon warehouses work. And so when you buy something on Amazon, and usually, there's will be multiple people who have or multiple companies that have supplied that product to Amazon, and they just throw all those products into one big bin because it's Yeah. Off the same skew. Right.

Joe Grand:

Well So why do you ship it by Amazon?

Parker Dillmann:

Yeah. But at that point, you just completely wiped away the entire, like, life cycle, I guess, you can say.

Joe Grand:

The provenance.

Parker Dillmann:

Yeah. Of that product. Because you have at that point, you have no idea where it came from. It just went into a bucket.

Joe Grand:

Right. Well, I think for you know, I'm thinking I don't really know, but I'm guessing because they do such huge volumes, they'll just ship something out. If a customer doesn't like it, they return it. It gets thrown into a big pile, and they just get another one. So from Amazon's perspective, as just the distributor, if you will, the, you know, the losses that they take on mixing questionable items with good items, like, they probably don't even care.

Joe Grand:

It's such a minimal thing. Yeah. But for most people that are running companies with slightly smaller volumes than Amazon, like, making hardware products, you don't really have that luxury. Right? And if you end up unknowingly designing in a part that's counterfeit or that's that that doesn't meet spec that you're expecting to, and now all of your products are going bad or some portion of your products are not functioning properly, like, that's the scariest thing as an engineer to have to deal with and to try to figure out if you can even repeat the problem.

Joe Grand:

And that's where sort of then you have your customer confidence problems, your customer support problems, people are like, oh, that product sucks. It's really hard to deal with where Amazon is like, well, whatever we'll just, you know,

Parker Dillmann:

ship the person another one. Another counterfeit.

Joe Grand:

And people know, Amazon knows people are gonna keep going back to Amazon anyway.

Parker Dillmann:

So Joe wrote down some examples here, like product examples that I guess hit you at in your heart, Joe? Yeah. I mean,

Joe Grand:

it's funny because, I mean, you can search for IoT hack or whatever, and there's a 1,000,000,000 things. Or you can go use the Shodan, you know, search engine to find IoT connected things. But these particular examples just kinda made my eyes roll, and, you know, we can sort of talk about, like, the Ford firmware update. Right? There was that image that was being passed around recently of a car doing a firmware update, and the firmware update crashed, and it was like firmware update, incomplete, bring your car to a dealer.

Joe Grand:

And it's like, who wants to see that if they're trying to get to work or pick up their kids or whatever? And it's just such a shitty implementation. Like, that should never happen in an automobile. It should never happen in any product where you buy it. No nowhere is there a good reason that it says you cannot be used because of a problem.

Joe Grand:

Right? Like, why is there not some backup version of firmware? Why is there not some subset? Why is there not a bootloader that can that can bring you back up? Like, it doesn't make any sense, and it's those sorts of examples is crazy.

Joe Grand:

And, also, related to that one, I think you have it here too of, like, Ford had filed a patent application. It happens to be Ford. I'm not just picking on Ford. It's every car company, but in this case, it happens to be Ford. Patent application for self driving cars that will drive back to some, location if you miss your car payments.

Parker Dillmann:

Well, they're just putting repo people out of jobs.

Joe Grand:

Yeah. Well, that but it's horrible. I mean, it's like, do these companies have have any empathy for their actual customers? Right? Like, usually, people who aren't making their car payments are in serious dire straits.

Joe Grand:

Right? They have some challenges. Most people are not missing car payments on purpose.

Parker Dillmann:

And usually, they rely on their car to get money, basically, or

Joe Grand:

or Exactly. Right. If you have to take a bus or 2 buses or 3 buses to get to your job instead of being able to drive. Like, you might not be able to get to your job, or there might not be a public transportation route, so you rely on your car. It's just pure evil.

Joe Grand:

Like, it doesn't make any sense to me to do that yet. Companies are starting to patent things like that. And then the news article I read about it was like, well, Ford also suggested, like, maybe it's not you know, drive it back to the repo, man. It's, disable the air conditioning or have the audio system play unpleasant sounds. Like, you're basically trolling your customer and blaming them.

Joe Grand:

Like, it's just so not human. It just seems so wrong. And the fact that engineers would design this stuff and think it's a good idea is infuriating to me. And I, you know, I would love to sit in on some of those meetings, and it would be great. It would be hilarious to brainstorm all this stuff.

Joe Grand:

Right? Like Mark Rober making his package delivery system to, you know, spray somebody with fart spray. Like, that's hilarious. But somebody that's a customer of your product and driving, like, it's a different thing. So it'd be amazing to you know, you can brain storm all sorts of really funny things you could do to somebody, but is it ethically correct, or is it caring for your customer?

Joe Grand:

No. It's ridiculous. So I don't know the reasoning.

Parker Dillmann:

I'm just trying to imagine how much engineering effort that would take where you could be spent doing more creative and better things to the car.

Joe Grand:

Or if the engineers are like, I don't I I don't really wanna do this, but I'm gonna do it anyway. Right? But, yeah, I mean, it just seems it's just mind boggling of the of these things where you could, yeah, maybe maybe do something a little more useful with with the engineering effort. But it's all the IoT stuff. Like, I I've said this for years.

Joe Grand:

Like, I'm I'm kind of a technology curmudgeon, and the older I get, the more of a curmudgeon I become. I think there are certain reasons for things to be network connected sometimes or maybe to have some smart capability to it, and we're gonna see that more and more with with, you know, AI machine learning stuff and blah blah blah. But not everything needs to be smart. And I feel like things have like, products have existed for a long time without being smart, like a toilet. I, you know

Parker Dillmann:

I this is good.

Joe Grand:

I just don't understand, like, this Kohler Connect app that let you know, it says, the new me 2.0 smart toilet marks a new standard of excellence in the bathroom. It's your bathroom. It's a toilet. Like, what are you gonna do with your thing? Maybe, you know, if it's one of the you know, a fancy toilet that has the the spray and you can adjust the temperature and the water and this and that, You can use buttons for that.

Joe Grand:

Somebody's gonna hack it, obviously, but it's sort of like tech putting technology in things for technology's sake has just never sat well with me. Using technology where there's a purpose to actually help, not just because it's a trend or a fad or it needs an app or it needs to be IoT. As an engineer and as a consumer and as a hacker, it is really infuriating. Especially as somebody who teaches people how to hack this stuff, it shouldn't be this easy, and it just shouldn't be this ridiculous. So I would say, like, if people are gonna hack the toilet, they should.

Joe Grand:

Right? Because that's gonna show Kohler, okay. You know, why is this being done? You could probably do some pretty funny stuff, but it's just, I don't know, it's ridiculous. And this this is new stuff.

Joe Grand:

Right? Some this has been going on, I would say, like the Mire botnet from 2016 with all of the, you know, Internet connected cameras, basically using default passwords and password reuse to get access to these things. LG had a robot that was like a a surveillance robot. I don't even know if it would vacuum also, but it would, like, go around your house, and it would, like, send live video. Like, all this stuff, I don't know why anybody would actually want that in their house.

Joe Grand:

But that got hacked, and people could, like, remotely view what's going on. And we hear about the baby monitor stuff. Like, every single IoT connected thing has been hacked. And it's like what is the practical purpose of having some Internet connected thing worth it? Like, I don't know.

Joe Grand:

Like, I don't even have Amazon like, you know, Alexa, whatever. I don't have any I try to reduce the amount of things with microphones in my home anyway, cell phone excluded, which, yes, I'm aware of that. But it it's just like what the benefit trade off. Right? That's what it is.

Joe Grand:

And it's techno technology doesn't have to be in everything. But yeah. Anyway, you could say that I that it that it gets to me a little bit.

Stephen Kraig:

That sounds like it.

Parker Dillmann:

You know, what's interesting about this Noomi Noomi 2.0 toilet is it's it's behind the times. It doesn't have any AI. It's not chat g p t connected.

Joe Grand:

Oh, it will be. It will be. Like, the you know, companies are gonna start off with something simpler with an app, and then it's like, oh, okay. Joe sits on the toilet for 5 minutes a day, so we're gonna prepare it. You know, usually, it's 8 AM.

Joe Grand:

So we're gonna preheat the thing, and we're gonna do the you know, it's all gonna be that, and then we're gonna sell that information to something else, and that's gonna it's all it's all just data harvesting in in the name or or the guys of a customer experience.

Parker Dillmann:

You start getting fiber fiber pills advertised to you because you sit on the toilet

Joe Grand:

for too long. Yeah. For sure. Right. Or it's like, oh, you have COVID.

Joe Grand:

Yeah. Exactly.

Parker Dillmann:

I I I

Stephen Kraig:

I do find it kind of funny that big toilet needs, like, enhancements like that. Right?

Joe Grand:

Like, what's the yeah. Like, so

Parker Dillmann:

so I mean, are

Stephen Kraig:

we really struggling to sell toilets?

Joe Grand:

Big plumbing. Yeah. You're right. Yeah. But it it maybe they're just trying to keep up with with the times, right, of, like, everybody else is connecting to the Internet.

Joe Grand:

Why not? Like, refrigerators too. We've seen refrigerators. We've seen coffee makers. All of these things, Internet connected, that have either been hacked or people have found problems with or bugs during firmware updates.

Joe Grand:

If companies are going to take the effort to design IoT things, they should really spend more time designing them properly.

Parker Dillmann:

Are you are you sure caller is just not like, well, we need to design something to get hacked, so we're in the news.

Joe Grand:

You may it could be. Right? I mean, it's like No. No like, any news is good news. Right?

Joe Grand:

So maybe it's that. You did say, Parker, when we were when we were emailing back and forth before the podcast, you had said, well, there are some uses of of IoT connected things. So I'm curious what your thoughts are on, you know, practical uses.

Parker Dillmann:

Yeah. So one that I really like is are, like, IoT connected, like, gate openers and, like, garage door openers. Because it's very, convenient to when, like, if you have, like, someone to come mow your lawn and you need to open the gate and you're not there. You can just open the gate remotely for them, that kind of stuff. That's the kind of stuff that I may mostly use it for.

Joe Grand:

Access. Are you worried about other people opening your gate or closing it and locking you in?

Parker Dillmann:

Well, I guess. But what I did do is did look at openers and see which ones were were hacked before and that kind of stuff. Yeah. So I did do some research before I

Joe Grand:

called them. Right. The first step. I mean, what what worries me is, like, the, you know, the I mean, the the the Nest cams and all that stuff, like, those external facing cameras and devices are concerning for a different reason. Those are mostly surveillance related, law enforcement, you know, gathering of data.

Joe Grand:

But the internal cameras, things that are inside of your home, those freak me out

Parker Dillmann:

Oh, yeah.

Joe Grand:

To no end. Airbnb is for sure. Like, again, we don't have that stuff in our house, but a lot of people do. And to even think that something has a camera that could be on or following us around, or like you have your camera on so you can see your pets at home, but what, you know, is somebody looking while you're at home? Like, that to me is just so freaky.

Joe Grand:

I value my privacy enough where if I'm in public and have no expectation of privacy, that's fine. Or if I'm on stage in public, that's fine. When I'm in my home, I don't want a camera you know, of some robot staring at me and sending that data somewhere. I don't know. It's just like, yeah.

Joe Grand:

I'm surprised again. It's a trade off. It's the convenience and security trade off Yeah. Of what's it worth for you to be able to see inside your house versus what's it worth somebody to to, you know, spread nude videos of you.

Parker Dillmann:

I'm just surprised the toilet doesn't have a webcam.

Joe Grand:

We don't know that yet.

Parker Dillmann:

That's true. I do wanna know what the built in audio speaker system is used for, though.

Joe Grand:

What if it's for, like, bone conduction? You know? But, like, through your butt. So when you're sitting on the toilet, you can actually hear music. You feel the music through your, what are they, the sitz bones or something?

Joe Grand:

Like, that'd be amazing.

Parker Dillmann:

That would be

Joe Grand:

I bet you, the listeners, were not expecting IoT connected toilet engineering discussion.

Parker Dillmann:

It's actually been a while since we've talked about toilets.

Stephen Kraig:

I'm not sure our listeners expect anything at this point. They just they're along for the ride.

Joe Grand:

Along for the ride. Yeah.

Parker Dillmann:

Ambient colored lighting. I wonder where that light is it, like, when you open the bowl, the light water is different color? Oh, whatever. It's a freaking $10,000 toilet.

Joe Grand:

That I would actually get. I might have to do that on my toilet. Lighting everybody loves LEDs. They don't have to be Internet connected.

Stephen Kraig:

Ground effects on your toilet?

Joe Grand:

Yeah.

Stephen Kraig:

I you know, we've talked about this before, but but above and beyond security issues, there's the problem of of the potential of whatever company sells you the product going under, and now your product's not supported. Or if it has some kind of server connection, well, that's Toast, and now your product is Toast, and now whatever you need is Toast. So it's not only just security in your location, but perhaps even security issues at the company themselves that can cause them to tank and then everyone's SOL.

Joe Grand:

Yeah. It's sort of a it's just a user and a company relationship that maybe puts too much responsibility onto the company. But we've seen this already. I I can't of the examples, but there have been companies that have built up communities of people using some Internet connected thing or some smart device. Those companies go under, and then people are left kind of holding the bag.

Joe Grand:

Actually, there is one I remember because I was part of it, but this was a long time ago with a product called Chumby, which is one of the first, like, Internet connected open source. I call it a beanbag. It's sort of like the, what is it, the the dash or the echo or these modern, you know, devices that show things on a screen. I don't remember, but it was

Parker Dillmann:

It was kinda like a it's like a Furby kind of too.

Joe Grand:

It was like a Furby with no mouth. Like, it wasn't as annoying as a Furby, but it would show you we called them widgets. And, basically, the iPhone came out and completely crushed it. But this was an open source hardware device, one of the first, if not the first open source hardware. No.

Joe Grand:

That's not true because the Apple originally was. But this was a device where we had a net, you know, a whole community of users building these different apps and widgets running on the chubby network. And when the company ended up getting sold, I left the company. I was doing consulting for them, and I left. I think they ended up selling everything to Best Buy, and the Chumby network went down.

Joe Grand:

And our software engineer took over the Chumby network and ran it on his own because the community was so in love with with the Chumby as he was. He ran this network for a long time, and then I think other people might still be running it. But this was an open source product with an open source network, and people could see what's going on behind the scenes. Most companies don't do that. Right?

Joe Grand:

So, like, Chumby lives on with the open source community. Other products, if it's this black box environment where you don't know what's happening on the server side and you're relying on communication to the server that's now not there, that's a problem. And even with video games, I think that happens with, like, games that go under and, like, all of the online worlds disappear and nobody can play it. And some people have tried to build those back up. But, yeah, reliance on corporations, it changes your relationship, and it it's lame, like, to rely on a company.

Joe Grand:

And I was like, oh, you can't make coffee because we can't communicate with our back end to see if you have legitimate coffee in your coffee maker or whatever it is. But it is Or

Parker Dillmann:

or your Internet goes down because of a snowstorm.

Joe Grand:

Yeah. Right. Well, at least that's, like, physical fiber that has been, you know, torn off the pole. But, yeah, I mean, I'm still reliant on that. Right?

Joe Grand:

But it's it's, companies maybe I mean, they don't care, and but I feel like they should have sort of a responsibility to customers that they sell things to, but maybe I'm thinking too nice about it.

Parker Dillmann:

I think some engineers care. I would like to see a lot more of the, like, like okay. So I'm working on a controller for a fan, actually for automotive, Joe. And, it's not IoT, but it does connect Bluetooth. It does connect Bluetooth to your phone so you can adjust the settings.

Parker Dillmann:

Mostly so because that way you don't have to put like an LCD screen underneath the hood of your car and, you know, it melts. But it's one of those more direct connectivity like let's take the garage door opener. Does it really need to talk to AWS server somewhere? Probably not. It could probably you can probably set up just a direct connection to whatever app is on your phone.

Parker Dillmann:

Right? Well, that way, they they can't collect the data that way. That's that's why.

Joe Grand:

Well, yeah. I mean, you know, all these companies really, like, there's value in building a community because you make them dependent on your product. I mean, it's just like I'm gonna totally go out there now. This is, like, a horrible thing, and and people might disagree. But it's like the drug epidemic that we're dealing with.

Joe Grand:

Right? With fentanyl, drug dealers are putting fentanyl in other softer drugs to get users of those softer drugs addicted to the harder drugs. Everybody knows building communities of people that are dependent on your product is good business. Whether it's ethical or reasonable is a different store or legal is a different story. But it's that sort of thing of, like, you get people you build a product that's so great.

Joe Grand:

Everybody's using it. You you're connecting to their network. You're beholden to their network. They can do whatever they want. And if it's data harvesting, whatever, people will be fine with it.

Joe Grand:

I mean, look at what we deal with with Google and Amazon, every other website right now. And then they could just walk away and shut things down, and now products don't work. And I feel like on a serious note, like, we're probably gonna start seeing that more and more. Just like on the software side, we're seeing subscription models for everything. You can't buy a piece of software and use it as long as you want without paying some exorbitant amount of money in some cases.

Joe Grand:

In other cases, you have to pay a subscription. You're beholden to that particular company and we're paying subscriptions for every piece of software we need. We're paying subscriptions for every online streaming service we need. We're paying subscriptions for every game we're playing or in in game content. So why is that gonna be any different for hardware?

Joe Grand:

It's not. You're gonna have to start renting things. I think BMW, I've been involved a little bit with the right to repair movement over the past couple years, and I think it was BMW that was, like, gonna upsell heated seats or something. Or it was some feature that shouldn't have been up sold. And it's like, well, you can if you pay your subscription, your car runs better or or whatever it is.

Joe Grand:

Like, the subscription model is going to take off everywhere. And I think it probably already has in Tesla. Like, I'm not a Tesla user, but I think we're seeing that already. Customers, users, humans are getting used to it and it puts so much trust into the corporations, the companies that are making the products. And it's a really hard thing to escape from once you're in it.

Joe Grand:

And these corporations know that, and the companies know that. And, again, it comes back to the trade off. Right? Like, you could live outside the fringes of society and not participate in any of this stuff, or you can grudgingly get involved in it, and now you're now you're in it. So it's hard to escape once it's there.

Joe Grand:

But I feel like we're gonna see more and more hardware devices become Internet connected, more and more hardware devices having subscription models, more and more hardware devices getting hacked, hopefully, to raise awareness of of the problems. And it's something that, like, is just going to happen, and you can try to fight against it by not going in and using those services or using those products, but you're gonna end up on the outside for sure. And I'm trying to do that, and it's like I'm already on the outside.

Stephen Kraig:

Well, I think it kind of to tie it all the way back to the Bosch thing. I guarantee you now that because of the black eye they're receiving from this kind of press, Bosch is for sure going to be implementing a DFS or a design for security measure to their engineering team for any of the products that they do that have this kind of connectivity. And I think that's something that if you're designing a product, build in time for that. Build in time to think about it. Build in time to contemplate it and to look for security issues.

Stephen Kraig:

I think that's it's just it's just another layer of design that you now have to consider for anything that connects.

Joe Grand:

Yeah. I think that's that's a 100% true. And, you know, I've been saying that for years, and it's a lot easier to say it than actually do it. But you're right of, like, building in some time to analyze your device. You know, it's like what we do design reviews, and we make sure our our schematics are correct.

Joe Grand:

We make sure that the design of our power supply circuitry is right and implementation of things, blah blah blah. Like, you can tabletop some of that. Well, I've never actually used that in a sentence before. You but you can tabletop, like, security threats. Right?

Joe Grand:

And say, okay. If I was an attacker, I'm going in through the network. I'm gonna try this. We have a debug interface. What could they do?

Joe Grand:

And you create, you know, what would be called a threat model and determine, like, what's a risk, what isn't. But for sure, like, building time into your design cycle for security, for designing security, for testing security, and and testing iterations of things because as the device development changes, somebody might add code that opens up some other vulnerability. Like, all of that's great if the company has the the time and resources to do it. I'm not convinced that companies who have been hacked all of a sudden become huge believers in security. I think they do a minimum to show that they care in air quotes.

Joe Grand:

They're gonna they'll update their product. They'll issue a statement. But I don't see a lot of companies all of a sudden changing into, like, massive security companies where they're actually implementing, you know, redesigning their entire products to be more secure, because then it comes all the way back to what we talked about before of cost and difficulty. There's other things to worry about. It's really a lot of times now getting hacked is more of a marketing problem than an engineering problem and a PR problem.

Joe Grand:

It's unfortunate that it's that way, but I I feel like as much as I would like to think that companies take security seriously, I'm still on the skeptical side. But I do agree that, like, products will become more secure. The more devices get hacked, the more black eyes, if you will, you know, that get out there for different companies and different products. People will realize that they need to take security, maybe even slightly more seriously. And there are things you can do to try to make your devices more secure.

Joe Grand:

It's a huge, difficult problem like we talked about. Breaking systems is significantly easier. There's a couple of things I just want to mention. One of them is I'd worked on a presentation a couple years ago called every cloud has a silver lining, and it completely has nothing to do with cloud as in, like, IoT cloud stuff, which is another thing I try to avoid of, like, cloud based services. You know, not your computer, not your data kind of thing.

Joe Grand:

And that was really, I put that together to kind of show as an engineering kind of resource guide of, like, even with the what I would consider, like, a a not great state of embedded security, there are still steps you could take. There are still vendors starting to sell products that claim to have more security. Like, there are things you can do to maybe make your design a little more secure, make it not so easy for somebody to hack it? Of course, a lot of it comes down to the implementation because humans are still implementing those things. So on in that presentation, there's, like, links to a lot of common practices.

Joe Grand:

There are even some standards that exist of recommendations of embedded security. There are some organizations like Common Criteria for cryptographic systems and, even FIPS compliance in the US for, sort of government certification for cryptographic systems. So anything that has encryption capabilities of of any sort or security capabilities, those are good kind of check boxes of things you can do. Even if you don't get the certification, you can still see what's recommended. So there are things you can do.

Joe Grand:

It's just you still wanna take it with a grain of salt. And as you're implementing, even if you're implementing with some something where a vendor says, oh, we're secure. You should use this version of our chip. You should still, if you can, try to break it on your own or find some people to try to break it to understand what your risks are before you put it into your product. But, again, that takes time and money, and maybe people don't wanna do that, but there are ways to start.

Joe Grand:

I also found this other thing over the weekend. I think I sent it to you. It's kind of a strange URL, but the gotchas.salusa.dev, which is a collection of common cryptographic mistakes and learning resources. So a lot of times it's like, you know, the recommendation is, well, you should use Secure Boot to make sure your code is authenticated and verified before it runs in your system. Like, that's really easy to say.

Joe Grand:

Really, really difficult to implement properly because you do have code signing and cryptography and things involved and key management. So I think this website's kind of interesting. It's not really hardware based. It's just more overall cryptographic related, but there could be things in there that you learn from and say, if we are if we are trying to implement some encryption or some maybe not encryption of data at rest or maybe, but encryption of data over IoT for something. Like, maybe you can learn some stuff from that.

Joe Grand:

That's definitely one that I that I bookmarked for future reference. So there are bits and pieces. Right? There are things that you can try to do. Even if you try to do those, you could still make mistakes.

Joe Grand:

I think we don't wanna blame vendors for problems unless they are completely negligent. And in the case of Bosch, I don't know if they were negligent. I think it's a really cool example and a cool hack and something that's sort of a prelude to what we're gonna see more of. But But I don't think companies should be blamed for that stuff unless they're completely blowing off security altogether. The engineers for sure can't be blamed for that because we know how hard it is to design and we know how hard it is to keep track of security.

Joe Grand:

Also, like being a hacker and an engineer at the same time is hard to do. And most people don't go into engineering to be hackers. They go into engineering because they want to design stuff and hackers don't necessarily want to be engineers. So I feel like you can't really blame as much as you can learn from the experiences in other companies. Right?

Joe Grand:

Bosch competitors should not be like, My competitor got hacked. They should say, okay, how did that happen? Let's make our products more secure so that doesn't happen. And maybe these companies even work together and share some information about secure hardware design of certain types of products so these things don't happen. So eventually things get more secure, customers don't get screwed over when things get hacked and, you know, maybe everything will will end up just fine.

Parker Dillmann:

I think what it really boils down to is expanding your when you start doing your risk analysis on your product is you can't just look at it as just a circuit anymore. You have to take a lot more into account. And what I mean by the circuit is a lot like, let's say you're designing something for automotive. There's like some standards that you do for, like, the input power. And it's like you have to handle this much of range of the input power.

Parker Dillmann:

You have to handle this much of like fluctuation, that kind of stuff. Go into like an IOT device, like minimal, like an opera the the consumer can just plug the cable in and out really fast. Right? That's something you should make sure your device does not blow up when you do when when someone does that. Right.

Joe Grand:

Right.

Parker Dillmann:

Right? Which is funny, that's kinda like what a glitching attack is. Yep. Kinda. But engineers are already thinking about that kind of stuff of like these base level risk managements, but now we have to go further and, like, let's say these torque wrenches, for example.

Parker Dillmann:

It's like, well, especially since they're IT well, it's like, what happens if there was an unauthorized change to the torque settings? What would happen there? I don't think anyone ever thought someone would do a a ransomware attack on a torque wrench.

Joe Grand:

Yeah.

Parker Dillmann:

But I the first thing I saw when I saw drill crypt, I thought it was actually they were changing the torque settings, like, so you would assemble things incorrectly. That's my where I first went.

Joe Grand:

Which is also equally terrifying.

Parker Dillmann:

That's way more in my opinion, way more terrifying than it just locking out the the drill torque

Joe Grand:

ring. Except that that yeah. That lock out the drill makes money, not tightening bolts properly leads to Boeing doors

Parker Dillmann:

line off.

Joe Grand:

Floor plugs being pulled off of aircraft. Right? So Yeah. It's a different model of, like, what your end goal is. And I think we, you know, we see it with medical stuff also of ransomware and hospitals and things.

Joe Grand:

And, yeah, it's, it's really it's it's really scary. I do wanna mention talking about automotive is, yeah, there are so many of these standards, medical as well. Like, there are standards of how to do certain things, but safety doesn't equal security. So a lot of times, these standards are around safety, but it doesn't mean something is secure. But people say, oh, we follow the ASOL standard for automotive whatever, like safety.

Joe Grand:

And it's like, yeah. That's that's great. You should, but security isn't really part of that. And maybe it's just like we're at such an early stage where there needs to be more accessible standards in what engineers need to do. Right?

Joe Grand:

Like, more resource guides of you're an engineer. You're trying to build an IoT connected device. What are the things you need to do? And I mentioned these resources in my presentation, but maybe that's even too complicated. Like, maybe it needs to be some defined thing from one organization or something.

Joe Grand:

But, again, the implementation is where there tends to be problems. So, yeah, it's, it's good job security being a hacker. I can tell you that.

Parker Dillmann:

I wonder if at Bosch, one of the things of the in because because they had hard coded credentials, and they might have thought that would've been fine because they're air gapped. Because because I I actually hear that argument a lot with hardware, especially with, like, when you have older machines that are running like OS 2 warp or they're running Windows XP. And they're like, oh, nothing can happen to it because it's off the network. Right. But then you have stuff like Stuxnet, which was Stuxnet.

Joe Grand:

Yeah.

Parker Dillmann:

Which actually I knew about it, and I'd actually decided just to read up about it. It was kind of the first weaponized malware, at least attributed weaponized.

Joe Grand:

Yeah. Yeah. I think you're right. And sort of a sneaker net approach. Right?

Joe Grand:

Because it it was offline in a secure facility. But that excuse doesn't really hold anymore. I mean, it never really held, but the human threat is a significant threat. People can be bribed. People can be blackmailed.

Joe Grand:

People can be convinced to do things that they may not normally do. So getting physical access to something or something air gapped, you know, people still pick up USB thumb drives and plug them into their computer. They might not know any better.

Parker Dillmann:

You know what's really scary about that one, Joe? So my parents just hand me a whole bag of thumb drives that were my grandparents'. And I'm like, I do not wanna plug these in where near you. Wow. That

Joe Grand:

That could be just for sure.

Parker Dillmann:

It's like it's like a bag of 20 of them.

Joe Grand:

Yeah. But you're aware of that. Right? Like, most people, I feel like, would take those and they would plug them in and and see what happens, but there are people that would use those in some malicious purpose to get access to something or get to a secure facility. So, yeah, I mean, that that's something where even if something is network connected, but it's an internal network that doesn't get connected to the outside world.

Joe Grand:

Somebody could still get into the facility and still connect to the internal network. We see this with, like, penetration testers that that break in the buildings and get access to networks. It's something you know, if there's a product, you have to take security seriously. I I feel like regardless of the product nowadays and regardless of where it's used, how it's implemented, if it even has network connectivity or not.

Parker Dillmann:

And I'm I'm really glad, Joe, that you brought up, like, the ethics problems too of, like, re doing this kind of research because, actually, the previous episode we talked about was engineering ethics.

Joe Grand:

Nice.

Parker Dillmann:

So it's kind of a cool way to wrap that all around. Yeah.

Joe Grand:

I mean, I think I I think it's important. I remember engineering ethics from from from college where that was actually a class, and we learned about, some of the massive engineering disasters and were the engineers responsible and what were the ethical dilemmas of things. I I haven't been involved in product development in in large companies for a really long time, so I don't know the conversations that go on there. But there is an ethical dilemma when it comes to designing anything that a customer uses, especially if it's network connected. Are you putting the user at risk?

Joe Grand:

Are you putting the company at risk? Are you locking your customers out if something goes wrong? Do you care? Yes or no? You know, it was like the guy that that created the thumbs up, the like button on Facebook.

Joe Grand:

Like, didn't anticipate the negative consequences of the mental health problems that would come with the desire, the human need for gratification, where if you don't get a thumbs up, how that affects you and all these things. So there are a lot of, ethical things that maybe engineers aren't thinking about. And even if they are, are they able to speak those to executives, to management, to the companies? Do the companies care? Are they ethical?

Joe Grand:

I can't speak to any of that. I I just hope that there's some conversations going on about that stuff.

Parker Dillmann:

So, Joe, thank you so much for coming back on the podcast for it's been 4 years. 5 almost 5 years.

Joe Grand:

It's amazing. It's amazing. Yeah. Thank you again for having me and and for everybody out there listening. This was super fun.

Stephen Kraig:

It's always fun.

Parker Dillmann:

So, Joe, where can people find out more about you or, again, contact with you?

Joe Grand:

So okay. That's kind of a loaded question. I would say the easiest way what is the easiest way? So the problem is there's a lot of, like, Joe Grand impersonators and everything. So finding me, probably the easiest way, if you go to joegrand.com, it's probably the easiest because that's gonna redirect to my Linktree page, and that has all of my social media, all of the different websites that I run, and and things on there.

Joe Grand:

So that's probably the easiest way is just go to joegrand.com. And then from there, you can check other stuff out. I will say stay tuned for, a new video coming out that I'm super proud of in probably a month or so. And, yeah, if people I also have a Discord server, so if people wanna just come on and talk about engineering stuff or hacking stuff, it's pretty low volume, but it's open to everybody. And, you it's just a place, hopefully, just that people can learn and trade information and share things, with no pressure.

Joe Grand:

Like, you don't have to know stuff to be on there. And yeah. But yeah. Just go to joegrand.com. Check stuff out.

Parker Dillmann:

And with that, thank you for listening to circuit break from MacroFab. We're your hosts, Parker Dillman.

Stephen Kraig:

And Steve and Craig. Later, everyone. Take it easy.

Parker Dillmann:

Thank you. Yes. You are listener for downloading our podcast. Tell your friends and coworkers about circuit break from Macrofab. If you have a cool idea, project, or topic, or want us to discuss, let Steven and I and the community know.

Parker Dillmann:

Our community where you can find personal projects, discussions about the podcast, and engineering topics and news is located at circuit hyphenbrake.macfab.com.