From: Joe Gwinn
Newsgroups: sci.electronics.design
Subject: Re: Offshore firmware management
Date: Sun, 26 May 2024 12:01:50 -0400
Message-ID: <8cm65jl2t7tfbaf46l88aue2vbdaeks7gs@4ax.com>
References: <7ld65j55ogderkv4r18jrgshlirkbtcluk@4ax.com>

On Sun, 26 May 2024 07:14:54 -0700, Don Y wrote:

>On 5/26/2024 6:20 AM, Joe Gwinn wrote:
>>>>> When outsourcing manufacture, what steps are you taking to protect
>>>>> your IP (in the form of firmware) from unauthorized copying/counterfeiting
>>>>> by the selected vendor *or* parties that may have access to their systems?
>>>>
>>>> What is the capability and desire level of the threat actors? If it's
>>>> an intelligence agency of a reasonably large country, you probably
>>>> cannot do anything effective.
>>>
>>> No. The concern is that the contracted manufacturer (or, anyone with
>>> access to his information systems) decides to go into business in
>>> direct competition, simply by selling YOUR device at a cut-rate price
>>> (not having to recover the engineering/development/warranty/support
>>> costs that you have)
>>
>> OK. Also, what does the device sell for? This will dominate the
>> choice.
>
>Nominally $100. But, one would typically buy a selection of a few hundred per
>end user. "One" would have very little value.
>
>Hardware "unit" costs are reasonably insignificant; they are designed to be
>easy/inexpensive to produce. No precision components, manufacturing
>tolerances, etc. If you are committed to "copying at scale", then there
>is little standing in your way (i.e., molds, boards, packaging, etc.
>are just "costs of doing business")
>
>*ALL* of the value lies in the software.
>
[good summary, but big snip]

It sounds like you really have only one kind of possible solution.

First, as Phil H suggests, do not provide the firmware to the contract
manufacturer at all, instead install it back home.

Now "install" can mean a number of things. If you just install a
common firmware image, that contract manufacturer can simply buy a
copy in the US, and reverse engineer it, so that isn't going to work
for very long.

If the hardware has a unique and large hardware serial number (there
are chips that do this), the installed firmware can be adjusted to
know its target serial number, and refuse to work anywhere else. This
is done with a crypto checksum scheme of some kind, complicating and
delaying reverse engineering.

Next stronger is to also require the product to contact the mother
ship to complete the serial number.

How far to go is an economic decision - all you need to do is to make
cloning your product economically pointless. It is not necessary for
the locking scheme to be bulletproof.

Joe Gwinn
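
The serial-number lock described in the post above, sketched as an added example that is not part of the original message: the provisioning station "back home" computes a per-unit tag over the chip serial and the firmware digest, and the boot check refuses to run if the tag does not match the serial read from the chip. HMAC-SHA256 stands in for the "crypto checksum scheme of some kind"; the key, serial numbers, image bytes and function names are all constructed or hypothetical.

```python
import hashlib
import hmac

# Constructed sample values for illustration only (assumptions, not real data).
VENDOR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # hypothetical secret
FIRMWARE = b"\x7fFWv1" + bytes(range(64))                             # stand-in image


def make_unit_tag(key: bytes, firmware: bytes, serial: bytes) -> bytes:
    """Provisioning side: bind one firmware image to one chip serial number."""
    fw_digest = hashlib.sha256(firmware).digest()
    # Length-prefix the serial so the serial/digest boundary is unambiguous.
    msg = len(serial).to_bytes(2, "big") + serial + fw_digest
    return hmac.new(key, msg, hashlib.sha256).digest()


def boot_check(key: bytes, firmware: bytes, chip_serial: bytes, stored_tag: bytes) -> bool:
    """Device side: recompute the tag from the serial read out of the chip."""
    expected = make_unit_tag(key, firmware, chip_serial)
    return hmac.compare_digest(expected, stored_tag)  # constant-time comparison


def provision(key: bytes, firmware: bytes, serial: bytes):
    """Return the (image, tag) pair written to the unit with this serial."""
    return firmware, make_unit_tag(key, firmware, serial)


# Note: an HMAC key must also live in the device, so it only delays a
# determined reverse engineer. A signature scheme, where the device holds
# only a public key, removes that secret from the field units.

if __name__ == "__main__":
    unit_a = bytes.fromhex("0123456789abcdef0011223344556677")  # constructed serial
    unit_b = bytes.fromhex("fedcba98765432100011223344556677")  # constructed serial
    image, tag = provision(VENDOR_KEY, FIRMWARE, unit_a)
    print("genuine unit boots:       ", boot_check(VENDOR_KEY, image, unit_a, tag))
    print("flash copied to other chip:", boot_check(VENDOR_KEY, image, unit_b, tag))
    patched = image[:-1] + b"\x00"
    print("patched image on unit A:  ", boot_check(VENDOR_KEY, patched, unit_a, tag))
```
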