From: Joe Gwinn <joegwinn@comcast.net>
Newsgroups: sci.electronics.design
Subject: Re: Offshore firmware management
Date: Sun, 26 May 2024 12:01:50 -0400
Message-ID: <8cm65jl2t7tfbaf46l88aue2vbdaeks7gs@4ax.com>
References: <v2ts06$333m5$1@dont-email.me> <kbv45jt7q50qedejctj6f30h23hukoepdk@4ax.com> <v2u8n8$38jkf$1@dont-email.me> <7ld65j55ogderkv4r18jrgshlirkbtcluk@4ax.com> <v2vg5a$3eene$1@dont-email.me>

On Sun, 26 May 2024 07:14:54 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:

>On 5/26/2024 6:20 AM, Joe Gwinn wrote:
>>>>> When outsourcing manufacture, what steps are you taking to protect
>>>>> your IP (in the form of firmware) from unauthorized copying/counterfeiting
>>>>> by the selected vendor *or* parties that may have access to their systems?
>>>>
>>>> What is the capability and desire level of the threat actors?  If it's
>>>> an intelligence agency of a reasonably large country, you probably
>>>> cannot do anything effective.
>>>
>>> No.  The concern is that the contracted manufacturer (or, anyone with
>>> access to his information systems) decides to go into business in
>>> direct competition, simply by selling YOUR device at a cut-rate price
>>> (not having to recover the engineering/development/warranty/support
>>> costs that you have)
>> 
>> OK.  Also, what does the device sell for?  This will dominate the
>> choice.
>
>Nominally $100.  But, one would typically buy a selection of a few hundred per
>end user.  "One" would have very little value.
>
>Hardware "unit" costs are reasonably insignificant; they are designed to be
>easy/inexpensive to produce.  No precision components, manufacturing
>tolerances, etc.  If you are committed to "copying at scale", then there
>is little standing in your way (i.e., molds, boards, packaging, etc.
>are just "costs of doing business")
>
>*ALL* of the value lies in the software.
>
[good summary, but big snip]

It sounds like you really have only one kind of possible solution.

First, as Phil H suggests, do not provide the firmware to the contract
manufacturer at all, instead install it back home.

Now "install" can mean a number of things.  If you just install a
common firmware image, that contract manufacturer can simply buy a
copy in the US, and reverse engineer it, so that isn't going to work
for very long.

If the hardware has a unique and large hardware serial number (there
are chips that do this), the installed firmware can be adjusted to
know its target serial number, and refuse to work anywhere else.  This
is done with a crypto checksum scheme of some kind, complicating and
delaying reverse engineering.  

Next stronger is to also require the product to contact the mother
ship to complete the serial number.  

How far to go is an economic decision - all you need to do is to make
cloning your product economically pointless.  It is not necessary for
the locking scheme to be bulletproof.

Joe Gwinn
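
One way the serial-number lock described in the post above could look, as an added example that is not part of the original post or thread. HMAC-SHA256 is an assumed choice for the "crypto checksum", and the key, serial numbers, firmware bytes and function names are all constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of an HMAC-SHA256 tag


def _tag(key: bytes, serial: bytes, firmware: bytes) -> bytes:
    # Length-prefix the serial so different (serial, firmware) pairs
    # can never produce the same MAC input.
    msg = len(serial).to_bytes(2, "big") + serial + hashlib.sha256(firmware).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()


def provision(key: bytes, serial: bytes, firmware: bytes) -> bytes:
    """Run back home, per unit: append a tag bound to this chip's serial."""
    return firmware + _tag(key, serial, firmware)


def boot_check(key: bytes, chip_serial: bytes, image: bytes) -> bool:
    """Run on the device at start-up, with the serial read from the chip."""
    if len(image) <= TAG_LEN:  # truncated or empty image
        return False
    firmware, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(tag, _tag(key, chip_serial, firmware))


# Constructed sample values (not from the thread).
# Assumption: the verification key is embedded in the firmware, so this
# complicates and delays cloning rather than making it impossible.
KEY = bytes(range(32))
FIRMWARE = b"\x7fFW" + b"constructed sample firmware body" * 4
SERIAL_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SERIAL_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo() -> dict:
    image_a = provision(KEY, SERIAL_A, FIRMWARE)
    patched = bytearray(image_a)
    patched[5] ^= 0x01  # flip one bit in the firmware body
    return {
        "own_unit": boot_check(KEY, SERIAL_A, image_a),
        "copied_to_other_serial": boot_check(KEY, SERIAL_B, image_a),
        "patched_firmware": boot_check(KEY, SERIAL_A, bytes(patched)),
        "truncated_image": boot_check(KEY, SERIAL_A, image_a[:TAG_LEN]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'boots' if ok else 'refuses'}")
```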