Joseph FitzPatrick

Please Connect to the Foreign Entity to Enhance Your User Experience

Electronics – whether toys, tools, or test equipment – have been almost exclusively manufactured overseas for decades at this point, but recently, there’s been a rise in Chinese brands marketing and selling their own products directly to consumers worldwide. DJI is one example that has gotten quite a bit of attention, but in most of these cases, consumers are individually importing goods that are sold by, supported by, and usually want to connect to foreign entities.

I’ll go over a few examples of these tools, highlighting how and why they connect in entirely non-malicious ways, usually to ‘enhance the user experience’. I’ll go into a bit of detail on the hoops you may need to jump through to get things working without connecting – if possible. Then, I’ll propose some scenarios where these non-malicious features could actually be used maliciously. Finally, I’ll explore the question of whether the device’s country of origin is actually even a factor in these scenarios.

Hopefully you’ll come away with things to keep in mind if you find yourself deploying any kind of connected device, but more importantly, an understanding of when you might want to go a step further – or avoid certain devices

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.