Public Message to IoT Manufacturers

Dear IoT manufacturers,

Yes, I admit: I like your products and my Geekness does not help! I like to play with them. If some are “gadgets” that finally land in a drawer amongst others with cables and connectors, some of them are really useful and I use them daily. You can probably imagine that, when I receive a new device, it’s not connected “in the wild” just after unboxing it. Wait… You do?

First, I read the provided documentation (you know the famous “RTFM”), I google for some forum or blog articles to see if other people already played with it. Finally, it is connected to a dedicated network without a full Internet connection (Read: “most of the egress traffic being blocked”). And then, the first problems arise… The initial setup fails, I need to restore to factory settings and try again. Basically, the process is:

Connect > Setup > Fail > Check firewall logs > Open ports > Reset > Try again > Drink more coffee

This discovery process is so annoying! Why your customers should sometimes perform something like “network reverse engineering” to understand how your product is working?

I’ve a message for you:

Please be transparent!

Why don’t you provide all the documentation for a safe setup? By example:

  • Required TCP/UDP port(s)
  • Hardcoded IP addresses/hostnames (yes, not everybody is using 8.8.8.8 as a DNS resolver or pool.ntp.org as NTP server!)
  • Specific services (VPN) and their purpose(s)
  • Avoid obscure protocols and stick to standard ones
  • Sometimes, even the device MAC address is not written on the box. To get the MAC you need to boot it a first timeç

Also avoid advices like:

If it does not work, disable the security feature <x>!

Why don’t you allow some critical settings to be customised like DNS, NTP, etc… or use proxy?

Why don’t you explain why this suspicious VPN connection is required? What are the data exchanged? What do you do with them (Ok, I’m dreaming)

I see you coming… You are right on one point: Such very technical pieces of information can’t be understood by many of your customers and your business model requires addressing the largest customers base. I don’t ask you to include this information in the documentation provided with the device but why not keep technical specs online for those that need to review them? The right balance must be found between usability and security and it’s up to me, your customer, to decide where to slide the cursor. If I disable this option, a sexy feature won’t be available? ok, fair enough but it’s my choice.

No, your FAQ does not contain relevant information for me. “Have you tried turning it off and on again” is not the right answer!

Thank you!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.