When outsourcing manufacture, what steps are you taking to protect
your IP (in the form of firmware) from unauthorized copying/counterfeiting
by the selected vendor *or* parties that may have access to their systems?
On 5/25/2024 5:10 PM, Joe Gwinn wrote:
> On Sat, 25 May 2024 16:24:42 -0700, Don Y
> <blockedofcourse@foo.invalid> wrote:
>> When outsourcing manufacture, what steps are you taking to protect
>> your IP (in the form of firmware) from unauthorized copying/counterfeiting
>> by the selected vendor *or* parties that may have access to their systems?
> What is the capability and desire level of the threat actors? If it's
> an intelligence agency of a reasonably large country, you probably
> cannot do anything effective.
No. The concern is that the contracted manufacturer (or, anyone with
access to his information systems) decides to go into business in
direct competition, simply by selling YOUR device at a cut-rate price
(not having to recover the engineering/development/warranty/support
costs that you have)
On Sat, 25 May 2024 16:24:42 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:
> When outsourcing manufacture, what steps are you taking to protect
> your IP (in the form of firmware) from unauthorized copying/counterfeiting
> by the selected vendor *or* parties that may have access to their systems?
What is the capability and desire level of the threat actors? If it's
an intelligence agency of a reasonably large country, you probably
cannot do anything effective.
>>> When outsourcing manufacture, what steps are you taking to protect
>>> your IP (in the form of firmware) from unauthorized copying/counterfeiting
>>> by the selected vendor *or* parties that may have access to their systems?
>> What is the capability and desire level of the threat actors? If it's
>> an intelligence agency of a reasonably large country, you probably
>> cannot do anything effective.
> No. The concern is that the contracted manufacturer (or, anyone with
> access to his information systems) decides to go into business in
> direct competition, simply by selling YOUR device at a cut-rate price
> (not having to recover the engineering/development/warranty/support
> costs that you have)
OK. Also, what does the device sell for? This will dominate the
choice.
On 5/26/2024 6:20 AM, Joe Gwinn wrote:
>>>> When outsourcing manufacture, what steps are you taking to protect
>>>> your IP (in the form of firmware) from unauthorized copying/counterfeiting
>>>> by the selected vendor *or* parties that may have access to their systems?
>>> What is the capability and desire level of the threat actors? If it's
>>> an intelligence agency of a reasonably large country, you probably
>>> cannot do anything effective.
>> No. The concern is that the contracted manufacturer (or, anyone with
>> access to his information systems) decides to go into business in
>> direct competition, simply by selling YOUR device at a cut-rate price
>> (not having to recover the engineering/development/warranty/support
>> costs that you have)
> OK. Also, what does the device sell for? This will dominate the
> choice.
Nominally $100. But, one would typically buy a selection of a few hundred per
end user. "One" would have very little value.
Hardware "unit" costs are reasonably insignificant; they are designed to be
easy/inexpensive to produce. No precision components, manufacturing
tolerances, etc. If you are committed to "copying at scale", then there
is little standing in your way (i.e., molds, boards, packaging, etc.
are just "costs of doing business")
*ALL* of the value lies in the software.
> Hardware "unit" costs are reasonably insignificant; they are designed to be
> easy/inexpensive to produce. No precision components, manufacturing
> tolerances, etc. If you are committed to "copying at scale", then there
> is little standing in your way (i.e., molds, boards, packaging, etc.
> are just "costs of doing business")
> *ALL* of the value lies in the software.
[good summary, but big snip]
It sounds like you really have only one kind of possible solution.
First, as Phil H suggests, do not provide the firmware to the contract manufacturer at all, instead install it back home.
Now "install" can mean a number of things. If you just install a
common firmware image, that contract manufacturer can simply buy a
copy in the US, and reverse engineer it, so that isn't going to work
for very long.
If the hardware has a unique and large hardware serial number (there
are chips that do this), the installed firmware can be adjusted to
know its target serial number, and refuse to work anywhere else. This
is done with a crypto checksum scheme of some kind, complicating and
delaying reverse engineering.
Next stronger is to also require the product to contact the mother
ship to complete the serial number.
How far to go is an economic decision - all you need to do is to make
cloning your product economically pointless. It is not necessary for
the locking scheme to be bulletproof.
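
A sketch of the serial-number lock described in the post above, as an added example that is not code from the thread or from either poster. It assumes HMAC-SHA256 as the "crypto checksum", a 16-byte chip serial, and hypothetical names (`make_locked_image`, `boot_check`); all sample values are constructed.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag appended to each per-unit image


def _bound_message(firmware: bytes, serial: bytes) -> bytes:
    # Length-prefix the serial so the serial/firmware boundary is unambiguous.
    return len(serial).to_bytes(2, "big") + serial + hashlib.sha256(firmware).digest()


def make_locked_image(firmware: bytes, serial: bytes, key: bytes) -> bytes:
    """Provisioning side (done at home, per unit): bind the image to one serial."""
    tag = hmac.new(key, _bound_message(firmware, serial), hashlib.sha256).digest()
    return firmware + tag


def boot_check(image: bytes, chip_serial: bytes, key: bytes) -> bool:
    """Device side: recompute the tag from the serial read out of the chip."""
    if len(image) <= TAG_LEN:
        return False  # too short to carry firmware plus tag
    firmware, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, _bound_message(firmware, chip_serial), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    key = bytes(range(32))
    firmware = b"\x7fFW-IMAGE" + bytes(64)
    unit_a = bytes.fromhex("00112233445566778899aabbccddeeff")
    unit_b = bytes.fromhex("00112233445566778899aabbccddee00")
    image = make_locked_image(firmware, unit_a, key)
    print("unit A boots:", boot_check(image, unit_a, key))
    print("image copied to unit B boots:", boot_check(image, unit_b, key))
```

Because the device must hold `key` to verify the tag, the key can be recovered from a purchased unit; this fits the post's point that the lock only has to make cloning uneconomic, not be bulletproof.
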
The economic aspect is always the kicker. With high product costs,
it's easy to add a significant effort/cost to protect a design.
But, when things get "dirt cheap", everything you add SOLELY to
protect your IP is pure overhead; it adds no VALUE to your product!
It's akin to throwing money at lawyers to try to get injunctions
against adversaries (the product doesn't IMPROVE as a result of
those actions, and your attention has been diverted from
adding new functionality to *defending* your existing design)