by jdnenej 2406 days ago
Might as well call the PC a broken platform since you can install your own OS.

Imo a platform is broken if the user can't control it.


One user's self is another user's attacker. This attack isn't one-time; if I can break into the hardware and change the keys such that I now control it, then someone else with temporary physical access can then break into my hardware and change the keys again, suborning "my" IoT device into e.g. a subtle wiretap.

A computer anyone—not just the owner—can root given physical access, is like a lock that anyone—not just the owner—can non-tamper-evidently pick open. It really is broken.

Almost all computing devices are broken when given physical access. And if they aren't, it's just because someone hasn't worked it out yet or is broken secretly by governments.

This is kind of a myth. There is such a thing as tamperproof hardware components and they can protect against plenty of threats.

Security isn’t all or nothing, it’s about understanding what the different threats are and adequately protecting against them. Not everyone is trying to protect against attackers with millions of dollars at their disposal. There is plenty of value to deterring 99% of attackers with physical access.

The idea of security as all or nothing, and that physical access thus defeats all security measures, are security tropes that need to die. You can see how obviously wrong they are when you consider that just about every security system depends on proper behavior by trusted human beings, who are never 100% reliable.

> when you consider that just about every security system depends on proper behavior by trusted human beings, who are never 100% reliable

...and I think that's perfectly fine and IMHO required. I've long been a proponent of the philosophy that a little bit of insecurity is what keeps society in general from turning into complete dystopia; but unfortunately, paranoia and the search for "perfect security" is driving it in that direction.

In other words, striving for perfect security is treacherous precisely because humans are not 100% reliable. The same way you would probably not want "perfect" law enforcement by the government.

Yes, but no. I mean you are probably familiar with FIPS-140-2's security levels [0], and the ESP32 is probably on none of them. (Not even Level 1. Which is roughly something that you can do almost purely in software, that's why OpenSSL has this mode.)

I'd argue that if you want to use some kind of device as part of your security system, and that part has to endure temporary physical access from unauthorized third parties, then you need something that is designed for that. Considering software broken when it's clearly not designed to withstand physical tampering ... is a bit silly. (Though considering it broken in terms of IP protection is not surprising, it was never really designed for that either.)

Though, of course, you're absolutely correct that compared to its price (or cost), it's a lot more secure than an empty floppy (yet similarly simple - except you can't toggle an efuse by hand), or early smart phones (or early anything that was complex, ran every kind of software as root, and so naturally was full of holes).

[0] https://en.wikipedia.org/wiki/FIPS_140#Security_levels

I don't disagree with other parts of your post, but I still think protecting against the scenario where an attacker has physical access to your computer is basically pointless. Especially if it comes with a very significant loss of freedom.

If a malicious person has entered your home or workplace, access to your computer should be low on the list of worries.

Not every system is inside a home or workplace.

ATMs. Parking meters. Building security/intercom systems. Digital billboards and transit information signage.

These are the IoT devices that need to be hardened against physical access.

Android handles this decently well: it allows you to install whatever you want to the device, but to unlock the device for custom firmware, the device is first wiped, so user data is perfectly safe.

This would be more akin to jailbreaking your Nintendo Switch and installing Linux. An IoT platform that's intended to be secure can be tricked into revealing its key.

Most consumers aren't going to write custom firmware for their lightbulbs.

Of course, I think this exploit is impractical for a lot of cases given how the ESP32 is typically used, but, ymmv.

I didn't have to write Linux to benefit from an open platform. I didn't write OpenWrt either but benefit hugely from it.

The point of locking out game console owners is to protect the software vendors. What's the point with IoT?

To protect against clones that just install your software.
> Might as well call the PC a broken platform since you can install your own OS.

More like calling a PC broken if you can install your own OS even after you've enabled Secure Boot and a TPM (in which case, the security features are objectively broken).