[cushychicken]

I'm always surprised how infrequently JTAG interfaces are disabled on actual honest to god products that go into the field.

It's not at all hard to blow the JTAG enable fuse in most chips. And you can give away a ton of info from your device if you don't do this. That potentially includes really sensitive info - through backdoors like this. People keep all kinds of stuff on their hard drives.

(Full disclosure: I'm the HW eng who reviewed this design. Hi Matt! Reverse engineering is still magic.)

[londons_explore]

I don't disable JTAG on field hardware because theres a good chance I'll be expected to do failure analysis or bug-hunting on the production hardware. JTAG is going to make that much easier.

And, lets be honest, your smart IoT coffee maker doesn't really have any secrets that need protecting from you, despite whatever the business team thinks.

[foldor]

Hard disagree. That "smart IoT coffee maker" stores your wifi details, including the password so it can reconnect. I appreciate the level of sophistication and effort required for someone to be able to abuse that is beyond the realm of likelihood, it's not unreasonable to believe that there may be higher value targets (like journalists) who are being targeted where this is a reasonable method for dedicated attackers to use to gain access to a targets home network. Better to just secure these things by default.

[crispyambulance]

It really depends on the situation. For a mature, mass-produced product going into sensitive places, sure, disable it before it goes into the field. Same for very security-focused hardware.

But most of the "pizza-box-shaped" things I've worked on in telecom have jtag enabled even when in the field. I've never thought about it much, but to actually get to a jtag interface requires a level of physical access that would be far-fetched unless you're talking about "James-Bond-level" bad actors or "inside-job" people who are already entrusted with an enormous amount of privileges anyway.

JTAG is super useful for troubleshooting and in general, for things that aren't throw aways and that can be repaired, re-calibrated, or re-configured, it makes sense to keep it available.

[londons_explore]

If your attack vector is bad guys with physical access to the circuit board, disabling JTAG will only be a minor speedbump to them.

The vast majority of microcontrollers aren't hardened against physical attack - especially not anything with wifi capability.

"disable jtag" is intended to make it harder to make modchips (ie. bypass the coffee subscription), but doesn't help against someone willing to do a one-off glitching attack or similar to dump secrets.

[OJFord]

You're worried about someone with physical access and time to dump info from a JTAG header gaining the WiFi password?

[bongodongobob]

Target throws out coffee maker. Threat actor goes through trash. They don't have to break into the building to get it.

[buildbot]

If someone is targeting you that precisely they are sorting through your trash for a coffee maker, then I would posit you are already in deep trouble and they'd likely do something easier like wait for you to leave and insert physical access into your network then...

[tverbeure]

The $5 password circumvention device comes to mind. https://xkcd.com/538/

[OJFord]

And you propose what instead, that the target verifies their coffee maker manufacturers disable the JTAG interface on production units so that they can throw it away without worrying about this?

Seems like the wrong solution to an already absurd/niche threat model.

[bongodongobob]

I'd propose not buying wifi coffee makers if you're worried about security.

[numpad0]

That's why lots of companies crush perfectly good Surfaces and 2242 SSDs when recycling.

[yjftsjthsd-h]

The irony, of course, being that those can generally be properly wiped to safely resell. Or, if it matters, the thing should have been using full disk encryption so it's irrelevant.

[beeboobaa3]

People are allowed to throw out a piece of paper with their wifi password written on it as well.

[y04nn]

A plausible scenario I can think of would be in an office space, a shared smart coffee machine that would be stolen to gain WIFI access.

[theamk]

Surely the shared coffee machine would be on a guest network with no access to internal resources?

Having separate "guest wifi" is a great idea and provides much better security than trying to ensure none of your IoT devices expose your password.

[numpad0]

One of items often missing from discussions on security on the Internet is that the first step of security is physical security. Phrases like "once they have it it's over", "DRM is not security" are not just mantras, it's reflecting that.

To secure a thing, you are supposed to literally secure the thing, as in, placing the equipment away from walls, bolted down to the floor, chassis locked and rigged for self destruction, perimeters patrolled and monitored by armed guards.

Software security is additional parts that build on top of that physical security. Hardware root of trust, Secure Boot, code signing, all helps, but physical security has to come first.

If you're throwing out the coffee maker not securely erased(military guys call it zeroizing - cool), or not maintaining custody of it by either keeping it to yourself or having dogs and your grandsons taking part watching it at all times, then the coffee maker is technically not secure, by any of those alone.

[fullspectrumdev]

If someone’s breaking into my house and disassembling my IoT coffee machine to hook up some JTAG cables I have bigger problems than someone getting my WiFi password - such as the fact the pricks in my house.

[boznz]

Lots of vectors don't even require JTAG. Coffee maker type devices are likely to be just a $1 a microcontroller with inbuilt flash which you can fuse when programming to prevent reading but is rarely done in small production runs.

flash for microcontrollers such as ESP, Rpi pico etc is usually saved on an 8-pin flash chip which most people forget about and is easy to unsolder and pop into a reader. bigger devices using bootloaders sometimes store a whole FAT32 filesystem in one of these, you can even unsolder most flash and re-mount it with a little skill and suitable hardware.

I once read an AWS private key stored in plain text from an IOT board once. Go figure!

[ronsor]

If your concern is attackers breaking into your home, opening your coffee maker, and dumping credentials over JTAG, I think your threat model might need serious revisions.

[ProllyInfamous]

Just out of curiosity, what coffee-making function would possess somebody enough to connect their coffeemaker to the internet?

My new water heater came with WiFi, and I just cannot understand why my tank needs-do anything more than just heat water..?

[sunshinesnacks]

For the coffee maker, maybe being able to set a schedule to brew in the morning.

For a water heater, participating in a utility program where they modify your temperature sweeping in exchange for a reduced rate or similar incentive.

Those are the first reasons I can think of.

[Dowwie]

What vendor and model water heater did you get? Useful smart features are of the variety that the manufacturer would never enable off the shelf, such as monitoring magnesium anode deterioration so that it could notify a user when it is time to replace the anode. It's against the interests of the manufacturer because replacing the anode extends the life of the heater.

[ProllyInfamous]

It's a Rheem hybrid 50gal.

Lots of interesting suggestions/applications in response to my initial comment. My local electric utility has a smart grid, but offers me as a consumer none of the so-far-listed reasons to connect to WiFi for electricity savings (e.g. no time of use metering)... but it would be cool if the anode deterioration could be monitored [I'll check the manual].

[Larrikin]

There is an entire operating system and a massive amount of functionality in your home that can be unlocked when devices have features like that. It's one of most active projects on GitHub and there's a huge community that knows the value.

The only downside is companies trying to scoop up that data for their own purposes and when companies disable perfectly working products because they claim the servers are too expensive. The Home Assistant community makes a big point of recommending products that guard against issues like that.

https://www.home-assistant.io/

[margalabargala]

Adding to the other reasons listed here:

Some people have solar installations, but do not have 1-to-1 net metering from their power company. For these people, having a connected hot water heater allows them to use their own solar power for heating water when they can, lowering their power bill.

Essentially any high-consumption electrical device can similarly benefit, especially ones that store energy such as hot water heaters and electric car chargers.

[beeboobaa3]

Yikes. You think people shouldn't be allowed to know their own wifi credentials?

Or do you think that physical access does not mean you own the device?

[Dowwie]

What aren't you capturing by sending coredumps from the device to another machine? Why do you need physical access?

[londons_explore]

Most embedded hardware has no easy way to send/restore core dumps if JTAG is disabled.

And even if it did, a good chunk of debugging involves running the system live in the target environment and looking at traces. Eg. "the device doesn't work properly when on the customers wifi network because their router responds to ARP requests too fast and we miss the response packet because we're still busy reconfiging the radio from TX mode into RX mode"

[mdaniel]

Security is always a spectrum between defense and convenience, and my life experience thus far is a lot closer to "manufactures hate me" than it is "someone gonna break into my house, disassemble some electronic, tap into jtag, exfiltrate all the things" so I would much, much, much prefer if it were advertised as an option that folks who do have considerable threat models could just push a safety pin through the magic "blow jtag fuse" hole and the rest of us could monkey with hardware we legitimately should own