IoT Device White-labeling (Part 1)

Danny Y. Huang
All Things Inspected
Sep 27, 2022

TLDR. When you purchase an IoT device from Company X, how do you know that Company X manufactured the device and not somebody else? In this blog post, we explore this phenomenon — that a device is branded as Company X’s product but in fact made by Company Y, also known as white-labeling — and discuss some of the security and supply chain implications.

A while ago, I purchased a home security camera from Company X (which I shall not name for now). Based on the company’s website, it appears to be a US camera maker that targets consumers. Reviews on Amazon look nothing out of the ordinary, so I made the purchase.

When I analyzed the network traffic of the camera using IoT Inspector, the hostnames the camera contacted resembled those contacted by Dahua cameras (a Chinese camera maker), according to IoT Inspector’s internal dataset.
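One way to make the hostname comparison above concrete, added here as an illustration; it is not IoT Inspector's code or the author's method. The vendor names, hostnames and the Jaccard scoring are constructed assumptions.

```python
# Added example: rank candidate OEMs by how much a device's contacted domains
# overlap with per-vendor domain sets. All names and hostnames are constructed.
from collections import defaultdict

def base_domain(hostname: str, labels: int = 2) -> str:
    """Keep the last `labels` DNS labels. Assumption: a real pipeline would
    use the Public Suffix List to find the registrable domain."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])

def shared_infrastructure(vendor_hosts, max_vendors=1):
    """Domains seen for more than `max_vendors` vendors (NTP, CDNs, clouds)
    carry no signal about who built the device, so they are excluded."""
    seen = defaultdict(set)
    for vendor, hosts in vendor_hosts.items():
        for host in hosts:
            seen[base_domain(host)].add(vendor)
    return {d for d, vendors in seen.items() if len(vendors) > max_vendors}

def rank_vendors(device_hosts, vendor_hosts):
    """Return (vendor, Jaccard score, matching domains), best match first."""
    noise = shared_infrastructure(vendor_hosts)
    device = {base_domain(h) for h in device_hosts} - noise
    scores = []
    for vendor, hosts in vendor_hosts.items():
        known = {base_domain(h) for h in hosts} - noise
        union = device | known
        jaccard = len(device & known) / len(union) if union else 0.0
        scores.append((vendor, round(jaccard, 2), sorted(device & known)))
    return sorted(scores, key=lambda s: s[1], reverse=True)

# Constructed reference data: hostnames previously observed per manufacturer.
KNOWN = {
    "vendor-a": ["p2p.vendor-a-cloud.example", "upgrade.vendor-a-cloud.example",
                 "api.vendor-a-push.example", "time.pool-ntp.example"],
    "vendor-b": ["mqtt.vendor-b-iot.example", "cdn.vendor-b-iot.example",
                 "time.pool-ntp.example"],
}
# Constructed capture: hostnames contacted by a camera sold under "Brand X".
CAMERA = ["relay7.vendor-a-cloud.example", "api.vendor-a-push.example",
          "time.pool-ntp.example", "www.brand-x.example"]

if __name__ == "__main__":
    for vendor, score, matches in rank_vendors(CAMERA, KNOWN):
        print(f"{vendor}: {score} {matches}")
```

A high score is only a lead: shared cloud SDKs or hosting can produce overlap too, so it still needs confirmation, as the vendor's answer provides later in this post.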

I was confused and concerned. Many of Dahua’s cameras were compromised in the 2016 Mirai botnet attack; see this 2017 USENIX Security paper. The company’s security practice is opaque, and it is unclear whether and how they have patched the cameras. From a security researcher’s point of view, I had reservations about Dahua’s security standard. However, nowhere on Company X’s website was any relationship with Dahua mentioned. The question is: Did Dahua make cameras for Company X?

You may think this is a reindeer, but it’s actually a cat underneath the hood. Photo by Đồng Phục Hải Triều on Unsplash

To find out, I used the live-chat feature on Company X’s website and asked one of the online agents the same question. They confirmed, on the record, that Dahua was the Original Equipment Manufacturer (OEM) for Company X. Effectively, this was white-labeling.

In fact, the practice of white-labeling is not uncommon. TuYa, a China-based company that makes IoT devices and SDKs, offers white-labeling services, according to the company’s website. Customers could choose from “more than 1,000 devices” in TuYa’s database — including “smart plug, light switch, light bulb, sensors, home appliances, IP camera and etc” — and rebrand the devices as their own.

The broader question is: How many such devices use white-labeling? How can we use the IoT Inspector dataset to identify white-labeled devices? Stay tuned, as we will write about our analysis in the next week.

About All Things Inspected: We are a group of academic researchers who are passionate about security and privacy issues that affect daily lives. For more details, view this post.
