Man in the Middle

In today's connected world all there are two roots of trust:

1. A device or a service you want to trust is from a highly valued brand
   or
   
2. It is completely open and has been audited by a broad community

Trust is extremely difficult to establish. It takes years and must be one of the top priorities for a brand owner. It is also very easy to lose. And yes, you have to trust somebody. If you don't then probably the only option is to verify everything yourself,  which, given how complex things are, is simply impossible.

At the same time, most people when buying a product or signing up for a service rarely think in terms of trust. "I bought this cool WiFi - connected light bulb" and you screw it in, not even thinking it may "phone home" and store your WiFi credentials in the open text. Or you grab a utility software application from a website and install it on your computer not even bothering to check the file signature (if provided and can be trusted...).

Malware and man-in-the-middle type of software is almost everywhere now. And it is very easy for bad guys to inject it in legitimate products and applications. Especially if the manufacturing process or the supply chain is not sufficiently protected. This becomes especially important for brand owners. They need their devices to be armed with protection against any means of injecting untrusted / unintended code. The end result must be such that an end user trust the device by trusting the brand behind it has done everything right to make sure the software inside is clean. But the reality is that many consumer devices today happily accept firmware updates without checking for cryptographic signatures and integrity.

After banning default passwords, software integrity and authenticity protection is probably the next legal requirement in many jurisdictions. This is the necessary step that governments must take to protect us against the most basic cybersecurity threats, as not all brands consider it important.