In this episode of the podcast, we bring you the second installment of our interview with Jeremy O’Sullivan of the Internet of Things analytics firm Kytch. (The first part is here.) In this episode Jeremy talks about the launch of Kytch, his second start-up, which helped owners of soft ice cream machines by the manufacturer Taylor to monitor and better manage their equipment. We hear about how what Kytch revealed about Taylor’s hardware put him at odds with the company and its long-time partner: McDonald’s.


We generally view and talk about phenomena like “digital transformation” in a positive light. The world’s growing reliance on software, cloud computing, mobility and Internet-connected “things” is remaking everything from how we catch a cab, to how we grow food or educate our children.

Jeremy O’Sullivan, co-founder of Kytch

But what happens when that “digital transformation” is transformation to something worse than what came before, not better? What happens when technology isn’t used to build a “better mousetrap” but to support a racket that enshrines expensive inefficiencies, or a monopoly that stifles competition?

What the hell is going on?

In this week’s episode, we’re digging deep on that question with the second installment of our interview with Jeremy O’Sullivan, the co-founder of the Internet of Things intelligence start-up Kytch. As we discussed last week, O’Sullivan and his wife, Melissa Nelson, launched the company in an effort to use data analysis to revolutionize the industrial kitchen, starting with one common but troublesome piece of machinery: soft ice cream machines manufactured by the company Taylor and used by the likes of McDonald’s and Burger King.


“What the hell is going on with the software on this ice cream machine? Why as the versions increase…is the software getting worse?”

– Jeremy O’Sullivan of Kytch on the Taylor soft ice cream machines.

The Dark Possibilities of Digital Transformations


In this episode, O’Sullivan talks about how – as McDonald’s franchisees scooped up Kytch devices – his understanding of Taylor’s “business model” changed, even as the relationship with the company soured, culminating in what O’Sullivan alleges was the theft of a Kytch device and the reverse engineering of its proprietary technology.

Far more than a story about massive, wealthy incumbents crushing a smaller challenger, the Kytch story is one that hints at the dark possibilities of digital transformation, as equipment makers use software to lock out their customers and deliver on “planned obsolescence.”

We start with Jeremy’s account of how his relationship with Taylor, which had been amicable when he was trying to build Fro Bot, a platform for stand-alone yogurt and ice cream kiosks, suddenly soured when he introduced the Kytch product and began giving Taylor customers better control over their equipment. The relationship with Taylor and its partner, McDonald’s, went downhill fast from there, as Taylor’s previously friendly management cut off contact with O’Sullivan and Kytch.

Lawsuit Filed

In recent weeks, O’Sullivan and Kytch filed suit against Taylor and one of its major distributors for breach of contract, misappropriation of trade secrets and “tortious interference.” (PDF) Kytch alleges, among other things, that the company – working with a customer who was a prominent McDonald’s franchisee and a Taylor distributor – illegally obtained a Kytch device and reverse engineered it. Soon after, the company announced that it would be launching its own Kytch-like device in 2021. At around the same time, McDonald’s warned franchisees using the Kytch device that doing so could violate its warranty with Taylor and put its employees’ physical safety at risk – a message that many franchisees interpreted as a warning from McDonald’s corporate leadership against using the device.


For O’Sullivan, the behaviors reinforced concerns and misgivings he had about Taylor after analyzing data from the large number of Kytch devices deployed in McDonald’s and other restaurants. The company’s software, he said, seemed to get worse over time, not better – with each software update introducing more instability, not less, and more ways for the ice cream machines to break down, not fewer. Most suspicious of all: Taylor refused to talk about it.

“These people don’t want to have a forthright, open conversation about their software because they’re using it for malicious means – to support their healthy service and repair business.”

A Fairytale of the Deflating Variety

In this podcast, we talk with Jeremy about his experience with Taylor and McDonald’s, and about the role that software can play in creating powerful constraints on customers and the marketplace. We also discuss the lawsuit Kytch filed and some of the other unseemly revelations contained in his suit.

For O’Sullivan, the lessons of his experience aren’t the uplifting kind. “This is a very sad story and a very un-American story,” O’Sullivan told me. If Kytch was a “vaccine” for the virus of software-driven inefficiency, the real story is about the virus and the “McDonald’s industrial complex” that gave rise to it, not his company’s cure for it.

“This is crazy because it’s a story about McDonald’s that is also about the demise of McDonald’s. McDonald’s is supposed to be a symbol for America and a forward thinking tech-oriented company and it really exposes how the company has devolved.”


In this week’s Security Ledger Podcast, sponsored by Trusted Computing Group, we’re talking about securing the hardware supply chain. We’re joined by Michael Mattioli, a Vice President at Goldman Sachs who heads up that organization’s hardware supply chain security program.


When we think about cyber threats to the hardware supply chain, we often think about defense contractors making missiles and fighter jets. But these days, hardware supply chain security affects a wide range of companies – not just technology giants like Intel or cloud computing providers like Amazon and Google, but banks and financial services companies, healthcare companies, consumer electronics firms and more. 

Despite media attention to the problem, the awareness of hardware supply chain risks is still low within companies. Tools and talent to address it are hard to find and expensive. What’s a company to do? In this episode of the Podcast we welcome Michael Mattioli into the Security Ledger studio. Michael leads the Hardware Engineering team within Goldman Sachs, where he is responsible for the design and engineering of the firm’s digital experiences and technologies. He is also responsible for the overall strategy and execution of hardware innovation both within the firm and within the broader technology industry.

“Grandma deserves to know that her iPhone is genuine in the way that a corporation deserves to know if their $30,000 server is genuine.”

Michael Mattioli, Goldman Sachs

Michael is the co-author of a paper, “Consumer Exposure to Counterfeit Hardware,” in which he notes that many of the methods used to ensure hardware supply chain integrity are manual and fallible – including visual inspection of installed parts or open source research on sellers. He’s trying to sound the alarm about the threat that hardware supply chain insecurity poses to our entire economy. Michael is part of a new working group at Trusted Computing Group and the GSA that is working to develop standards-based technology and tools to enforce hardware integrity at scale.

In this interview, Michael and I talk about the growing hardware supply chain risk and the need for coordination throughout the industry to address hardware security threats.

To start off, I asked Michael to describe the work he does at Goldman Sachs and why a financial services company employs a hardware security expert. Goldman Sachs joined the TCG in February as it looks for partners in securing FinTech, where activities like mobile transactions are growing by leaps and bounds.


(*) Disclosure: This podcast and blog post were sponsored by Trusted Computing Group. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.

Let’s face it, 2020 was a terrible year. The Coronavirus has killed almost two million people globally and caused trillions of dollars in economic disruption. Wildfires, floods and hurricanes have ravaged the United States, central America, Australia and parts of Asia.

But trying times have a way of peeling back the curtains and letting us see our world with new eyes. COVID messed up our lives, and focused our attention on what really matters.

Maybe that’s why this very bad year has led to some really good conversations and insights here on The Security Ledger on topics ranging from election security, to security supply chains and the security risks of machine learning.

To wrap up 2020, I went back through 35 episodes that aired this year and selected four interviews that stuck out and, in my mind, captured the 2020 zeitgeist, as we delved into issues as diverse as the security implications of machine learning to the cyber threats to election systems and connected vehicles. We’re excerpting those conversations now in a special end of year edition of the podcast. We hope you enjoy it.

The Security Risks of Machine Learning

To start off, I pulled a March interview from Episode 180 that I did with security luminary Gary McGraw, the noted entrepreneur, author and now co-founder of the Berryville Institute of Machine Learning.

Taking Hardware Off Label to Save Lives

As winter turned to spring this year, the COVID virus morphed from something happening “over there” to a force that was upending life here at home. As ICUs in places like New York City rapidly filled, the U.S. faced a shortage of respirators for critically ill patients. As they often do, the hacking community rose to the challenge. In our second segment, I pulled an interview from Episode 182 with Trammell Hudson of Lower Layer Labs. In this conversation, Trammell talks to us about Project Airbreak, his work to jailbreak CPAP machines, and how an NSA hacking tool helped make this inexpensive equipment usable as a makeshift respirator.


COVID Spotlights Zoom’s Security Woes

One of the big cyber security themes of 2020 was the security implications of changes forced by the COVID virus. Chief among them: the rapid shift to remote work and the embrace of technologies, such as Zoom, that enabled remote work and remote meetings. For our third segment, I returned to Episode 183 and my interview with security researcher Patrick Wardle, a Principal Security Researcher at the firm JAMF. In April, he made headlines for disclosing a zero day vulnerability in the Zoom client – one that could have been used by an attacker to escalate their privileges on a compromised machine. That earned him a conversation with Zoom’s CEO that took place – to Wardle’s dismay – via Zoom.

Securing Connected Vehicles

Finally, while COVID and the ripple effects of the pandemic dominated the news in 2020, it wasn’t the only news. In the shadows of the pandemic, other critical issues continued to bubble. One of them is the increasing tension about the power held by large companies and technology firms. In our final segment, I’m returning to my conversation with Assaf Harel of Karamba Security in Episode 193. Harel is one of the world’s top experts in the security of connected vehicles. In this conversation, Assaf and I talk about the state of vehicle cyber security: what the biggest cyber risks are to connected cars. We also go deep on the right to repair – and how industries like automobiles can balance consumer rights with security and privacy concerns.



The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets.

Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.”

“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”

As reported by The Security Ledger last month, independent researchers John Jackson (@johnjhacking) – an application security engineer for Shutterstock – and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets. The first, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set, up to and including images, personal data and security tokens for connected applications. The flaw could lead to critical information disclosure, the researchers warned.


The second vulnerability, CVE-2020-28055, would have allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.

Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.

In a statement to The Security Ledger, TCL disputed that account. By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.


While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones. Owners must authorize the company to access cameras and microphones, however, according to a company statement.

The company did not address in its public statements the question of whether prior notification of the update was given to TCL owners or whether TV set owners were given the option to approve the update before it was installed.

Sick Codes, in a phone interview with The Security Ledger, said the company’s ability to push and update code to its deployed sets without owner approval amounted to a back door that could give TCL access to audio and video streams from deployed sets, regardless of the wishes of owners.

“They can update the application and make authorization happen through that. They have full control,” he said.

Such concerns obviously raised alarms within the Department of Homeland Security as well, which has taken steps to ban technology from other Chinese firms from use on federal networks.

In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).

This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.

“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.

The statement is part of escalating tensions between Washington and Beijing. On Friday, Commerce Secretary Wilbur Ross announced export controls on 77 Chinese companies, including the country’s biggest chipmaker, SMIC, and drone maker DJI, that restrict those firms’ access to US technology. The order cites those firms’ alleged ties to China’s military.

TCL did not respond to an email request for comment prior to publication of this story. We will update this story as more information becomes available.


Editor’s note: this story was updated to add reference to John Jackson, who helped discover the TCL vulnerabilities. – PFR 12/22/2020

Between Black Friday and Cyber Monday, consumers across the U.S. spent the weekend snapping up deals on home electronics like smart TVs, game consoles and appliances. Total season-to-date holiday spending, including Cyber Monday, is over the $100 billion threshold according to data from Adobe.

Lots of factors drive consumer decisions to buy one product over another: price and features chief among them. But what about cyber security? Unlike, say, the automobile marketplace, concerns about safety and security are not top of mind when consumers step into a Best Buy or Walmart looking for a new flat screen TV. And ratings systems for cyber security, from organizations like UL and Consumer Reports, are in their infancy and not widely used.


found to have numerous, serious security flaws that could have left it open to remote access and data theft – all without need of a login or password. And TCL acknowledged to Security Ledger that access to on-board cameras and microphones is available to company support personnel, though only with the permission of the owner, according to a company statement.  

This isn’t a new occurrence. Consumer Reports warned in 2018 about vulnerabilities in smart TVs by Samsung, TCL and Roku that used Roku’s smart TV platform.


But concerns about the cyber security of smart home electronics go way beyond TVs. As our guest this week, Yossi Appleboum of the firm Sepio Systems, tells us, software and hardware supply chains are rife with vulnerable – if not compromised – components. And companies, like consumers, often have no idea whether a product they’ve deployed might be secretly spying on them, or channeling sensitive data to an unknown party or country.

While many organizations think of the notion of keyboards, monitors and other hardware “spying” on them as the stuff of “James Bond” movies, Appleboum says that the threat is real – and much more common than either companies or consumers are aware.


Appleboum’s firm, Sepio Systems, provides visibility, policy enforcement and “rogue” device mitigation capabilities to organizations concerned about the risks posed by hardware assets.

In this conversation, Yossi and I talk about the supply chain security risk and how concerned consumers should be about the security of electronic devices being pushed on them this holiday season.

