I did some reversing/exploring on a widely used IoT product for fun this week, and here’s what I found:

- embedded Linux on an SD card
- SD card not encrypted
- developed by a third party on behalf of the end customer who makes the actual device this thing is connected to
- runs the code in docker containers from a private container repo
- docker credentials for private repo stored locally
- can use docker credentials to access containers for all of the third party's customers, not just the one who makes the device
- GitHub creds in bash history
- can access source code for all customer projects using said creds

So things are going well over there.
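Added example, not part of the original post and not the poster's code: a small offline audit that, given a mounted root filesystem from an unencrypted SD card, finds the two leaks listed above, Docker registry logins stored inline in `~/.docker/config.json` (the `auths` map holds `base64("user:password")` unless a credential helper is configured) and secrets left in shell history such as tokens embedded in a `git clone` URL. The registry name, user names, token value and the sample rootfs it builds are all constructed for illustration.

```python
"""Offline audit of a mounted embedded-Linux rootfs for stored credentials.

Added example, not from the original post. The registry, user names, token
and the sample filesystem below are constructed; nothing here is real.
"""
import base64
import json
import re
import tempfile
from pathlib import Path

# Docker stores logins as "auths": {registry: {"auth": base64("user:password")}}
# unless credsStore / credHelpers delegate them to an external helper.
HISTORY_NAMES = (".bash_history", ".zsh_history", ".sh_history")

SECRET_PATTERNS = {
    # userinfo embedded in a URL, e.g. https://user:token@github.com/org/repo.git
    "url_userinfo": re.compile(r"https?://[^/\s:@]+:[^@\s]+@\S+"),
    # classic GitHub personal access tokens are "ghp_" followed by 36 chars
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # secrets exported straight from the shell
    "export_secret": re.compile(r"\bexport\s+\w*(TOKEN|SECRET|PASSWORD)\w*=", re.I),
}


def home_dirs(rootfs):
    """root's home plus every directory under /home (constructed layout assumption)."""
    rootfs = Path(rootfs)
    homes = [rootfs / "root"]
    if (rootfs / "home").is_dir():
        homes += [p for p in (rootfs / "home").iterdir() if p.is_dir()]
    return homes


def docker_auths(rootfs):
    """Return (config_path, registry, username) for every login stored inline."""
    rootfs = Path(rootfs)
    found = []
    for home in home_dirs(rootfs):
        cfg = home / ".docker" / "config.json"
        if not cfg.is_file():
            continue
        try:
            data = json.loads(cfg.read_text())
        except (OSError, ValueError):
            continue
        for registry, entry in data.get("auths", {}).items():
            blob = entry.get("auth")
            if not blob:
                continue  # delegated to a credential helper; nothing inline
            try:
                user = base64.b64decode(blob).decode("utf-8", "replace").split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            found.append((cfg.relative_to(rootfs).as_posix(), registry, user))
    return found


def history_hits(rootfs):
    """Return (file, line_no, pattern_name) for history lines that look like they carry a secret."""
    rootfs = Path(rootfs)
    hits = []
    for home in home_dirs(rootfs):
        for name in HISTORY_NAMES:
            hist = home / name
            if not hist.is_file():
                continue
            for n, line in enumerate(hist.read_text(errors="replace").splitlines(), 1):
                for pname, pat in SECRET_PATTERNS.items():
                    if pat.search(line):
                        hits.append((hist.relative_to(rootfs).as_posix(), n, pname))
    return hits


def audit(rootfs):
    return {"docker_auths": docker_auths(rootfs), "history_hits": history_hits(rootfs)}


def build_sample_rootfs():
    """Constructed stand-in for a mounted SD card image; all values are fake."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    docker_dir = root / "home" / "builder" / ".docker"
    docker_dir.mkdir(parents=True)
    auth = base64.b64encode(b"deploy-bot:example-registry-password").decode()
    (docker_dir / "config.json").write_text(
        json.dumps({"auths": {"registry.example.invalid": {"auth": auth}}}))
    fake_pat = "ghp_" + "A" * 36  # constructed, not a real token
    (root / "home" / "builder" / ".bash_history").write_text(
        "docker pull registry.example.invalid/vendor/app:latest\n"
        f"git clone https://deploy-bot:{fake_pat}@github.com/example-org/project.git\n"
        "ls -la\n")
    return root


if __name__ == "__main__":
    result = audit(build_sample_rootfs())
    for cfg, registry, user in result["docker_auths"]:
        print(f"docker login in {cfg}: registry={registry} user={user}")
    for path, n, why in result["history_hits"]:
        print(f"{path}:{n}: {why}")
```

Run it against a real mount by calling `audit("/mnt/sdcard")` instead of the sample; the script only reads files, so it is safe to point at a forensic image mounted read-only. A config whose `auths` entries have no `auth` field is not clean, it just means the login lives in a credential helper, which on a headless device is often a plaintext store of its own.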

@SecureOwl Tell me it's a medical device... 🤦