Taking over their DNS isn't going to help if they did things correctly. If they did things right, each device is going to be doing cert verification with AWS IoT, and that verification will fail. That's client and server cert validation, unless they turned that off.
On reset it should still verify the server cert when it tries to call home, but since you have access to the image you can replace that (if they didn't stash it somewhere securely, that is).
The key point here would be "did things correctly" :)
The sign did use AWS IoT for real-time configuration updates; however, initial configuration was pulled from their HTTP server. Using the vulnerability I describe in the article, I just remove the connection to AWS IoT.
There are other ways to accomplish that (asymmetric cryptography says hi). You don't need AWS IoT for everything. I cringe when people's default solution is to make their company dependent on a niche product of another company, especially when it's easily avoidable.
Could you explain this further? How would you ensure that when you connect to https://trainsignapi.com that it validates the response is coming from the expected server? Would you hardcode a certificate on the device? What if you needed to upgrade the certificate? I don't quite understand how AWS IoT fits into it either.
If you're doing it "properly", you should have your own CA, not using public CAs, because public CAs will give certificates to anyone who controls servers on your domain or controls the domain; not just you. All it takes is someone to buy your expired domain, and they can get a new, publicly valid cert.
If you needed to update the CA, you'd need a firmware upgrade, served with a certificate signed by something chained to the old CA. And then, more likely than not, you'd want to do further updates on a new hostname, because it's hard to do a single hostname and send the right certs to the right clients.
This is a giant pain, and I don't blame people for using public CA infrastructure instead. Especially if your company goes bust, who cares?
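The private-CA pinning described in the comment above, as an added example that is not part of the original thread: a device that chains server certificates only to a vendor CA rejects a certificate for the same hostname from any other issuer. The hostname, CA names and file names are hypothetical, the second CA stands in for any issuer the device does not pin, and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, host and file here is hypothetical.
HOST="device-api.example.test"

make_ca() {  # $1 = file prefix, $2 = CA common name
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_cert() {  # $1 = issuing CA prefix, $2 = output prefix
  openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 7 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# What the device does: chain the server cert to the pinned CA file and
# check the hostname. Exit status 0 means the cert would be accepted.
# Note: openssl may also consult the system CA directory; a real device
# image would ship the vendor CA as its only trust anchor.
device_accepts() {  # $1 = pinned CA file, $2 = server cert
  openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1
}

# Prints one "name=accepted|rejected" line per certificate.
run_demo() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
      '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > req.cnf
    make_ca vendor_ca "Vendor Device CA"   # the CA baked into firmware
    make_ca other_ca  "Some Other CA"      # stands in for any public CA
    issue_cert vendor_ca legit
    issue_cert other_ca  lookalike         # same hostname, different issuer
    for c in legit lookalike; do
      if device_accepts vendor_ca.pem "$c.pem"; then echo "$c=accepted"
      else echo "$c=rejected"; fi
    done
  )
  rm -rf "$dir"
}

run_demo
```

Swapping `vendor_ca.pem` for a bundle that contains both CAs makes the lookalike certificate pass, which is the situation a device is in when it trusts the full public CA list.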