We had a small surprise when a device we didn’t expect was suddenly showing up in our list of devices on notehub.io. It turned out to be innocuous, resulting from the reuse of a code sample that contained the product UID, but it did raise a discussion internally.
Is there a way to prevent a malicious actor who has the product UID from adding devices to our project?
Hi @rdimartino and welcome to the Blues community!
In short, no, there isn’t a way to prevent someone from using a known ProductUID with their own Notecard. However, you can disable the device through Notehub and contact our support team should this happen.
Of course, for this reason we recommend that ProductUIDs be kept private (e.g. not stored in public source control etc).
Also, while this doesn’t help with the above scenario, you can reserve a specific prefix for your ProductUID if you are interested (head to the Billing → Prefixes section). This does make sure that other Notehub accounts can’t use the same prefix.
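One way to act on the advice above about keeping ProductUIDs out of source control, as an added example that is not from the original thread or from Blues: a small Python scanner that flags quoted ProductUID literals (reverse-DNS name, a colon, then a product name) in source files, so it can run as a pre-commit check. The allow-listed placeholder value and the sample source lines are constructed assumptions for this example.

```python
import re
import sys

# A Notehub ProductUID has the shape <reverse-dns>:<product_name>, e.g.
# "com.example.alice:sensor_demo" (constructed sample value). The pattern only
# matches quoted literals, which is what a leaked UID in code or JSON looks like.
PRODUCT_UID_RE = re.compile(r'["\']((?:[a-z0-9-]+\.)+[a-z0-9-]+:[a-z0-9_-]+)["\']')

# Documentation-style placeholder that is fine to commit (assumed allow-list).
ALLOWED_PLACEHOLDERS = {"com.your-company.your-name:your_product"}


def find_hardcoded_product_uids(text):
    """Return [(line_number, uid), ...] for every non-placeholder ProductUID literal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PRODUCT_UID_RE.finditer(line):
            uid = match.group(1)
            if uid in ALLOWED_PLACEHOLDERS:
                continue
            hits.append((lineno, uid))
    return hits


def scan_files(paths):
    """Scan each file; return [(path, line_number, uid), ...] for all findings."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, uid in find_hardcoded_product_uids(fh.read()):
                findings.append((path, lineno, uid))
    return findings


# Constructed sample: two leaked UIDs (C define and hub.set JSON), one allowed
# placeholder, and one value correctly read from the environment at runtime.
SAMPLE_SOURCE = '''\
#define PRODUCT_UID "com.example.alice:sensor_demo"
{"req":"hub.set","product":"com.acme-iot.bob:fleet_tracker","mode":"periodic"}
{"req":"hub.set","product":"com.your-company.your-name:your_product"}
product = os.environ["NOTEHUB_PRODUCT_UID"]
'''

if __name__ == "__main__":
    # With file arguments it behaves like a pre-commit hook (non-zero exit on a hit);
    # without arguments it demonstrates the check on the constructed sample.
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
        for path, lineno, uid in results:
            print(f"{path}:{lineno}: hardcoded ProductUID {uid!r}")
        sys.exit(1 if results else 0)
    for lineno, uid in find_hardcoded_product_uids(SAMPLE_SOURCE):
        print(f"sample line {lineno}: hardcoded ProductUID {uid!r}")
```

Run it as `python check_product_uid.py $(git diff --cached --name-only)` from a pre-commit hook to refuse commits that embed a real ProductUID.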
I wanted to post a quick follow up after discussing this with a colleague in more detail. For production deployment scenarios, a best practice is to edit your ProductUID and set a default fleet to which all new devices are assigned. Also, you can enable “temporarily block incoming connections” which still assigns a device to a fleet, but prevents the new devices from adding any events to the project (note that the text provided here is incorrect, but will be corrected):
And this is the result of a new device connecting, allowing you to triage/approve it by moving it to a proper fleet and enabling connectivity on the device:
Hope this helps!