Their server gets compromised - you can do nothing about it.
Useful but only if that server is holding client IP data.
Obviously it does; but it appears you did not understand the scenario I explained.
Obviously their server connects to their devices; that's the definition of IoT. The type and "direction" of the connection does not matter in the slightest. Obviously their server can update the firmware of their own devices; I don't think there are many IoT devices which do not do that. Therefore, it is trivial to inject a backdoor into the compromised devices. Communication to these backdoors happens simply via the compromised server.
Using the backdoor you can just scan the whole subnet and get the local 192.168.x.y addresses of anything connected, including your heating controller. And that same backdoor can connect to those devices, just as easily as our "heating controller" scans the 256 addresses of the subnet to find a battery inverter, connects to it, and starts commanding it. Works fine for all 200+ customers who have those battery inverters.
If they were doing their due diligence, they would notice the weird traffic patterns, but if it is another company where people like you decide, then it will be wide open for months, maybe years.
If I am selling a million boxes, I will get some specialist to design the system, not ask bland one-liner posters on EEVBLOG.
It's not that obvious. Maybe your heating controller is the best thing since sliced bread and you get surprised by the sales growth. If it happens at a point where 2-3 years of development have already gone into the product, you could have a codebase which is large and mostly doing good things (i.e., important features). Such a codebase is slow and expensive to rewrite; and while in a sudden growth situation, you obviously can't say "sorry, we can't sell, we are redoing the project, please come back in 1.5 years"; no, you must keep selling. So any safety improvements must be something this "specialist" can glue on within a few man-months. But safety as an afterthought is a colossally bad idea.
That is why you should initially make good fundamental choices. I can assure you, from the experience we are getting right now, that during fast growth even just fixing bugs (even in a relatively well-designed system) and serving customers takes all of your time. Similarly, if you hire a security expert, all of their time is spent fixing bugs and issues even in well-designed systems (there is no such thing as "perfect").
If you initially decide "oh, we are just selling some tens of units, so no one is important, so safety is not important, so we don't even try to do it right", then that decision is pretty much set in stone. And I hope everyone involved truly understands this choice and its implications, basically that you can't ever grow as a business, and you can't sell it to others who would like to make it grow. Or you can, but then you will become one more horror story we can read in the newspapers, and someone might end up in jail. No kidding. And investors specifically do not love being conned; you can't omit the fact that hard-limiting decisions like this have been made. Or you can, but again, you might end up in jail.
OTOH, "doing your best" and "being honest", or in legal speak, due diligence, is surprisingly strong protection, even if things end up going horribly wrong.
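The "weird traffic pattern" the post says a diligent operator would notice is exactly the /24 sweep it describes (one device walking all 254 neighbours looking for something to command). The following is an added example, not code from the post or from any vendor mentioned in the thread, showing how that sweep stands out in ordinary connection logs. The record format (timestamp, source, destination, port), the thresholds (32 distinct hosts within 60 seconds) and the sample flows are all constructed assumptions; real deployments would feed it from router flow exports or firewall logs instead.

```python
"""Flag a device sweeping its own /24, as an added example of the
"weird traffic pattern" described in the post.

Input is a list of connection records (ts_seconds, src_ip, dst_ip, dst_port).
The sample data below is constructed, not captured traffic, and the
thresholds are assumptions to be tuned per network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: 192.168.1.7 plays the compromised controller walking
# 192.168.1.1..254 on port 502 (Modbus/TCP-like) looking for an inverter.
# 192.168.1.20 is a normal host making a few connections.
SAMPLE_FLOWS = (
    [(100.0 + i * 0.05, "192.168.1.7", f"192.168.1.{i}", 502) for i in range(1, 255)]
    + [
        (100.0, "192.168.1.20", "192.168.1.1", 53),
        (130.0, "192.168.1.20", "192.168.1.7", 80),
        (200.0, "192.168.1.20", "192.168.1.1", 53),
    ]
)


def find_subnet_sweeps(flows, window=60.0, min_hosts=32):
    """Return {src_ip: (subnet, distinct_hosts)} for every source that
    contacted at least `min_hosts` distinct addresses inside one /24 within
    any `window`-second interval. `distinct_hosts` is the largest such count
    seen for that source."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        net = ip_network(f"{dst}/24", strict=False)
        by_src[(src, net)].append((ts, ip_address(dst)))

    hits = {}
    for (src, net), events in by_src.items():
        events.sort()
        start = 0
        seen = defaultdict(int)  # dst -> number of events inside the window
        for ts, dst in events:
            seen[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_hosts:
                best = hits.get(src)
                if best is None or len(seen) > best[1]:
                    hits[src] = (str(net), len(seen))
    return hits


if __name__ == "__main__":
    for src, (net, count) in find_subnet_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} contacted {count} distinct hosts in {net}")
```

On the constructed sample only 192.168.1.7 is reported (254 hosts in 192.168.1.0/24); the normal host never reaches the threshold. The sliding window matters because a slow sweep spread over hours is the one a naive "connections per minute" counter misses, so lengthening `window` trades detection delay for sensitivity.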