What is Cujo, and what problem is it trying to solve?

In the 'traditional' connected home, the trust boundary was usually defined by the ISP-provided router. The device could be metaphorically seen as a wall of the home - anything on the inside is trusted by default, anything outside is untrusted by default.

For a variety of reasons which I'll save for a future post, that clear boundary has become blurred by people bringing random IoT devices from unknown and untrustworthy manufacturers into their home. Now you've got 'Smart' toasters trying to interface with your phone, laptop and TV. With the traditional trust boundary broken there are several start-ups looking to be the 'police enforcement' in your home network. If a Nest thermostat starts to behave strangely and send large amounts of traffic to the internet, block it. If the toaster hasn't ever tried to talk to my TV and then after six months tries to, block it. You get the idea.

One such company is 'Cujo', who produced a cutesy unit which you sit on a shelf to take care of things for you. It has LED 'eyes' to symbolise when 'bad stuff' is in the network. I did some testing with this unit and, long story short, it's useless (will cover in another post). The unit certainly isn't worth the ~£110 it costs to get one. I've played with other devices from competitors which are far more performant, easy to use, and actually block things as they are supposed to.

Then I thought: "If I shouldn't trust 3rd party devices I bring into my home... Then why should I trust an appliance claiming to protect me? Just like the Smart Kettle, I don't know what hardware is inside." As the consumer, surely I should be able to know what I'm physically connecting to my network? Well there are no bits of documentation online to explain what the internal hardware is, so I tried to look inside for myself...

Getting Inside

Since the Cujo unit was designed to look less like tech and more like a household ornament, there are no screws whatsoever. As I tried to take it apart with my bare hands I found that everything was glue and snap-fit from the factory with no easy way to undo anything.
So I had to improvise...


...not quite through...






To open a Cujo unit you need one hacksaw, chisel, rubber mallet, bench vise and twenty minutes.

So what does £110 actually get you?

Not much. The first surprise was that the unit is not filled throughout its volume (shown in photo above). I was expecting almost solid electronics throughout given the unit's weight (more on weight in a moment). What Cujo have done is manufacture three PCBs, one of which is the mainboard and sits along the length of the unit relative to the eyes. The other two are the LED arrays which make up the eyes themselves. There is a large number of chips across the board but nothing particularly interesting. Pretty much only one side of the PCB is populated too; the other half is all heatsink and mounting space for the RJ45 sockets.


Weight a Minute

The dimensions of the mainboard including heatsink are 10x8x2cm so the volume is 160cm³. The housing has an approximate diameter of 11cm at the widest point and height of 10cm, which makes a cylindrical volume of 950cm³. That means only 16.84% of the device is populated by 'electronic stuff'. So why does it feel so heavy and 'expensive' in hand?

There is a large lump of metal in the base of the unit, so I weighed that along with the electronics to work out how the weight was distributed. Turns out it is 154g in the housing and 321g with the electronics. Just under half the weight of the assembled unit is the enclosure! I want to believe that is due to some desire to stabilise it and stop it falling over but the bottom is flat anyway and the device is hardly top heavy. Briefly, I wondered if it might be an extension of the heatsink but a quick look showed the two pieces of metal don't make contact. Anyway, why would you conduct heat down into what might be a wooden table?

Honestly I do wonder whether the added lump of metal is just to convey the 'weight = value' idea. Whilst it is a cynical view, it also seems a likely one to me.


What now?

Very recently, Cujo quietly announced that they've stopped making these units. Instead, their website is now jumping onto the 'Machine Learning' hype train. They're trying to sell the software into other technologies. We shall see how far it goes! This is the same software that failed to block any Linux PC or Raspberry Pi and when questioned Cujo said it is made that way on purpose. No reason why, just that it is done deliberately...


For the time being, I've got a sawn-in-half Cujo which more or less fits back together. The electronics do still work so perhaps a Serial bus can be tapped onto.

Other notes:

  • Network processing chip on the board is Vitesse VSC8514XMK-11 1706BCZPA
  • Model (on label attached to Ethernet ports) is 1-CU0001-A-R-LT
  • A label on the LED eye PCB has a design date of 25/3/16
  • One Cujo was harmed in the making of this blog post