100%. This is something we are trying to solve with Butter Box (https://likebutter.app/box/) but there aren't great answers.
I've considered shipping a unique-to-device certificate for e.g. box123.comolamantequilla.com with each box. It doesn't solve the evil maid scenario of someone copying it, but it at least provides TLS. Realistically, our users are offline and mostly not going to verify that comolamantequilla is owned by the organization they're intending to trust.