Abusing the Internet of Things


the final product to be able to expire and refresh the AccessToken. This will prevent the token from persisting forever, which increases the chances that it can be compromised.

Let’s add a buzzer module to our prototype. As shown in Figure 7-24, we attach the buzzer module by snapping it into the right side of the cloudBit. Now our prototype will be able to send an SMS message when the button is pressed as well as activate a local audio buzzer, just like a traditional doorbell. This further illustrates how powerful the littleBits prototyping platform is: designers can add and change functionality based on new ideas in a matter of seconds.


FIGURE 7-24. Buzzer module added to the SMS doorbell prototype


In order for our prototype to send an SMS message and activate the buzzer, we have to
create an extra IFTTT recipe that will need to select the cloudBit for both the input and output
sections (Figure 7-25).
The final product may include a smartphone app that will have to store the token to the
local filesystem. If the app or the phone is compromised in any way, attackers can gain access
to the token. Another scenario could be the compromise of all issued AccessToken values that
are stored on the littleBits servers. This could allow an attacker to control all cloudBit modules
that are online. Once the initial prototype is complete, thinking through such scenarios will
help designers understand the importance of implementing mechanisms for tokens to expire
and be refreshed. If a malicious entity gains access to the token, a simple command such as
the following will cause the prototype’s buzzer to sound infinitely in a screeching tone:


$ curl -i -XPOST -H "Authorization: Bearer [AccessToken DELETED]" \
  -H "Accept: application/vnd.littlebits.v2+json" \
  https://api-http.littlebitscloud.cc/devices/[DeviceID DELETED]/output \
  -d percent=100 -d duration_ms=-1
HTTP/1.1 200 OK
access-control-allow-headers: Authorization, Content-Type, If-None-Match
access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: WWW-Authenticate, Server-Authorization
access-control-max-age: 86400
cache-control: no-cache
content-type: application/json; charset=utf-8
Date: Thu, 02 Apr 2015 05:49:08 GMT
Content-Length: 16
Connection: keep-alive
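The expiry-and-refresh mechanism the text recommends for the final product, sketched as an added example that is not from the book or the littleBits API: the server mints short-lived, HMAC-signed access tokens, a separate refresh token (stored server-side and rotated on use) mints a fresh one, and the stand-in for the /devices/[DeviceID]/output handler rejects anything stale, so a leaked AccessToken stops working after ACCESS_TTL seconds. The key, TTL, token format and refresh flow are all assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # assumed: lives only on the cloud side
ACCESS_TTL = 600                        # assumed: 10-minute access tokens
_refresh_store = {}                     # refresh_token -> device_id (server-side)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_access_token(device_id: str, now: float = None) -> str:
    """Access token = base64(claims) + '.' + HMAC; claims carry the expiry."""
    now = time.time() if now is None else now
    payload = json.dumps({"dev": device_id, "exp": now + ACCESS_TTL}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def issue_refresh_token(device_id: str) -> str:
    rt = secrets.token_urlsafe(32)
    _refresh_store[rt] = device_id
    return rt


def verify_access_token(token: str, device_id: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):   # tampered or forged
        return False
    claims = json.loads(payload)
    return claims["dev"] == device_id and claims["exp"] > now   # bound to device, not expired


def refresh(refresh_token: str, now: float = None):
    """Burn the old refresh token and hand back a new (access, refresh) pair."""
    device_id = _refresh_store.pop(refresh_token, None)
    if device_id is None:
        return None
    return issue_access_token(device_id, now), issue_refresh_token(device_id)


def handle_output(token: str, device_id: str, percent: int, duration_ms: int,
                  now: float = None) -> int:
    """Stand-in for POST /devices/<id>/output: check the token before driving the buzzer."""
    if not verify_access_token(token, device_id, now):
        return 401
    # here the real service would drive the output with percent / duration_ms
    return 200
```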

212 CHAPTER 7: SECURE PROTOTYPING—LITTLEBITS AND CLOUDBIT