Abusing the Internet of Things

FIGURE 7-32. Recent bug bounties paid to researchers on HackerOne (figure image not reproduced; the only entry legible in the extracted text reads "Rick Simeone, #1")


Conclusion


The littleBits platform that we looked at at the beginning of this chapter let us design our SMS doorbell prototype quickly and easily, and the IFTTT platform gave the device the ability to send SMS messages. Within moments of completing the prototype, we were able to uncover security issues relating to WiFi security, command execution on the device, and the persistence of the access token that the cloudBit module uses to authenticate and authorize queries and commands. Even though the littleBits platform is designed only for initial prototyping, it is also a good way to surface security concerns early. As we have learned, it is easier and cheaper to implement countermeasures early in the design process than to bolt security on at a later stage.
We also looked at ways people could tamper with hardware-based debug interfaces to obtain access to functionality that may compromise the integrity or confidentiality of a product. These situations can put users of an entire product line at risk, as in the case of the LIFX lighting system, which exposed a universal symmetric encryption key shared by all of the company's devices.
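The LIFX case above is worth making concrete. The following is an added illustration written for this edition, not code from the book or from LIFX: it models a fleet of devices that authenticate commands with HMAC-SHA256, once with a single key burned into every unit (the model the chapter describes) and once with a per-device key derived from a master secret that never leaves the provisioning backend. The function and class names, the HMAC-based key derivation, and the sample device IDs are all assumptions made for the example; the measurement it produces is the "blast radius" of one key extracted over a debug interface.

```python
import hmac
import hashlib

# Constructed example (not from the book): each device accepts a command only if
# the HMAC tag over (device_id, command) verifies under the key that device holds.


def derive_device_key(master_secret: bytes, device_id: str) -> bytes:
    """Per-device key = HMAC(master_secret, device_id).

    The master secret stays in the backend that provisions devices; a device is
    flashed only with its own derived key, so pulling that key out over JTAG or
    UART yields nothing that works against a different unit.
    """
    return hmac.new(master_secret, device_id.encode(), hashlib.sha256).digest()


def sign_command(key: bytes, device_id: str, command: bytes) -> bytes:
    """Authentication tag over the target device ID and the command bytes."""
    return hmac.new(key, device_id.encode() + b"|" + command, hashlib.sha256).digest()


def verify_command(key: bytes, device_id: str, command: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(sign_command(key, device_id, command), tag)


class Fleet:
    """A set of devices and the key each one was provisioned with.

    shared_key:    the LIFX-style model, one key in every device.
    master_secret: the per-device model, keys derived with derive_device_key().
    """

    def __init__(self, device_ids, shared_key=None, master_secret=None):
        if (shared_key is None) == (master_secret is None):
            raise ValueError("give exactly one of shared_key or master_secret")
        if shared_key is not None:
            self.keys = {d: shared_key for d in device_ids}
        else:
            self.keys = {d: derive_device_key(master_secret, d) for d in device_ids}

    def accepts(self, device_id: str, command: bytes, tag: bytes) -> bool:
        return verify_command(self.keys[device_id], device_id, command, tag)


def blast_radius(fleet: Fleet, compromised_device: str, command: bytes = b"power=off") -> int:
    """Attacker has extracted compromised_device's key from its debug port.

    Returns how many devices in the fleet accept a command the attacker forges
    with that stolen key. Binding the device ID into the tag does not help in the
    shared-key model, because the attacker holds the same key every unit uses.
    """
    stolen = fleet.keys[compromised_device]
    return sum(
        1 for d in fleet.keys
        if fleet.accepts(d, command, sign_command(stolen, d, command))
    )


if __name__ == "__main__":
    ids = ["bulb-%02d" % i for i in range(5)]          # constructed device IDs
    shared = Fleet(ids, shared_key=b"\x11" * 32)        # universal key, every bulb
    per_device = Fleet(ids, master_secret=b"\x22" * 32)  # one derived key per bulb
    print("shared key, devices accepting forged command:", blast_radius(shared, ids[0]))
    print("per-device keys, devices accepting forged command:", blast_radius(per_device, ids[0]))
```

In the shared-key fleet the forged command is accepted by every device, because the key pulled from one bulb is the key all bulbs hold; in the per-device fleet only the unit whose key was extracted accepts it. The per-device scheme does not stop the hardware attack itself, it only limits what the attacker gets for it, which is exactly the product-line-wide risk the paragraph above describes.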
As we saw, even at the prototyping stage it is extremely important to think through how
different threat agents may want to abuse vulnerabilities. For example, a disgruntled employee
working in customer support with access to the locations of connected cars may want to


CONCLUSION 229