Abusing the Internet of Things

devices on the network. LifeThings struck up partnerships with big players like SmartThings,
Philips, Foscam, and many other manufacturers to integrate devices from wireless door locks
to cars to lighting to baby monitors into the LifeThings hub.
Piggybacking on real estate booms in San Francisco and Seattle, LifeThings leveraged
construction of new high-rise condominiums by offering consumers its product for free for
life. Sales reps struck deals with builders to install the hubs in new condos so customers could
use them as soon as they moved in. The presence of the LifeThings hub caused condominium
owners to buy and install wireless lighting, connected door locks, and video monitors to take
advantage of the free service offered by LifeThings. People loved the seamless interoperability
of the platform—they could create recipes to control their lighting, share electronic keys with
friends to allow them to enter their homes, and so much more. Based on word of mouth and
positive reviews, LifeThings quickly became a household name, and business skyrocketed.
Simin Powell headed the customer support team for LifeThings. According to a recent
survey, satisfaction with LifeThings customer support was at 99.8 percent, ahead of most
other technology companies. Powell publicly went on record promising that every customer
support issue would be solved within five minutes of the customer initiating the support call.
For the most part, she was able to deliver on her promise. Parents would call LifeThings
customer support to let their children into their homes upon returning from school, or to check
the status of their main door if they couldn’t recall locking it. A lot of these requests could be
handled by the LifeThings app, but the company always complied with phone requests
because they wanted to provide a concierge service to best serve their customers when they
had issues.


Social Engineering Customer Support by Caller ID Spoofing


A couple of security researchers who were LifeThings users noticed that the customer support
staff would automatically greet them by name. While most customers felt this was a delightful
service experience, the researchers quickly realized that LifeThings trusted the incoming
phone numbers, correlating the caller ID with customer records to identify the user. They
tried calling customer support to report the issue, but the service agents were not able to
comprehend the problem and insisted that their services were secure from hackers. Without any
avenue to successfully report the issue, the researchers released their findings by blogging
about the vulnerability and demonstrating how easy it is to spoof caller ID information using
a commercial service such as SpoofCard (Figure 9-1).


256 CHAPTER 9: TWO SCENARIOS—INTENTIONS AND OUTCOMES