Big Bugs | Episode 6: API Security and the Internet of Things w/ Fitbit

The unprecedented growth and adoption of connected devices have created innumerable threats for organizations, manufacturers, and consumers, while at the same time creating unprecedented opportunities for hackers. In this episode of Big Bugs, Jason Haddix joins Fitbit’s security team to explore what it takes to effectively hack connected devices through APIs, and how the role of defenders has evolved in this domain.

The speakers explore the growing prevalence of connected devices in our lives, the use of APIs, the increasing importance of API testing in its new form (REST vs older XML based testing), and how it’s a valuable skillset for researchers as well as organizations.

About our Guests:

Jim Hebert is a Senior Security Engineer at Fitbit in charge of internal security training and evangelism as well as heads up their bug bounty program. He has been involved with various aspects of security research in one form or another since 1996, including spending time at Google working on Chrome OS and their Vulnerability Rewards Program.

Marc Bown is also a Senior Security Engineer at Fitbit, managing the company’s Security Features team and Incident Response. Prior to joining Fitbit, he ran Trustwave SpiderLabs for the APAC region which meant delivering all application security and incident response projects for Spiderlabs in that region and has a background in application security, penetration testing, and incident response.

About Fitbit’s Bug Bounty Program:

About a year ago, Fitbit launched their public Kudos only program with Bugcrowd to supplement their internal test efforts and traditional, directed penetration tests from consulting firms. In addition to running a public program, Fitbit has experimented with private invite-only programs offering cash rewards. Up to date, Fitbit has paid over $30K from their private bounty programs and often ‘recruits’ researchers participating in their public program for their private program. They recently wrote about the value they find from running both of these programs with Bugcrowd, and why it’s important to work with the security research community on their Engineering Blog. 

Tune into this episode to hear more about why they run a bug bounty program, what trends they’ve seen, and details about a particularly interesting bug submitted through their program. 

Resources mentioned in this Episode:

• Troy Hunt’s Nissan LEAF hack
• OWASP IoT Surface Areas project
• Helpful IoT Testing/Learning Targets: Damn Vulnerable Router Firmware
• OAuth Testing resources
  • https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-haddix.pdf
  • https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
  • https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet

Have questions for me? Continue the discussion on our forum and subscribe below to get monthly episodes of this podcast. You can also subscribe to the Bugcrowd podcast RSS feed and find us on iTunes.