Put a URL in a firmware image that is never called by your device/app.
Monitor the URL for access. You then receive an alert that someone accessed the URL.
This gives you a real-time notification that a reverse engineer has looked at your firmware. It also gives you an IP address. So you now “know” that someone might try to hack your device. And you also have an IP address.
This is a billion dollar security play!
Jokes aside, it is a good concept for IoT firms who have a security advocate, but no budget. Would help persuade people that there are hackers targeting their devices/apps with quantifiable data of degrading value.
Huh. That’s...a good idea. The idea has to be developed further though. This has to be deployed on different domain names and with full content control on the web pages.
I guess that’s all doable with the “private server with root access” under enterprise pricing. What a great way to precisely measure cover time. You could inject arbitrary URLs into an application to see if your API has been reverse engineered.
I presume the idea is to make the URL appear to be part of the standard API (and maybe even does something useful to induce use?), but it is never actually called by a legitimate application?
I’m speaking specifically about the case where someone is trying to reverse engineer a private API from an application. Then interacting with an API endpoint will necessarily trigger the canary.
Having retrieved API secrets offensively, and overseen secret rotation defensively, I’d say it would be a game changer. It’s an excellent idea to automate this discovery with an alarm. The current discovery system is either an internally developed, half-baked version of this that comes from sophisticated logging, or manual oversight.
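Added example (not code from any commenter in this thread) of the monitoring half of the idea described in the first post and in the private-API reply above: a registry of canary paths that no shipped firmware or app ever requests, a parser for combined-format web server access logs, and a detector that turns any request to a canary path into an alert carrying the source IP, timestamp, user agent and the artifact the canary was embedded in. All paths, log lines and labels are constructed for the example; mapping each canary to a label goes slightly beyond the thread, so a hit tells you which build or app was pulled apart, not just that something was.

```python
import re
from datetime import datetime

# Constructed canary registry: each path is embedded in one artifact (a firmware
# image, an app binary) but is never requested by legitimate code, so any hit
# means someone extracted it by hand. Values are made up for this example.
CANARY_PATHS = {
    "/api/v2/diag/7f3a9c1e": "firmware image build 2024-03 (device)",
    "/api/v2/session/refresh-legacy": "mobile app private API",
}

# Combined log format as written by Apache/nginx (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Match on the path only: a reverse engineer may append query parameters.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_canary_hits(lines, canaries=CANARY_PATHS):
    """Return one alert record per request that touched a canary path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = canaries.get(rec["path"])
        if label is None:
            continue  # ordinary traffic, nothing to report
        hits.append({
            "ip": rec["ip"],
            "when": rec["ts"].isoformat(),
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "user_agent": rec["ua"],
            "label": label,
        })
    return hits


def summarize(hits):
    """Group alerts by artifact: which canary was tripped, and from which IPs."""
    by_label = {}
    for h in hits:
        by_label.setdefault(h["label"], set()).add(h["ip"])
    return {label: sorted(ips) for label, ips in by_label.items()}


# Constructed sample log: two normal device requests, two probes of the
# firmware canary (one with a query string), one probe of the API canary,
# and one malformed line the parser must skip.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /api/v2/status HTTP/1.1" 200 512 "-" "DeviceFW/1.2"',
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /api/v2/telemetry HTTP/1.1" 200 128 "-" "DeviceFW/1.2"',
    '198.51.100.23 - - [10/Oct/2024:14:02:11 +0000] "GET /api/v2/diag/7f3a9c1e HTTP/1.1" 404 162 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Oct/2024:14:02:19 +0000] "GET /api/v2/diag/7f3a9c1e?x=1 HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '192.0.2.55 - - [10/Oct/2024:15:10:02 +0000] "POST /api/v2/session/refresh-legacy HTTP/1.1" 401 45 "-" "Mozilla/5.0"',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    alerts = find_canary_hits(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['when']} {a['ip']} {a['method']} {a['path']} "
              f"({a['label']}) ua={a['user_agent']!r}")
    print(summarize(alerts))
```

Note that the canary endpoint returns 404 and 401 in the sample: the server does not need to implement anything, it only needs to log the request, which is what makes this cheap for a team with no budget. Because the URL is static in the image, the signal decays as more people extract it, which is the "degrading value" the first post mentions; one canary per build keeps the labels meaningful for longer.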