Some years ago I developed a hardware solution for a young entrepreneur who was looking for a way to alert pet owners to dangerously high (or low) temperatures in the vicinity of their animals. The desire to build such a device was born out of grief over the loss of a couple of family pets that died of heat exhaustion. To me, a device that alerts owners to dangerous temperatures is an educational device and, if successful, would make itself obsolete because owners would learn not to leave pets in cars - ever. Nevertheless, I developed the hardware and firmware around a cell modem that texted the owner when temperature thresholds were exceeded (there were several other interesting features).
The entrepreneur wanted the ability to change the cell number that received the texts, so as to allow the device to be linked separately to any number of individual cell phones. Part of the specification for handing off control required a security scheme that would impede unauthorized access to the device. The intent was that only people whom the owner decided should have access would be able to acquire control of the device. The device itself had no keyboard, no touch screen, and only a power switch and a microphone for user input, so every command had to arrive by SMS. The scheme I arrived at was to lock the device to what I called a Registered User Number (RUN). Out of the box the device would lock onto the first cell number that texted it the correct 4-character personal identification number (PIN). The factory default PIN was known only to me and to the client.
A text-based command was coded into the firmware that allowed the PIN to be changed only if the correct existing PIN and a valid replacement PIN were provided. That provided some security, but did not put up barriers to a spray-and-pray attack. To deter unknown parties from acquiring control by repeated PIN guessing, I included a feature that immediately informed the current registered user of all PIN change requests. If a PIN change attempt is made, successful or not, an SMS text message is sent back to the existing RUN informing the current user of the PIN change attempt and providing the phone number that generated the change request. That established a reasonable barrier to hacking, though not a perfect one: the notification makes guessing visible to the owner, it does not by itself stop it.
The client wanted to offer users some level of privacy, so although the current RUN receives an SMS text when a PIN change is requested, the current user does not receive the new PIN if the change was successful. They will know the cell number that made the request, and if it is a number they recognize, they will assume control was transferred to someone authorized to take control of the device. On the other hand, if the number is not recognized and the PIN change was successful, recourse to regain control is limited to tracking down the owner of the newly registered cell number. Good luck with that.
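As an added example (mine, not the author's firmware, which ran on a cell modem and is not shown on the page), here is a host-side Python simulation of the RUN/PIN scheme as described: the first number that texts the correct PIN locks the device, the change command requires the current PIN and a valid replacement, every attempt is reported to the existing registered number with the requester's number but without the new PIN, and a successful change transfers control to the requesting number. The command syntax ("PIN <current> <new>"), the rule that a replacement PIN is any four non-blank characters, the phone numbers, and the optional lockout counter are my assumptions, not anything the post states. The two helper functions walk through the takeover by someone who already knows the PIN and the spray-and-pray guessing the post says the scheme does not block.

```python
# Added example, not the author's code. Simulates the RUN/PIN hand-off scheme
# described in the post so its behaviour and weaknesses can be exercised.
# Assumptions (not on the page): a message consisting only of the 4-character
# PIN registers the sender; the change command is "PIN <current> <new>"; a
# "valid replacement PIN" is any 4 non-blank characters; the lockout counter
# is my added hardening, not part of the original design.
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional, Tuple

PIN_LEN = 4


def valid_pin(pin: str) -> bool:
    """Assumed validity rule for a replacement PIN: exactly 4 non-blank characters."""
    return len(pin) == PIN_LEN and not any(c.isspace() for c in pin)


@dataclass
class Device:
    pin: str                              # factory default, known only to maker and client
    run: Optional[str] = None             # Registered User Number; None until first valid PIN
    lockout_after: Optional[int] = None   # added hardening: refuse changes after N failures
    failures: int = 0                     # consecutive failed change attempts
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (to, text) SMS sent by device

    def _send(self, to: str, text: str) -> None:
        self.outbox.append((to, text))

    def handle_sms(self, sender: str, text: str) -> None:
        """Entry point for one inbound SMS (sender number, message body)."""
        parts = text.split()
        if self.run is None:
            # Out of the box: lock onto the first number that texts the correct PIN.
            if len(parts) == 1 and parts[0] == self.pin:
                self.run = sender
                self._send(sender, "registered")
            return
        if len(parts) == 3 and parts[0].upper() == "PIN":
            self._change_pin(sender, parts[1], parts[2])
        # Any other text (including a bare PIN once registered) is ignored.

    def _change_pin(self, sender: str, current: str, new: str) -> None:
        locked = self.lockout_after is not None and self.failures >= self.lockout_after
        ok = (not locked) and current == self.pin and valid_pin(new)
        # Every attempt, successful or not, is reported to the *existing* RUN with the
        # requesting number. The new PIN is deliberately not included (privacy choice).
        self._send(self.run, f"PIN change {'succeeded' if ok else 'failed'}; request from {sender}")
        if ok:
            self.pin = new
            self.run = sender          # control transfers to the requester
            self.failures = 0
            self._send(sender, "PIN changed, you are now the registered user")
        else:
            self.failures += 1


def takeover_with_known_pin(owner: str = "+15550001111", attacker: str = "+15559998888") -> Device:
    """An attacker who learned the current PIN by other means takes the device in one text."""
    d = Device(pin="7A3q")                 # constructed sample PIN
    d.handle_sms(owner, "7A3q")            # owner registers
    d.handle_sms(attacker, "PIN 7A3q Zz91")  # attacker changes PIN and becomes RUN
    return d


def spray_and_pray(lockout_after: Optional[int] = None,
                   owner: str = "+15550001111",
                   attacker: str = "+15559998888") -> Tuple[Device, int]:
    """Attacker guesses every 4-digit PIN through the change command.
    Returns (device, attempts made); the owner gets one alert per attempt."""
    d = Device(pin="4821", lockout_after=lockout_after)   # constructed sample PIN
    d.handle_sms(owner, "4821")
    attempts = 0
    for digits in product("0123456789", repeat=PIN_LEN):
        attempts += 1
        d.handle_sms(attacker, f"PIN {''.join(digits)} 0000")
        if d.run == attacker:
            break
    return d, attempts
```

Running spray_and_pray() with no lockout, the attacker wins on the 4822nd guess and the owner's phone has received an alert for every one of those guesses, so the alert stream tells the owner something is wrong long before the takeover but stops nothing. With lockout_after=10 the guessing never succeeds, yet the alerts still arrive, and the owner would need a way to clear the counter, which this simulation does not model.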
The lesson I learned in this instance was about the trade-offs between security and privacy. In this case, increasing one could reduce the other, and a trade-off was reached where some barriers to unauthorized use were established to deter most hacks, but left the door open for a clever hacker who, through separate means, had acquired knowledge of the current PIN.
It's all about the trade-offs.