Trademarking Makerspace (Again)

A British company has filed a trademark application for the word ‘MakerSpace’. While we’ve seen companies attempt to latch on to popular Maker phrases before, Gratnells Limited, the company in question, is a manufacturer of plastic containers, carts, and other various storage solutions. These products apparently provide a space to store all the stuff you make. Something along those lines.

This isn’t the first time we’ve seen someone try to glom onto the immense amount of marketing Make: has put into the term ‘makerspace’. In 2015, UnternehmerTUM MakerSpaceGmbH, an obviously German tech accelerator based in Munich, filed an application to trademark the word ‘Makerspace’. A few days later, we got word this makerspace wasn’t trying to enforce anything, they were just trying to keep the rug from being pulled out from under them. It was a defensive trademark, if something like that could ever exist (and it can’t under US trademark law). Swift and efficient German bureaucracy prevailed, and the trademark was rejected.

The trademark in question here covers goods including, ‘metal hardware and building materials’, ‘trolleys, trolleys with trays’, ‘guide rails of non-metallic materials’, and ‘lids for containers’, among other storage-related items. While this is far outside the usual meaning for a ‘makerspace’ – a building or club with a whole bunch of tools – if this trademark is approved, there is always the possibility of overzealous solicitors.

Fortunately, Gratnells released a statement today saying they would not defend or continue this trademark. This is in light of the recent, limited reaction to the trademark application. The word Makerspace is safe again another day.

Thanks [Tom] for the tip.

BrickerBot Takes Down your IoT Devices Permanently

There is a new class of virii in town, specifically targeting Internet of Things (IoT) devices. BrickerBot and its variants do exactly as their name says, turning your smart devices into bricks. Someone out there has gotten tired of all the IoT security flaws and has undertaken extreme (and illegal) measures to fix the problem. Some of the early reports have come in from a security company called Radware, who isolated two variants of the virii in their honeypots.

In a nutshell, BrickerBot gains access to insecure Linux-based systems by using brute force. It tries to telnet in using common default root username/password pairs. Once inside it uses shell commands (often provided by BusyBox) to write random data to any mounted drives. It’s as easy as

dd if=/dev/urandom of=/dev/sda1

With the secondary storage wiped, the device is effectively useless. There is already a name for this: a Permanent Denial-of-Service (PDoS) attack.

Now any card carrying Hackaday reader will know that a system taken down like this can be recovered by re-flashing through USB, JTAG, SD, other methods. However, we’re not BrickerBot’s intended audience. We’ve all changed our devices default passwords, right? RIGHT?

For more IoT security, check out Elliot’s excellent article about botnets earlier this year, and its follow-up.

IOT Startup Bricks Customers Garage Door Intentionally

Internet of Things startup Garadget remotely bricked an unhappy customer’s WiFi garage door for giving a bad Amazon review and being rude to company reps. Garadget device owner [Robert Martin] found out the hard way how quickly the device can turn a door into a wall. After leaving a negative Amazon review, and starting a thread on Garadget’s support forum complaining the device didn’t work with his iPhone, Martin was banned from the forum until December 27, 2019 for his choice of words and was told his comments and bad Amazon review had convinced Garadget staff to ban his device from their servers.

The response was not what you would expect a community-funded startup. “Technically there is no bricking, though,” the rep replied. “No changes are made to the hardware or the firmware of the device, just denied use of company servers.” Tell that to [Robert] who can’t get into his garage.

This caused some discontent amoung other customers wondering if it was just a matter of time before more paying customers are subjected to this outlandish treatment. The Register asked Garadget’s founder [Denis Grisak] about the situation, his response is quoted below.

 It was a Bad PR Move, Martin has now had his server connection restored, and the IOT upstart has posted a public statement on the matter.– Garadget

This whole debacle brings us to the conclusion that the IoT boom has a lot of issues ahead that need to be straightened out especially when it comes to ethics and security. It’s bad enough to have to deal with the vagaries of IoT Security and companies who shut down their products because they’re just not making enough money. Now we have to worry about using “cloud” services because the people who own the little fluffy computers could just be jerks.

How to Trick Your Electrical Meter By Saving Power

A group of Dutch scientists have been testing out some of today’s “smart” electrical meters to check their accuracy, among other things. Not ones to disappoint, the scientists have found consistently false readings that in some cases are 582% higher than actual energy consumption.

With experiments lasting for six months, the researchers tried to focus on meters representative of those commonly used in the Netherlands and manufactured between 2004 and 2014. Moreover, the researchers tried to reproduce standard household energy consumption patters rather than focusing on stress tests.

Their results? Well, “results varied wildly, with some meters reporting errors way above their disclosed range, going from -32% to +582%. Tests with uncommon results were repeated several times and the results were within a few percents of the original.” Moreover, “The greatest inaccuracies were seen when researchers combined dimmers with energy saving light bulbs and LED bulbs.” Not constrained to energy saving light bulbs, the inaccuracies are, ironically, tied to devices with integrated energy saving features. (Certainly makes us want to keep a close eye on our electric meters.)

“The reason for faulty readings appears to be the current sensor, and the associated circuitry,” said researchers. “The experimental results […] show that static energy meters can be pushed into faulty reading (positive and negative) if sufficiently fast pulsed currents are drawn by the consumer”

It is worth noting that there is contradictory research published by “the European voice of the providers of smart energy solutions” that maintains that “there is no reason to question smart metering technology”. Still, we wouldn’t blame you if you wanted a second opinion.

Thanks [acs] for sending this in!

Gigabytes the Dust with UEFI Vulnerabilities

At this year’s BlackHat Asia security conference, researchers from Cylance disclosed two potentially fatal flaws in the UEFI firmware of Gigabyte BRIX small computers which allow a would-be attacker unfettered low-level access to the computer.

Gigabyte has been working on a fix since the start of 2017. Gigabyte are preparing to release firmware updates as a matter of urgency to only one of the affected models — GB-BSi7H-6500 (firmware vF6), while leaving the — GB-BXi7-5775 (firmware vF2) unpatched as it has reached it’s end of life. We understand that support can’t last forever, but if you sell products with such a big fault from the factory, it might be worth it to fix the problem and keep your reputation.

The two vulnerabilities that have been discovered seem like a massive oversight from Gigabyte, They didn’t enable write protection for their UEFI (CVE-2017-3197), and seem to have thrown cryptography out of the window when it comes to signing their UEFI files (CVE-2017-3198). The latter vulnerability is partly due to not verifying a checksum or using HTTPS in the firmware update process, instead using its insecure sibling HTTP. CERT has issued an official vulnerability note (VU#507496) for both flaws.

Attackers may exploit the vulnerabilities to execute unsigned code in System Management Mode (SMM), planting whatever malware they like into the low level workings of the computer. Cylance explain a possible scenario as follows:

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.

With all this said, it does raise some interesting opportunities for the hacker community. We wonder if anyone will come up with a custom UEFI for the Brix since Gigabyte left the keys in the door.

California Looks to Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minium level of security for Internet of Things devices and then some. California SB 327 Information privacy: connected devices in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there a really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally it has been suggested that the devices in question would be required to notify in some way the user when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware and we’ve all known one day the government would get involved. Often this type of action requires a major event where people were in some way harmed either physically or financially that would push this issue. Denial of service attacks have already occurred and hijacking of webcams and such are commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

Transcranial Electrical Stimulation With Arduino, Hot Glue

The advance of electronic technology has been closely followed by the medical community over the past 200 years. Cutting edge electronics are used in medical imaging solutions to provide ever greater bandwidth and resolution in applications such as MRI machines, and research to interface with the human nervous system continues at a breakneck pace. The cost of this technology – particuarly in research and development – is incredibly high. Combine this with the high price of the regulatory approvals necessary for devices which deal in terms of life and death, and you’ll find that even basic medical technology is prohibitively expensive. Just ask any diabetic. On the face of things, there’s a moral dilemma. Humanity has developed technologies that can improve quality of life. Yet, due to our own rules and regulations, we cannot afford to readily distribute them.

One example of this is that despite the positive results from many transcranial electrical stimulation (TCS) studies, the devices used are prohibitively expensive, as are treatment regimens for patients. Realising this, [quicksilv3rflash] decided to develop a homebrew, open source transcranial electrical stimualtion device, and published it on Instructables. Yes, that’s the world we’re now living in.

It’s important to publish a warning here: Experimenting with this sort of equipment can easily kill you, fry your brain, or have any number of other awful results. If you don’t have a rock solid understanding of the principles behind seperate grounds, or your soldering is just a little sloppy, you don’t want to go anywhere near this. In particular, this device cannot be powered safely by a wall-wart.

To be honest, we find it difficult to trust any medical device manufactured out of modules sourced from eBay. But as a learning excercise, there is serious value here. Such a project requires mastery of analog design to avoid dangerous currents being passed to the body. The instructions also highlight the importance of rigorously testing the device before ever connecting it to a human body.

The equipment is based around an Arduino Nano receiving commands from a computer over serial, fed by an application written in Python & PyGame. To think, this writer thought he was being bold when he used it to control a remote control car! The Arduino Nano interprets this data and outputs it over SPI to a DAC which outputs a signal which is then amplified and fed to the human brain courtesy of op-amps, boost converters and sponge electrodes. The output of the device is limited to +/-2.1mA by design, in accordance with suggested limits for TCS use.

It should be noted, [quicksilv3rflash] has been experimenting with homebuilt TCS devices for several years now, and has lived to tell the tale. It’s impressive to see a full suite of homebrew, opensource tools being developed in this field. [quicksilv3rflash] reports to have not suffered injuries from the device, and several devices have been shipped to redditors. We’ve only found minimal reports on people receiving these, but nothing on anyone actually using the hardware as intended. If you’ve used one, get in touch in the comments.

It goes without saying – this sort of experimentation is dangerous and the stakes for getting it wrong are ludicrously high. We’ve seen before what happens when medical devices malfunction – things get real ugly, real fast. But hackers will be hackers and if you were wondering if it was possible to build a TCS device for under $100 in parts from eBay, well, yes. Yes it is.