Logs For A Toilet

The Internet of Things, as originally envisioned in papers dating to the early to mid-90s, is a magical concept. Wearable devices would report your location, health stats, and physiological information to a private server. Cameras in your shower would tell your doctor if that mole is getting bigger. Your car would monitor the life of your cabin air filter and buy a new one when the time arrived. Nanobots would become programmable matter, morphing into chairs, houses, and kitchen utensils. A ubiquity of computing would serve humans as an unseen hive mind. It was paradise, delivered by ever smaller computers, sensors, and advanced robotics.

The future didn’t turn out like we planned. While the scientists and engineers were responsible for asking how they could make an Internet-connected toaster oven, no one was around to ask why anyone would want that. At least we got a 3Com Audrey out of this deal.

Fast forward to today and we learn [Christopher Hiller] just put his toilet on the Internet. Why is he doing this? Even he doesn’t know, but it does make for a great ‘logs from a toilet’ pun.

The hardware for this device is a Digistump Oak, a neat little Arduino-compatible WiFi-enabled development board. The Digistump Oak is able to publish to the Particle Cloud, and with just five lines of code, [Chris] is able to publish a flush to the Internet. The sensor for this build is a cheap plastic float switch. There are only three components in this build, and one of them is a 4k7 resistor.

Right now, there are a few issues with the build. It’s battery-powered, but that’s only because [Chris]’ toilet isn’t close enough to a wall outlet. There’s a bit of moisture in a bathroom, and clingfilm solves the problem for now, but some silly cone carne would solve that problem the right way. [Chris] also has two toilets, so he’ll need to build another one.

IOT Startup Bricks Customer’s Garage Door Intentionally

Internet of Things startup Garadget remotely bricked an unhappy customer’s WiFi garage door for giving a bad Amazon review and being rude to company reps. Garadget device owner [Robert Martin] found out the hard way how quickly the device can turn a door into a wall. After leaving a negative Amazon review, and starting a thread on Garadget’s support forum complaining the device didn’t work with his iPhone, Martin was banned from the forum until December 27, 2019 for his choice of words and was told his comments and bad Amazon review had convinced Garadget staff to ban his device from their servers.

The response was not what you would expect from a community-funded startup. “Technically there is no bricking, though,” the rep replied. “No changes are made to the hardware or the firmware of the device, just denied use of company servers.” Tell that to [Robert] who can’t get into his garage.

This caused some discontent among other customers wondering if it was just a matter of time before more paying customers are subjected to this outlandish treatment. The Register asked Garadget’s founder [Denis Grisak] about the situation; his response is quoted below.

It was a Bad PR Move, Martin has now had his server connection restored, and the IOT upstart has posted a public statement on the matter. – Garadget

This whole debacle brings us to the conclusion that the IoT boom has a lot of issues ahead that need to be straightened out, especially when it comes to ethics and security. It’s bad enough to have to deal with the vagaries of IoT Security and companies who shut down their products because they’re just not making enough money. Now we have to worry about using “cloud” services because the people who own the little fluffy computers could just be jerks.

California Looks to Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minimum level of security for Internet of Things devices and then some. California SB 327 Information privacy: connected devices in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there are really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally it has been suggested that the devices in question would be required to notify in some way the user when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware and we’ve all known one day the government would get involved. Often this type of action requires a major event where people were in some way harmed either physically or financially that would push this issue. Denial of service attacks have already occurred, and hijacking of webcams and such is commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

2017: The Year of the Dishwasher Security Patch

As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

The Register reports that Jens Regel discovered the bug in a Miele dishwasher with a webserver. It’s a basic directory traversal attack that can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.

It’s not particularly surprising – we’ve talked about IoT security and its pitfalls before. The problem is, a dishwasher is not a computer. Unlike Microsoft, or Google, or even the people behind VLC, Miele don’t have infrastructure in place to push out an update to dishwashers worldwide. This means that as it stands, your only real solutions are to either disconnect the dishwasher from your network, or lock it behind a highly restrictive firewall. Both are likely to impede functionality. Of course, as always, many will ask why a dishwasher needs to be connected to the Internet at all. Why indeed.
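The class of bug described above comes down to a file handler that joins the request path onto its web root without checking where the result lands. The following is an added example, not Miele's firmware code and not from the original post: a generic Python handler showing the vulnerable join beside a canonicalise-then-check version. The function names and the request targets are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(web_root, request_target):
    """The vulnerable pattern: join the request path onto the root and trust it."""
    return os.path.join(web_root, request_target.lstrip("/"))


def safe_resolve(web_root, request_target):
    """Return the canonical file path for a request, or None if it leaves web_root."""
    root = os.path.realpath(web_root)
    # Drop the query string, then percent-decode once (%2e%2e/ becomes ../).
    path = unquote(request_target.split("?", 1)[0])
    if "\x00" in path:
        return None
    # realpath collapses ".." and follows symlinks, so the containment check
    # below sees the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Run constructed request targets against a throwaway web root."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="webroot-"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("ok")
    targets = [
        "/index.html",
        "/index.html?lang=en",
        "/../../../../../../etc/shadow",
        "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
        "/static/../index.html",
    ]
    return {t: safe_resolve(root, t) for t in targets}


if __name__ == "__main__":
    for target, resolved in demo().items():
        print(f"{target!r:45} -> {resolved}")
```

A `None` result should be answered with a 404 and logged; the check only helps if the web server also runs as an unprivileged user that cannot read files such as the shadow password file in the first place.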

Putting Pi In Infrared Doohickies

The Raspberry Pi Zero W is a tiny, cheap Linux computer with WiFi. It’s perfect for Internet of Things things such as controlling ceiling fans, window blinds, LED strips, and judgmental toasters. This leads to an obvious question: how do you attach your ceiling fan and LED strips to a Pi Zero? A lot of these things already have infrared remotes, so why not build an infrared hat for the Pi? That’s what [Leon] did, and it’s Open Hardware with documentation.

[Leon]’s Anavi Infrared Pi Hat does exactly what you think it should do. There’s an IR receiver, two IR LEDs, and UART pins for debugging. That’s all you need to control infrared doohickies over the Internet, and [Leon] wrapped it up in a nice neat package that’s the same size as a Raspberry Pi Zero. Add on some documentation and you have something we rarely see: a project meant to be used by other people.

This focus on allowing people to actually use what [Leon] created can lead to only one cynical conclusion: he’s probably selling these things somewhere. The cynic is never surprised. [Leon] has a crowdfunding campaign going, that’s over 400% funded with a month to go. That’s okay, though: all the design files are available so if you want to build your own without supporting people who build useful devices, have at it.

Friday Hack Chat: Raspberry Pi Principal Hardware Engineer Roger Thornton

Have you heard about the new Raspberry Pi Zero W which now includes WiFi and Bluetooth? Of course you have. Want to know what went into the addition to the popular design? Now’s the time to ask when this week’s Hack Chat is led by Roger Thornton, chief hardware engineer for Raspberry Pi.

Raspberry Pi was born on February 29th, 2012 and has seen a remarkable number of hardware flavors and revisions. Throughout, the hardware has been both dependable and affordable — not an easy thing to accomplish. Roger will discuss the process his team uses to go from concept, all the way through to the hands of the user. It’s an excellent chance to ask any questions you have from soup to nuts.

The Hack Chat is scheduled for Friday, March 3rd at noon PST (20:00 GMT).

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

Mark your calendar for Friday March 10th when Hack Chat features mechanical manufacturing with members from the Fictiv team.

Your Internet of Things Speaks Volumes About You

If only Marv and Harry were burglars today; they might have found it much easier to case houses and — perhaps — would know which houses were occupied by technically inclined kids by capitalizing on the potential vulnerability that [Luc Volders] has noticed on ThingSpeak.

As an IoT service, ThingSpeak takes data from an ESP-8266, graphs it, and publicly displays the data. Some of you may already see where this is going. While [Volders] was using the service for testing, he realized anyone could check the temperature of his man-cave — thereby inferring when the house was vacant since the location data also happened to be public. A little sleuthing uncovered several other channels with temperature data or otherwise tied to a location that those with nefarious intent could abuse.
