Although the Internet of Things (IoT) is a reasonably new term, the idea isn’t really all that new. Many engineers and hackers have created networked embedded systems for many years. So what’s different? Two things: the Internet is now everywhere, and connected embedded systems are being used in consumer settings.
Like anything else, there’s a spectrum of usefulness to IoT. Watching The Expanse the other day (which is not a bad show, by the way), I noticed that if you had the right IoT lights, you could run an app that would change your lighting to suit the show in real-time. I don’t have those lights, but I suppose when the action moves to a dark sub-basement, your lights dim and when you are in a space ship’s reactor room, they turn red, and so on. Fun, but hardly useful or life-changing.
On the other hand, there are some very practical IoT items like the Nest thermostat. It might seem lazy to want to monitor and control your thermostat from your tablet, but if you are frequently away from home, or you have multiple houses, it can be a real positive to be able to control things remotely. With the recent blizzard on the U.S. east coast, for example, it would be great to turn on the heat in your weekend cottage 150 miles away while you were still at work or home. However, the Nest recently had a hiccup during an upgrade and it has made many of their customers mad (and cold). I’ll get back to that, in a minute. First, I want to talk about the problems with deploying something that will be in many varied environments (like people’s homes) that controls something real.
The Internet of Things is slowly turning into the world’s largest crappy robot, with devices seemingly designed to be insecure, all waiting to be rooted and exploited by anyone with the right know-how. The latest Internet-enabled device to fall is a Motorola Focus 73 outdoor security camera. It’s quite a good camera, save for the software. [Alex Farrant] and [Neil Biggs] found the software was exceptionally terrible and would allow anyone to take control of this camera and install new firmware.
The camera in question is the Motorola Focus 73 outdoor security camera. This camera connects to WiFi, features full pan, tilt, zoom controls, and feeds a live image and movement alerts to a server. Basically, it’s everything you need in a WiFi security camera. Setting up this camera is simple – just press the ‘pair’ button and the camera switches to host mode and sets up an open wireless network. The accompanying Hubble mobile app scans the network for the camera and prompts the user to connect to it. Once the app connects to the camera, the user is asked to select a WiFi connection to the Internet from a list. The app then sends the security key over the open network unencrypted. By this point, just about anyone can see the potential for an exploit here, and since this camera is usually installed outdoors – where anyone can reach it – evidence of idiocy abounds.
Once the camera is on the network, there are a few provisions for firmware upgrades. Usually, firmware upgrades are downloaded from ‘private’ URLs and sent to the camera with a simple script that passes a URL directly into the shell as root. A few facepalms later, and [Alex] and [Neil] had root access to the camera. The root password was ‘123456’.
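The update pattern described above, next to a hardened form, as an added example that is not code from the camera or from the researchers. The host name, the download path and the use of wget are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical values: the article does not name the update host or paths.
ALLOWED_HOSTS = {"firmware.example.invalid"}
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+\.bin")


def vulnerable_command(url):
    """The pattern the article describes: the URL is pasted into a shell line.

    Whatever the shell treats as syntax inside `url` becomes part of the
    command. Returned as a string only; nothing is executed here.
    """
    return "wget -O /tmp/fw.bin " + url


def hardened_argv(url):
    """Validate the URL, then return an argv list to be run without a shell."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("firmware must be fetched over https")
    if parts.hostname not in ALLOWED_HOSTS or parts.port is not None:
        raise ValueError("unexpected firmware host")
    if parts.username or parts.query or parts.fragment:
        raise ValueError("unexpected URL components")
    if not SAFE_PATH.fullmatch(parts.path) or ".." in parts.path:
        raise ValueError("unexpected firmware path")
    # Rebuild from validated parts so only vetted text reaches the downloader.
    clean = "https://" + parts.hostname + parts.path
    return ["wget", "-O", "/tmp/fw.bin", clean]


def is_accepted(url):
    """True when the URL passes every check in hardened_argv."""
    try:
        hardened_argv(url)
        return True
    except ValueError:
        return False


# Constructed inputs: one well-formed URL and one carrying shell syntax.
GOOD_URL = "https://firmware.example.invalid/cam/fw-1.2.bin"
BAD_URL = "https://firmware.example.invalid/cam/fw-1.2.bin; echo injected"

if __name__ == "__main__":
    print(vulnerable_command(BAD_URL))   # the shell would see two commands
    print(is_accepted(GOOD_URL), is_accepted(BAD_URL))
```

The argv list is meant for an exec-style call with no shell in between, and the updater itself should not need to run as root.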
While there are the beginnings of a good Internet of Camera in this product, the design choices for the software are downright stupid. In any event, if you’re looking for a network camera that you own – rather than one tied to a company with a few servers and a custom smartphone app – this would be near the top of the list. It’s a great beginning for some open source camera firmware.
What’s not to love about a hackathon? The junk food and caffeine that fuel the weekend; the highs that come with success and the lows that come when the blue smoke is released; the desperate search for inspiration as the clock ticks away; nerve-wracking pitches to the judges, hoping against hope that everything works in the demo. Hackathons are the contact sport of the hacker world, bringing in top competitors and eager upstarts, and when done well you just might attract interested “civilians” and other newbies that will catch the hacking bug from what they witness.
Such was the scene at the Tech Valley Center of Gravity in Troy, NY over the last weekend of January. New for 2016, the CoG is hosting a series of four hardware hackathons this year, each with a different theme. This event’s theme was “Internet of Things”, and the call went out to any and all to come compete for bragging rights and over $1,000 in prizes. Incentives to compete included some big name corporate sponsors, like AT&T, and judging and mentoring provided by the likes of SparkFun’s [Jeff Branson]. There was also a steady stream of food and drink, saturation coverage by local media outlets, and your humble Hackaday writer and his son, who made the trip up to Troy with a small passel of Hackaday swag and a curiosity to see how the CoG has fared since our last visit at the grand opening of their glorious new home. We were not disappointed.
We have lost a great inventor. [Artur Fischer], inventor of the plastic drywall plug, fischertechnik, the plastic wall plug, photo flash light, and holder of over 1100 patents (more than the great Edison), passed away this week.
Who remembers Glider? That old Macintosh game where you fly a paper airplane around a house is now available on GitHub. The creator of Glider, [John Calhoun] put all the code up a few days ago. If you have Metrowerks Code Warrior sitting around on an old box, feel free to dig around.
In the ‘this guy totally won’t get sued’ column is MagSafe for iPhones. The MagSafe power adapter is Apple’s largest contribution to humanity, but they are a little protective about it.
We have two calls for the community: [jimie] had a go at programming the latest, coolest, open source radio. Programming it is hard. Has anyone found an improved guide? Second, I now have a Tadpole Computer that was former property of Qualcomm. I can’t find any info on getting *nix or *BSD on it. Anyone have any experience?
Getting software-defined radio (SDR) tools into the hands of the community has been great for the development and decoding of previously-cryptic, if not encrypted, radio signals the world over. As soon as there’s a new protocol or modulation method, it’s in everyone’s sights. A lot of people have been working on LoRa, and [bertrik] at RevSpace in The Hague has done some work of his own, and put together an amazing summary of the state of the art.
LoRa is a new(ish) modulation scheme for low-power radios. It’s patented, so there’s some information about it available. But it’s also proprietary, meaning that you need a license to produce a radio that uses the encoding. In keeping with today’s buzzwords, LoRa is marketed as a wide area network for the internet of things. HopeRF makes a LoRa module that’s fairly affordable, and naturally [bertrik] has already written an Arduino library for using it.
So with a LoRa radio in hand, and a $15 RTL-SDR dongle connected to a laptop, [bertrik] got some captures, converted the FM-modulated chirps down to audio, and did a bunch of hand analysis. He confirmed that existing plugins for sdrangelove did (mostly) what they should, and he wrote it all up, complete with a fantastic set of links.
There’s more work to be done, so if you’re interested in hacking on LoRa, or just having a look under the hood of this new modulation scheme, you’ve now got a great starting place.
Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.
We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip and dumped the flash ROM, and when the IDA-dust settled, it turned out that Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.
The web services that the creepy talking doll connected to were another story, and were full of holes that were being actively patched throughout Somerset’s investigation, but we were only really interested in the firmware anyway, and that looked OK. Not everything is horror stories in IoT security. Some stories do have a happy ending. Barbie can sleep well tonight.
The folks at Q42 write code, lots of it, and this implies the copious consumption of coffee. In more primitive times, an actual human person would measure how many cups were consumed and update a counter on their website once a day. That had to be fixed, obviously, so they hacked their coffee machine so it publishes the amount of coffee being consumed by itself. Their Jura coffee machine makes good coffee, but it wasn’t hacker friendly at all. No API, no documentation, non-standard serial port and encrypted EEPROM contents. It seems the manufacturer tried every trick to keep the hackers away — challenge accepted.
The folks at Q42 found details of the Jura encryption protocol on the internet, and then hooked up a Raspberry Pi via serial UART to the Jura. Encryption consisted of taking each byte and breaking it up into 4 bytes, with the data being loaded in bit positions 2 and 5 of each of the 4 bytes, which got OR’ed into 0x5B. To figure out where the counter data was stored by the machine in the EEPROM, they took a data dump of the contents, poured a shot of coffee, took another memory dump, and then compared the two.
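The byte-spreading scheme and the dump comparison described above, as an added example that is not Q42's code. The order in which the bit pairs are sent (least significant pair first) is an assumption, since the article does not state it, and the two dumps are constructed sample data.

```python
BASE = 0x5B        # fixed bits of every wire byte; bits 2 and 5 are clear in 0x5B
DATA_BITS = 0x24   # mask for bit positions 2 and 5, which carry the payload


def jura_encode(data):
    """Spread each byte over 4 wire bytes, two payload bits per wire byte."""
    wire = bytearray()
    for byte in data:
        for shift in (0, 2, 4, 6):  # assumption: least significant pair first
            lo = (byte >> shift) & 1
            hi = (byte >> (shift + 1)) & 1
            wire.append(BASE | (lo << 2) | (hi << 5))
    return bytes(wire)


def jura_decode(wire):
    """Inverse of jura_encode; rejects input that does not fit the scheme."""
    if len(wire) % 4:
        raise ValueError("wire data must be a multiple of 4 bytes")
    data = bytearray()
    for i in range(0, len(wire), 4):
        byte = 0
        for n, w in enumerate(wire[i:i + 4]):
            if (w & ~DATA_BITS & 0xFF) != BASE:
                raise ValueError(f"byte {i + n} does not carry the 0x5B pattern")
            byte |= ((w >> 2) & 1) << (2 * n)
            byte |= ((w >> 5) & 1) << (2 * n + 1)
        data.append(byte)
    return bytes(data)


def changed_offsets(before, after):
    """Compare two EEPROM dumps and list (offset, old, new) for each change."""
    if len(before) != len(after):
        raise ValueError("dumps must be the same length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


# Constructed dumps: the only byte that changes is a counter at offset 6.
DUMP_BEFORE = bytes([0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x2A, 0x77])
DUMP_AFTER = bytes([0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x2B, 0x77])

if __name__ == "__main__":
    print(jura_encode(b"A").hex())
    print(changed_offsets(DUMP_BEFORE, DUMP_AFTER))
```

Because every wire byte differs from 0x5B only in two fixed bit positions, this is an encoding with no key, which is why it could be reversed from a public description.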
Once they had this all figured out, the Raspberry Pi was no longer required, and was replaced with the more appropriate Particle Photon. The Photon is put on a breadboard and stuck with Velcro to the back of the coffee machine, with three wires connected to the serial port on the machine.
If you’d like to dig into their code, check out their GitHub repository. Seems the guys at Q42 love playing games too – check out 0h h1 and 0h n0.