Shut the Backdoor! More IoT Cybersecurity Problems

We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.

As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, they left themselves an undocumented root password on the device and — to make things worse — they use a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — could be used by anyone else, not just the company that put it there.

Zelda and the Ocarina of Things

Voice recognition is this year’s model for home automation, but aside from feeling like you’re onboard the Aries 1b arguing with HAL 9000, it just doesn’t do it for our geeky selves. So what’s even geekier? How about carrying around an ocarina in your pocket so that you can get a Raspberry Pi to unlock the door for you? (YouTube video, embedded below.) Yeah, that’ll do.

[Sufficiently Advanced]’s video gets us 90% of the way toward replicating this build. There’s a tube with a microphone and a Raspberry Pi inside. There are a bunch of ESP8266-powered gadgets scattered around the house that take care of such things as turning on and off the heater, watering plants, and even pressing a (spare) car remote with a servo.

We’d love to know what pitch- or song-recognition software the Raspberry Pi is running. We’ve wanted to implement a whistling-based home automation interface since seeing the whistled. We can hold a tune just fine, but we don’t always start out on the same exact pitch, which is a degree of freedom that [Sufficiently Advanced]’s system doesn’t have to worry about, assuming it only responds to one ocarina.

If you’re questioning the security of locking and unlocking your actual apartment by playing “Zelda’s Lullaby” from outside your window, you either overestimate the common thief or you just don’t get the joke. The use case of calling (and hopefully finding) a cell phone is reason enough for us to carry a bulky ocarina around everywhere we go!

Point and Click to an IoT Button

The availability of cheap WiFi boards like the ESP8266 and others means you can inexpensively put projects on the network. But there is still the problem of how to connect these devices to other places reliably. An Open Source project that attempts to make that whole effort point and click is Mongoose OS. The open source system works with the ESP8266, ESP32, and several other platforms. It is well integrated with Amazon’s IoT backend, but it isn’t locked to it.

Everyone wants to be your IoT broker and we see products appear (and disappear) regularly aimed at capturing that market. One common way to send and receive messages from a tiny device to a remote server is MQTT, an ISO standard made with resource-limited devices in mind. Many IoT services speak this protocol, including Amazon’s IoT offering. You can see how quick it is to flash an ESP8266 to make an Amazon IoT button in the video below. Although the video example uses Amazon, you can configure the system to talk to any public or private MQTT broker.

Wireless Doorbell Hacked Into Hands-on MQTT Tutorial

The project itself is very simple: getting push notifications via MQTT when a wireless doorbell sounds. But as [Robin Reiter] points out, as the “Hello, world!” program is a time-honored tradition for coders new to a language, so too is his project very much the hardware embodiment of the same tradition. And the accompanying video build log below is a whirlwind tour that will get the first-timer off the ground and on the way to MQTT glory.

The hardware [Robin] chose for this primer is pretty basic – a wireless doorbell consisting of a battery-powered button and a plug-in receiver that tootles melodiously when you’ve got a visitor. [Robin] engages in a teardown of the receiver with attempted reverse engineering, but he wisely chose the path of least resistance and settled on monitoring the LEDs that flash when the button is pushed. An RFduino was selected from [Robin]’s ridiculously well-organized parts bin and wired up for the job. The ‘duino-fied doorbell talks Bluetooth to an MQTT broker on a Raspberry Pi, which also handles push notifications to his phone.

The meat of the build log, though, is the details of setting up MQTT. We’ve posted a lot about MQTT, including [Elliot Williams]’ great series on the subject. But this tutorial is very nuts and bolts, the kind of thing you can just follow along with, pause the video once in a while, and have a working system up and running quickly. There’s a lot here for the beginner, and even the old hands will pick up a tip or two.

IoT Device Pulls Its Weight in Home Brewing

The iSpindel floating in a test solution.

Brewing beer or making wine at home isn’t complicated, but it does require attention to detail and a willingness to measure and sanitize things multiple times, particularly when tracking the progress of fermentation. This job has gotten easier thanks to the iSpindel project, an ESP8266-based IoT device intended as a DIY alternative to a costly commercial solution.

Hydrometer [Source: grapestompers.com]

Tracking fermentation normally involves a simple yet critical piece of equipment called a hydrometer (shown left), which measures the specific gravity or relative density of a liquid. A hydrometer is used by winemakers and brewers to determine how much sugar remains in a solution, therefore indicating the progress of the fermentation process. Using a hydrometer involves first sanitizing all equipment. Then a sample is taken from the fermenting liquid, put into a tall receptacle, the hydrometer inserted and the result recorded. Then the sample is returned and everything is cleaned. [Editor (and brewer)’s note: The sample is not returned. It’s got all manner of bacteria on/in it. Throw those 20 ml away!] This process is repeated multiple times, sometimes daily. Every time the batch is opened, the risk of contamination also increases.

Friday Hack Chat: Raspberry Pi Principal Hardware Engineer Roger Thornton

Have you heard about the new Raspberry Pi Zero W which now includes WiFi and Bluetooth? Of course you have. Want to know what went into the addition to the popular design? Now’s the time to ask when this week’s Hack Chat is led by Roger Thornton, chief hardware engineer for Raspberry Pi.

Raspberry Pi was born on February 29th, 2012 and has seen a remarkable number of hardware flavors and revisions. Throughout, the hardware has been both dependable and affordable — not an easy thing to accomplish. Roger will discuss the process his team uses to go from concept, all the way through to the hands of the user. It’s an excellent chance to ask any questions you have from soup to nuts.

The Hack Chat is scheduled for Friday, March 3rd at noon PST (20:00 GMT).

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

Mark your calendar for Friday March 10th when Hack Chat features mechanical manufacturing with members from the Fictiv team.

Your Internet of Things Speaks Volumes About You

If only Marv and Harry were burglars today; they might have found it much easier to case houses and — perhaps — would know which houses were occupied by technically inclined kids by capitalizing on the potential vulnerability that [Luc Volders] has noticed on ThingSpeak.

As an IoT service, ThingSpeak takes data from an ESP-8266, graphs it, and publicly displays the data. Some of you may already see where this is going. While [Volders] was using the service for testing, he realized anyone could check the temperature of his man-cave — thereby inferring when the house was vacant since the location data also happened to be public. A little sleuthing uncovered several other channels with temperature data or otherwise tied to a location that those with nefarious intent could abuse.
