Author: Jenny List

3308 Articles

Aussies Propose Crackdown On Insecure IoT Devices

October 16, 2017 by 36 Comments

We’ve all seen the stories about IoT devices with laughably poor security. Both within our community as fresh vulnerabilities are exposed and ridiculed, and more recently in the wider world as stories of easily compromised baby monitors have surfaced in mass media outlets. It’s a problem with its roots in IoT device manufacturers treating their products as appliances rather than software, and in a drive to produce them at the lowest possible price.

The Australian government have announced that IoT security is now firmly in their sights, announcing a possible certification scheme with a logo that manufacturers would be able to use if their products meet a set of requirements. Such basic security features as changeable, non-guessable, and non-default passwords are being mentioned, though we’re guessing that would also include a requirement not to expose ports to the wider Internet. Most importantly it is said to include a requirement for software updates to fix known vulnerabilities. It is reported that they are also in talks with other countries to harmonize some of these standards internationally.

It is difficult to see how any government could enforce such a scheme by technical means such as disallowing Internet connection to non-compliant devices, and if that was what was being proposed it would certainly cause us some significant worry. Therefore it’s likely that this will be a consumer certification scheme similar to for example the safety standards for toys, administered as devices are imported and through enforcement of trading standards legislation. The tone in which it’s being sold to the public is one of “Think of the children” in terms of compromised baby monitors, but as long-time followers of Hackaday will know, that’s only a small part of the wider problem.

Thanks [Bill Smith] for the tip.

Baby monitor picture: Binatoneglobal [CC BY-SA 3.0].

Why Not Expose Your PCBs Through An LCD?

October 16, 2017 by 67 Comments

Most people who have dabbled in the world of electronic construction will be familiar in some form with the process of producing a printed circuit board by exposing a UV sensitive coating through a transparent mask, before moving on to etching. Older readers will have created their masks by hand with crêpe paper tape on acetate, while perhaps younger ones started by laser-printing from their CAD package.

How about a refinement of the process, one which does away with the acetate mask entirely? [Ionel Ciobanuc] may have the answer, in the form of an exposure through an LCD screen. The video below the break shows how it’s done, starting with a (probably a bit too lengthy) sequence on applying the photo-resist coating to the board, and then sitting LCD on top of UV lamp with the board positioned at the top of the pile.

It’s an interesting demonstration, and one that certainly removes a step in the process of PCB creation as it brings the pattern direct from computer to board without an intermediate. Whether or not it’s worth the expenditure on an LCD is up to you, after all a sheet of acetate is pretty cheap and if you already have a laser printer you’re good to go. We’re curious to know whether or not any plastic components in the LCD itself might be damaged by long-term exposure to intense UV light.

Continue reading “Why Not Expose Your PCBs Through An LCD?”

Encryption For The Most Meager Of Devices

October 15, 2017 by 57 Comments

It seems that new stories of insecure-by-design IoT devices surface weekly, as the uneasy boundary is explored between the appliance and the Internet-connected computer. Manufacturers like shifting physical items rather than software patches, and firmware developers may not always be from the frontline of Internet security.

An interesting aside on the security of IoT traffic comes from [boz], who has taken a look at encryption of very low data rate streams from underpowered devices. Imagine perhaps that you have an Internet-connected sensor which supplies only a few readings a day that you would like to keep private. Given that your sensor has to run on tiny power resources so a super-powerful processor is out of the question, how do you secure your data? Simple encryption schemes are too easily broken.

He makes the argument for encryption from a rather unexpected source: a one-time pad. We imagine a one-time pad as a book with pages of numbers, perhaps as used by spies in Cold-War-era East Berlin or something. Surely storing one of those would be a major undertaking! In fact a one-time pad is simply a sequence of random keys that are stepped through, one per message, and if your message is only relatively few bytes a day then you have no need to generate more than a few K of pad data to securely encrypt it for years. Given that even pretty meager modern microcontrollers have significant amounts of flash at their disposal, pad storage for sensor data of this type is no longer a hurdle.

Where some controversy might creep in is the suggestion that a pad could be recycled when its last entry has been used. You don’t have to be a cryptologist to know that reusing a one-time pad weakens the integrity of the cypher, but he has a valid answer there too, If the repeat cycle is five years, your opponent must have serious dedication to capture all packets, and at that point it’s worth asking yourself just how sensitive the sensor data in question really is.

MIDI And A Real Vox Humana Come To A Century-Old Melodeon

October 15, 2017 by 6 Comments

A hundred years or more of consumer-level recorded music have moved us to a position in which most of us unconsciously consider music to be a recorded rather than live experience. Over a century ago this was not the case, and instead of a hi-fi or other device, many households would have had some form of musical instrument for their own entertainment. The more expensive ones could become significant status symbols, and there was a thriving industry producing pianos and other instruments for well-to-do parlours everywhere.

One of these parlour instruments came the way of [Alec Smecher], a pump organ, also known as a harmonium, or a melodeon. He’s carefully added a MIDI capability to it, and thus replaced its broken “Vox Humana” tremolo effect intended as a 19th century simulation of a choir, with a set of genuine human sounds. There is an almost Monty Python quality to his demonstration of this real Vox Humana, as you can see in the video below.

Lest you think though that he’s gutted the organ in the process of conversion, be rest assured that this is a sensitively applied piece of work. A microswitch has been placed beneath each key, leaving the original mechanism intact and working. An Arduino Leonardo has the microswitches multiplexed into a matrix similar to a keyboard, and emulates a USB MIDI device. It’s fair to say that it therefore lacks the force sensitivity you might need to emulate a piano, but it does result in rather an attractive MIDI instrument that also doubles as a real organ.

Continue reading “MIDI And A Real Vox Humana Come To A Century-Old Melodeon”

Nintendo Power Glove Achieves Its Promise As Vive Controller

October 14, 2017 by 11 Comments

You have to hand it to Nintendo, for blazing the virtual reality trail in consumer products a couple of decades before everyone else, even if the best that can be said for their efforts in that direction is that they weren’t exactly super-successful. Their 1989 Power Glove became little more than a difficult-to-use peripheral for everyday console games, and their 1995 Virtual Boy console was streets ahead of its time but had a 3D effect that induced discomfort in its players.

Many years later though, the Power Glove remains an intriguing product, and one that can be readily found second-hand. The folks at Teague Labs think that perhaps its time has come as the basis of a peripheral for modern VR systems, as a controller for the HTC Vive.

They’ve taken a Power Glove, and through an Arduino Due with a custom shield, interfaced it to the Vive controller mounted where the buttons would have been in its Nintendo days. The Vive provides positional data, while the Nintendo sensors provide hand data. Thus they’ve made an accomplished glove peripheral with a lot less heartache than they would have seen had they done so from scratch.

They show us a couple of environments using the glove, an iPad simulation which we’re having a little difficulty getting our heads round, and a rock/paper/scissors game which looks rather fun. If you are interested in further work, all their code is on GitHub.

We’ve shown you another hugely-upgraded Power Glove in the past, but how about one controlling a quadcopter?

Get Your Smarties Or M&Ms From A Vending Machine

October 12, 2017 by 19 Comments

There are some debates that split the world down the middle. Serious stuff: M&Ms, or Smarties*? Yes, the two chocolate beans may bear a superficial resemblance to each other, but you’re either a Smartie lover, or an M&M lover. No compromises.

[Maximusvo] has sensibly dodged all questions of brand loyalty in his text if not in his images even though it’s obvious what kind of confectionery he’s working with in his candy vending machine. The hard-shell chocolates are loaded into a hopper, from which a colourful cascade is released onto a scale. When the desired weight has been accumulated, it is tipped into a drawer for the hungry recipient.

Behind it all is an Arduino with a motor to release the beans, a load cell to weigh them, and an LCD display to give a status report. A motor vibrates the chute to ensure they move down it, but as can be seen in the video demo below the break it’s not doing an entirely successful job. There is an external buzzer to indicate delivery, and aside from the wooden construction of the machine there are 3D printed parts in the scale.

Continue reading “Get Your Smarties Or M&Ms From A Vending Machine”

One Man’s Tale Of EMC Compliance Testing

October 9, 2017 by 31 Comments

If you turn over almost any electronic device, you should find all those compliance logos: CE, FCC, UL, TÜV, and friends. They mean that the device meets required standards set by a particular region or testing organisation, and is safe for you, the consumer.

Among those standards are those concerning EMC, or ElectroMagnetic Compatibility. These ensure that the device neither emits RF radiation such that it might interfere with anything in its surroundings, nor is it unusually susceptible to radiation from those surroundings. Achieving a pass in those tests is something of a black art, and it’s one that [Pero] has detailed his exposure to in the process of seeing a large 3-phase power supply through them. It’s a lengthy, and fascinating post.

He takes us through a basic though slightly redacted look at the device itself, before describing the testing process, and the EMC lab. These are fascinating places with expert staff who can really help, though they are extremely expensive to book time in. Since the test involves a mains power supply he describes the Line Impedance Stabilisation Network, or LISN, whose job is to safely filter away the RF component on the mains cable, and present a uniform impedance to the device.

In the end his device failed its test, and he was only able to achieve a pass with a bit of that black magic involving the RF compliance engineer’s secret weapons: copper tape and ferrite rings. [Pero] and his colleagues are going to have to redesign their shielding.

We’ve covered our visits to the EMC test lab here before.