Aussies Propose Crackdown On Insecure IoT Devices

We’ve all seen the stories about IoT devices with laughably poor security. Both within our community as fresh vulnerabilities are exposed and ridiculed, and more recently in the wider world as stories of easily compromised baby monitors have surfaced in mass media outlets. It’s a problem with its roots in IoT device manufacturers treating their products as appliances rather than software, and in a drive to produce them at the lowest possible price.

The Australian government have announced that IoT security is now firmly in their sights, proposing a possible certification scheme with a logo that manufacturers would be able to use if their products meet a set of requirements. Such basic security features as changeable, non-guessable, and non-default passwords are being mentioned, though we’re guessing that would also include a requirement not to expose ports to the wider Internet. Most importantly it is said to include a requirement for software updates to fix known vulnerabilities. It is reported that they are also in talks with other countries to harmonize some of these standards internationally.

It is difficult to see how any government could enforce such a scheme by technical means such as disallowing Internet connection to non-compliant devices, and if that was what was being proposed it would certainly cause us some significant worry. Therefore it’s likely that this will be a consumer certification scheme similar to for example the safety standards for toys, administered as devices are imported and through enforcement of trading standards legislation. The tone in which it’s being sold to the public is one of “Think of the children” in terms of compromised baby monitors, but as long-time followers of Hackaday will know, that’s only a small part of the wider problem.

Thanks [Bill Smith] for the tip.

Baby monitor picture: Binatoneglobal [CC BY-SA 3.0].

Hackaday Prize Entry: Giving Phones Their Tactile Buttons Back

In the before-times, we could send text messages without looking at our phones. It was glorious, and something 90s Kids™ wish we could bring to the gigantic glowing rectangles stuck in our pockets. For his Hackaday Prize Entry, [Kyle] is bringing just a little bit of this sightless functionality back to the modern smartphone. He’s building a tactile remote control for smartphones. With this device, you can navigate through icons, push buttons, and even zoom in on maps with real, physical controls.

This keyboard is built around a handful of Cherry MX mechanical key switches for a great tactile feel, and a single capacitive touch strip for zooming in and out on the screen. This is pretty much exactly what you want for real, mechanical buttons for a smartphone — a satisfying click and a zoomy strip. The microcontroller used in this device is the BGM111 Bluetooth LE module from Silicon Labs. It’s an extremely low-power module that is able to read a cap touch strip and a few button inputs. Power is provided by a 2032 coin cell, giving the entire device a low profile form factor (except for the MX switches, but whatever), and more than enough run time.

It should be noted that [Kyle] is building this as a solution to distracted driving. True, looking down to send a quick text while driving is the cause of thousands of deaths. However, while typing out a quick note with a T9 keyboard on your Nokia seems like it’s less dangerous, it’s really not. Doing anything while driving is distracted driving, and there are volumes of studies to back this up. Outside the intended use case, this is a fantastic project that uses a neat little Bluetooth module we don’t see much of, and there are some pretty cool applications of a tiny wireless mechanical keyboard with cap touch we can think of.

Active Discussion About Passive Components

People talk about active and passive components like they are two distinct classes of electronic parts. When sourcing components on a BOM, you have the passives, which are the little things that are cheaper than a dime a dozen, and then the rest that make up the bulk of the cost. Diodes and transistors definitely fall into the cheap little things category, but aren’t necessarily passive components, so what IS the difference?


The Fine Art Of Heating And Cooling Your Beans

They say that if something is worth doing, it’s worth doing right. Those are good words to live by, but here at Hackaday we occasionally like to adhere to a slight variation of that saying: “If it’s worth doing, it’s worth overdoing”. So when we saw the incredible amount of work and careful research [Rob Linnaeus] was doing just to roast coffee beans, we knew he was onto something.

The heart of his coffee roaster is a vortex chamber with an opening on the side for a standard heat gun, and an aperture in the top where an eight cup flour sifter is to be placed. [Rob] modeled the chamber in Fusion 360 and verified its characteristics using RealFlow’s fluid simulation. He then created a negative of the chamber and printed it out on his Monoprice Maker Select 3D printer.

He filled the mold with a 1:1 mix of refractory cement and perlite, and used the back of a reciprocating saw to vibrate the mold as it set so any air bubbles would rise up to the surface. After curing for a day, [Rob] then removed the mold by heating it and peeling it away. Over the next several hours, the cast piece was fired in the oven at increasingly higher temperatures, from 200 °F all the way up to 500 °F. This part is critical, as trapped water could otherwise turn to steam and cause an explosion if the part was immediately subjected to high temperatures. If this sounds a lot like the process for making a small forge, that’s because it basically is.

Inside Two-Factor Authentication Apps

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password cannot be stored hashed in the server’s database, which means that when the database is eventually compromised, your “second factor” blows away with the breeze.

Second factor apps can improve your overall security if you’re already following good password practices. We’ll demonstrate why and how below, but the punchline is that the most popular 2FA app implementations protect you against eavesdropping by creating a different, unpredictable, but verifiable, password every 30 seconds. This means that if someone overhears your login right now, they wouldn’t be able to use the same login info later on. What 2FA apps don’t protect you against, however, are database leaks.


Oh Great, WPA2 Is Broken

WPA2, the standard security for Wi-Fi networks these days, has been cracked due to a flaw in the protocol. Implications stemming from this crack range from decrypting Wi-Fi traffic and hijacking connections to injecting content. It’s fair to say WPA2 is now Considered Harmful. The paper is available here (PDF).

This is a proof-of-concept exploit, and like all headline-making network security stories, it has a name. It’s called KRACK, for Key Reinstallation Attack. The key insight behind this exploit is a vulnerability in the handshake between routers and devices used to establish a secure connection.

This is not the first time the researchers behind this exploit have found holes in WPA2. In a paper published by the KRACK researchers at the USENIX Symposium last August (PDF), they showed that the Random Number Generator used in 802.11 is flawed, ill-defined, and insecure. The researchers have also spoken at 33c3 on predicting WPA2 Group Keys.

The practical consequences of a poor definition and implementation of an RNG can be found in consumer hardware. The researchers found that in MediaTek-based routers, the only source of randomness is the current time. Meanwhile Broadcom-based routers do not use the RNG proposed by the 802.11 spec, but instead take the MD5 of the current time in microseconds. The researchers do not mention if the current time is a secret.

So what do we do now?

This has happened before. In 2001, WEP, the Wi-Fi security protocol many security-ignorant people are still running, was cracked in much the same way as KRACK. This quickly led to the development of Aircrack, and in 2003, the Wi-Fi Alliance rolled out WPA and WPA2. Sure, you can still select a deprecated security protocol for your router, but the problem of WEP hacking is as solved as it’s ever going to be.

The early 2000s were a different time when it came to wireless networks, though here in 2017 Wi-Fi permeates every cubic inch of our lives. Everything and everyone has Wi-Fi now. This is going to be a bit bigger than cracking WEP, but it remains possible to patch devices to ensure that this exploit is rendered useless. Install those security updates, people! Of course there will still be millions of unpatched devices in a year’s time, and for those routers, IoT baubles, and other wireless devices, turning on WPA2 will be akin to having no security at all.

That said, this isn’t a world-ending Armageddon in the way the botnet of webcams was. You will only be vulnerable if an attacker is within range of your router, and you will still be secure if you’re accessing secure websites. However, turning off Wi-Fi on your phone, relying on mobile data, not ignoring HTTPS cert warnings, and plugging into an Ethernet port might not be a bad idea.

Why Not Expose Your PCBs Through An LCD?

Most people who have dabbled in the world of electronic construction will be familiar in some form with the process of producing a printed circuit board by exposing a UV sensitive coating through a transparent mask, before moving on to etching. Older readers will have created their masks by hand with crêpe paper tape on acetate, while perhaps younger ones started by laser-printing from their CAD package.

How about a refinement of the process, one which does away with the acetate mask entirely? [Ionel Ciobanuc] may have the answer, in the form of an exposure through an LCD screen. The video below the break shows how it’s done, starting with a (probably a bit too lengthy) sequence on applying the photo-resist coating to the board, and then sitting the LCD on top of a UV lamp with the board positioned at the top of the pile.

It’s an interesting demonstration, and one that certainly removes a step in the process of PCB creation as it brings the pattern direct from computer to board without an intermediate. Whether or not it’s worth the expenditure on an LCD is up to you, after all a sheet of acetate is pretty cheap and if you already have a laser printer you’re good to go. We’re curious to know whether or not any plastic components in the LCD itself might be damaged by long-term exposure to intense UV light.
