Don’t Toss That Bulb, It Knows Your Password

Whether it was here on Hackaday or elsewhere on the Internet, you’ve surely heard more than a few cautionary tales about the “Internet of Things” by now. As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

Regardless of the manufacturer of the bulb, the process to get one of these devices on your network is more or less the same. An application on your smartphone connects to the bulb and provides it with the network SSID and encryption key. The bulb then disconnects from the phone and reconnects to your home network with the new information. It’s a process that at this point we’re all probably familiar with, and there’s nothing inherently wrong with it.

The trouble comes when the bulb needs to store the connection information it was provided. Rather than obfuscating it in some way, the SSID and encryption key are simply stored in plain-text on the bulb’s WiFi module. Recovering that information is just a process of finding the correct traces on the bulb’s PCB (often there are test points which make this very easy), and dumping the chip’s contents to the computer for analysis.

It’s not uncommon for smart bulbs like these to use the ESP8266 or ESP32, and [Limited Results] found that to be the case here. With the wealth of information and software available for these very popular WiFi modules, dumping the firmware binary was no problem. Once the binary was in hand, a little snooping around with a hex editor was all it took to identify the network login information. The firmware dumps also contained information such as the unique hardware IDs used by the “cloud” platforms the bulbs connect to, and in at least one case, the root certificate and RSA private key were found.
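For anyone who wants to check a bulb they own before disposing of it, here is an added example (not code from [Limited Results] or from this post) that audits a flash dump for plaintext copies of credentials the owner already knows, plus PEM private-key headers. The SSID, passphrase, offsets and the 4 KiB image are constructed sample values.

```python
import re

# PEM header that marks a private key stored as text in the image.
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def encodings(secret: str):
    """Yield (label, bytes) forms in which firmware commonly stores a string."""
    yield "ascii/utf-8", secret.encode("utf-8")
    yield "utf-16le", secret.encode("utf-16-le")


def find_all(image: bytes, needle: bytes):
    """Return every offset at which needle occurs in image."""
    offsets, pos = [], image.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(needle, pos + 1)
    return offsets


def audit_dump(image: bytes, known_secrets: dict):
    """Return sorted (label, encoding, offset) findings for known secrets and PEM keys."""
    findings = []
    for label, value in known_secrets.items():
        for enc_name, needle in encodings(value):
            for off in find_all(image, needle):
                findings.append((label, enc_name, off))
    for m in PEM_KEY.finditer(image):
        findings.append(("private-key", "pem", m.start()))
    return sorted(findings, key=lambda f: f[2])


def build_sample_image():
    """Constructed 4 KiB flash image: erased bytes (0xFF) with planted strings."""
    img = bytearray(b"\xff" * 4096)
    planted = {0x100: b"HomeNet42",            # constructed SSID
               0x140: b"correct-horse-9",      # constructed passphrase
               0x800: b"-----BEGIN RSA PRIVATE KEY-----"}
    for off, data in planted.items():
        img[off:off + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    secrets = {"ssid": "HomeNet42", "psk": "correct-horse-9"}
    for label, enc, off in audit_dump(build_sample_image(), secrets):
        print(f"{label:12s} {enc:12s} offset 0x{off:04x}")
```

An empty result only means the secrets are not stored in these two encodings; it does not prove the flash contents are encrypted.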

On the plus side, being able to buy cheap smart devices that are running easily hackable modules like the ESP makes it easier for us to create custom firmware for them. Hopefully the community can come up with slightly less suspect software, but really just keeping the things from connecting to anything outside the local network would be a step in the right direction.

(Some days later…)

[Limited Results] had hinted to us that he had previously disclosed some vulnerabilities to the bulb’s maker, but that until they fixed them, he didn’t want to make them public. They’re fixed now, and it appears that the bulbs were sending everything over the network unencrypted — your data, OTA firmware upgrades, everything. They’re using TLS now, so good job [Limited Results]! If you’re running an old version of their lightbulbs, you might have a look.

On WiFi credentials, we were told: “In the case where sensitive information in the flash memory wasn’t encrypted, the new version will include encrypted storage processing, and the customer will be able to select this version of the security chips, which can effectively avoid future security problems.” Argue about what that actually means in the comments.

WiFi Controlled Finger Dims Lights Over UDP

While WiFi controlled lights are readily available, replacing your lighting fixtures or switches isn’t always an option. [Thomas] ran into this issue with his office lights. For the developers in the office, these lights always seemed to run a little too bright. The solution? A 3D printed, WiFi controlled finger to poke the dimmer switch.

This little hack consists of a servo, a 3D printed arm and finger assembly, and a Wemos D1 Mini development board. The Wemos is a low cost, Arduino compatible development board based on the ESP8266. We’ve seen it used for a wide variety of hacks here on Hackaday.

For this device, the Wemos is used to listen for UDP packets on the company’s WiFi network. When it receives a packet, it tells the servo to push the dimming button for a specified amount of time. [Thomas] wrote a Slack bot to automatically send these packets. Now, when the lights are too bright, a simple message to the bot allows anyone to dim the lights without ever leaving the comfort of their desk. Sure, it’s not the most secure or reliable method of controlling lights, but if something goes wrong, the user can always get up and flip the switch the old fashioned way.

Motorizing An IKEA SKARSTA Table

We’ve been told that standing at a desk is good for you, but unless you’re some kind of highly advanced automaton you’re going to have to sit down eventually no matter what all those lifestyle magazines say. That’s where desks like the IKEA SKARSTA come in; they use a crank on the front to raise and lower the desk to whatever height your rapidly aging corporeal form is still capable of maintaining. All the health benefits of a standing desk, without that stinging sense of defeat when you later discover you hate it.

But who wants to turn a crank with their hand in 2019? Certainly not [iLLiac4], who’s spent the last few months working in conjunction with [Martin Mihálek] to add some very impressive features to IKEA’s adjustable table. Replacing the hand crank with a motorized system which can do the raising and lifting was only part of it; the project also includes a slick control panel with a digital display that shows the current table height and even allows the user to set and recall specific positions. The project is still in active development and has a few kinks to work out, but it looks exceptionally promising if you’re looking to get a very capable adjustable desk without breaking the bank.

The heart of the project is a 3D printable device which uses a low-RPM DC gear motor to turn the hex shaft where the crank would normally go. A rotary encoder is linked to the shaft of the motor by way of printed GT2 pulleys and a short length of belt, which gives the system positional information and avoids the complexity of adding limit switches to the table itself.

For controlling the motor the user is given the option between using relays or an H-Bridge PWM driver board, but in either event an Arduino Nano will be running the show. In addition to controlling the motor and reading the output of the rotary encoder, the Arduino also handles the front panel controls. This consists of a TM1637 four digit LED display originally intended for clocks, as well as six momentary contact tactile switches complete with 3D printed caps. The front panel’s simple user interface not only allows for setting and recalling three preset desk heights, but can even be used to perform the calibration routine without having to go in and hack the source code to change minimum and maximum positions.

We’ve seen all manner of hacks and modifications dealing with IKEA products, from a shelving unit converted into a vivarium to a table doing double duty as a cheap plate reverb. Whether you’re looking for meatballs or some hacking inspiration, IKEA seems to be the place to go.

Alexa, Remind Me Of The First Time Your Product Category Failed

For the last few years, the Last Great Hope™ of the consumer electronics industry has been voice assistants. Alexas and Echos and Google Homes and Facebook Portals are all the rage. Over one hundred million Alexa devices have been sold, an impressive feat given that there are only about 120 Million households in the United States, and a similar number in Europe. Look to your left, look to your right, one of you lives in a house with an Internet connected voice assistant.

2018 saw a huge explosion of Internet connected voice assistants, in sometimes bizarre form factors. There’s a voice controlled microwave, which is great if you’ve ever wanted to defrost a chicken through the Internet. You can get hardware for developing your own voice assistant device. 2019 will be even bigger. Facebook is heavily advertising the Facebook Portal. If you haven’t yet deleted your Facebook account, you can put the Facebook Portal on your kitchen counter and make video calls with your family and friends through Facebook Messenger. With the Google Home Hub and a Nest doorbell camera, you too can be just like Stu Pickles from Rugrats.

This is not the first time the world has been enamored with Internet-connected assistants. This is not the first time the consumer electronics industry put all their hope into one product category. This has happened before, and all those devices failed spectacularly. These were the Internet appliances released between 1999 and 2001: the last great hurrah of the dot-com boom. They were dumb then, and they’re dumb now.

Always Have A Square To Spare

Some aspects of humanity affect all of us at some point in our lives. Whether it’s getting caught in the rain without an umbrella, getting a flat tire on the way to work, or upgrading a Linux package which somehow breaks the entire installation, some experiences are truly universal. Among these is pulling a few squares of toilet paper off the roll, only to have the entire roll unravel with an overly aggressive pull. It’s possible to employ a little technology so that none of us have to go through this hassle again, though.

[William Holden] and [Eric Strebel] have decided to tackle this problem with an innovative bearing of sorts that replaces a typical toilet paper holder. Embedded in the mechanism is a set of magnetic discs which provide a higher resistance than a normal roll holder would. Slowly pulling out squares of paper is possible, but like a non-Newtonian fluid becomes solid when a higher force is applied, the magnets will provide enough resistance when a higher speed tug is performed on the toilet paper. This causes the paper to tear rather than unspool the whole roll, and also allows the user to operate the toilet paper one-handed.

This is a great solution to a problem we’ve all faced but probably forgot about a minute after we experienced it. And, it also holds your cell phone to keep it from falling in the toilet! If you’d like to check out their Kickstarter, they are trying to raise money to bring the product to market. And, if you want to upgrade your toilet paper dispenser even further, there’s also an IoT device for it as well, of course.

DIY Clapper Is 1980s Style With Raspberry Pi Twist

Home automation isn’t all that new. It is just more evolved. Many years ago, a TV product appeared called the Clapper. If you haven’t heard of it, it was basically a sound-operated AC switch. You plug, say, a lamp into the device and the clapper into the wall and you can then turn the lamp on or off by clapping. If you somehow missed these — and you can still get them, apparently — have a look at the 1984 commercial in the video below. [Ash] decided to forego ordering one on Amazon and instead built her own using a Raspberry Pi.

[Ash’s] prototype uses an LED and could — in theory — drive anything. If you wanted to make a real Clapper replacement you’d need a relay or some other kind of AC switch suitable for the load. The actual clap detection software is from [nikhiljohn10] and simply waits for two loud noises. No fancy machine learning to differentiate between a clap and a cat knocking over a vase. Just a threshold and some timing.

Designing A Toilet Roll Holder

Everything needs to be designed, at one point or another. There are jobs for those who design kitchens, and stadiums, and interplanetary spacecraft. However, there are also jobs for those who design cutlery, hose fittings, and even toilet roll holders. [Eric Strebel] is here to share just such a story.

[Eric] covers the whole process from start to finish. In the beginning, a wide variety of concepts are drawn up and explored on paper. Various ideas are evaluated against each other and whittled down to a small handful. Then, cardboard models are created and the concepts further refined. This continues through several further phases until it gets down to the fun part of choosing colours and materials for the final product.

Watching the effects of cost and manufacturing process shape the finished item is instructive as to how the design process works in the real world. The toilet paper holder itself is an interesting unit, too – using adjustable magnetic detents to enable one-handed use, as well as including a cell phone holder.

We’ve seen [Eric]’s work before – such as his primer on the value of cardboard in design. Video after the break.
