HTTPS for the Internet of Things

Every day, we’re connecting more and more devices over the internet. No longer does a household have a single connected computer — there are smartphones, tablets, HVAC systems, deadbolts — you name it, it’s been connected. As the Internet of Things proliferates, it has become readily apparent that security is an issue in this space. [Andreas Spiess] has been working on this very problem, by bringing HTTPS to the ESP8266 and ESP32. 

Being the most popular platform for IOT devices, it makes sense to start with the ESP devices when improving security. In his video, [Andreas] starts at the beginning, covering the basics of SSL, before branching out into how to use these embedded systems with secure cloud services, and the memory requirements to do so. [Andreas] has made the code available on GitHub so it can be readily included in your own projects.

Obviously implementing increased security isn’t free; there’s a cost in terms of processing power, memory, and code complexity. However, such steps are crucial if IOT devices are to become trusted in wider society. A malfunctioning tweeting coffee pot is one thing, but being locked out of your house is another one entirely.

We’ve seen other takes on ESP8266 security before, too. Expect more to come as this field continues to expand.

[Thanks to Baldpower for the tip!]

US Announces Withdrawal From Postal Treaty; International Shipping Prices Expected to Rise

The United States has announced plans to withdraw from a 144-year-old postal treaty that sets lower international shipping rates. The US claims this treaty gives countries like China and Singapore an unfair advantage that floods the US market with cheap packages. The BBC reports the withdrawal from this treaty will increase shipping costs from China by between 40% and 70%.

The treaty in question is the Universal Postal Union, which established that each country should retain all money it has collected for international postage. The US Chamber of Commerce has said this treaty, ‘leads to the United States essentially paying for Chinese shipping’. This is especially true since 2010, when the US Postal Service entered an agreement with eBay Greater China & Southeast Asia and the China Post Express & Logistics Corporation. This agreement established e-packet delivery where packages weighing up to 2 kg would be delivered at lower prices. If you have ordered inexpensive products shipped from abroad, it is likely the e-packet price that made this possible.

This will affect businesses that capitalize on imports and exports; the storefronts on Amazon and eBay that resell Chinese goods rely on cheap shipping from China. It will also affect companies based outside of the United States that ship to US customers. Small businesses within the US who manufacture at low enough quantities to get their components/raw-materials shipped under the e-packet rates will also see a hit. An increase in shipping costs will mean higher prices for all of these products.

The move is also being justified as a way to level the playing field for US manufacturers who are shipping from within the US and may be paying higher rates to ship to the same customers as foreign-bought goods. It is the latest development in a growing trade war between the US and China which has already seen several rounds of tariffs on goods like electronics, and even 3D printing filament. It’s hard to see how the compounding effect of these will be anything but higher prices for consumers. Manufacturers seeing the pinch on raw materials and components will pass this on to customers, who will also soon see higher shipping prices than they are used to.

LibSSH Vuln: You Don’t Need to See my Authentication

Another day, another CVE (Common Vulnerabilities and Exposures). Getting a CVE number assigned to a vulnerability is a stamp of authenticity that you have a real problem on your hands. CVE-2018-10933 is a worst case scenario for libssh. With a single response, an attacker can completely bypass authentication, giving full access to a system.

Before you panic and yank the power cord on your server, know that libssh is not part of OpenSSH. Your Linux box almost certainly uses OpenSSH as the SSH daemon, and that daemon is not vulnerable to this particular problem. Libssh does show up in a few important places; the most notable is probably GitHub, whose security team has already announced that their implementation was not vulnerable.

Libssh has released a new version that fixes the problem. Stick around for the details after the break.


FIDO2 Authentication In All The Colors

Here at Hackaday, we have a soft spot for security dongles. When a new two-factor authentication dongle is open source, uses USB and NFC, and supports FIDO2, the newest 2FA standard, we take notice. That just happens to be exactly what [Conor Patrick] is funding on Kickstarter.

We’ve looked at [Conor]’s first generation hardware key, and the process of going from design to physical product. With that track record, the Solo security key promises to be more than the vaporware that plagues crowdfunding services.

Another player, Yubikey, has also recently announced a new product that supports FIDO2 and NFC. While Yubikey has stepped away from their early open source policy, Solo is embracing the open source ethos. The Kickstarter promises the release of both the software and hardware design as fully open, using MIT and CC BY-SA licenses.

For more information, see the blog post detailing the project goals and initial design process. As always, caveat emptor, but this seems to be a crowdfunding project worth taking a look at.

Hams see Dark Side Of The Moon Without Pink Floyd

Ham radio operators bouncing signals off the moon have become old hat. But a ham radio transmitter on the Chinese Longjiang-2 satellite is orbiting the moon and has sent back pictures of the Earth and the dark side of the moon. The transceiver’s main purpose is to allow hams to downlink telemetry and relay messages via lunar orbit.

While the photo was received by the Dwingeloo radio telescope, reports are that other hams also picked up the signal. The entire affair has drawn in hams around the world. Some of the communications use a modulation scheme devised by [Joe Taylor, K1JT] who also happens to be a recipient of a Nobel prize for his work with pulsars. The Dwingeloo telescope has several ham radio operators including [PA3FXB] and [PE1CHQ].


Flash: Arduino Vidor FPGA Instructions Hit France

If you speak French and you have an Arduino Vidor 4000, you are in luck because there’s some good news. The good news is there’s finally some inside information about how to configure the onboard FPGA yourself. The bad news though is that it is pretty sparse. If your high school French isn’t up to the task, there’s always Google Translate.

We knew some of this already. You’ll need Quartus, the FPGA design tool from Altera — er, Intel — and we know about the sample project on GitHub, too. Instead of using conventional Verilog or VHDL, the new information uses schematic capture, but that’s OK. All the design entry winds up in the same place, so it should be easy to adapt to the language of your choice. In fact, in part 2 they show both some schematics and some Verilog. Google Translate does have a little trouble with code comments, though. If you want something even stouter, there’s an example that uses Verilog to output a video frame.


Mergers And Acquisitions: Apple Buys Most of Dialog

Apple is buying a $600 million stake in Dialog Semiconductor in a deal Dialog is describing as an asset transfer and licensing deal.

Dialog’s current portfolio is focused mainly on mobile devices, with Bluetooth wearables-on-a-chip, CODEC chips for smartphones, and power management ICs for every type of portable electronics. Power management ICs are by far the most visible component, although they do have the very interesting GreenPAK, a sort of mixed-signal FPGA-ish thing that is one of the more interesting chips to come online in the last few years. Apple, of course, are a trillion dollar company that once made computers, but now receives most of its revenue through phone dongles and lightning connector converters. It is not clear at the time of this writing whether a Dialog engineer with experience in heat management will be joining Apple.

In the last week, Apple have taken some bad press about the state of their supply chain. Bloomberg reported Apple found hidden chips in Supermicro motherboards, ostensibly implanted by Chinese intelligence agencies. This story is reportedly multiply sourced, but there’s no evidence or explanation of how this supply chain hack was done. In short, infiltration of a supply chain by foreign agents could happen (and I suspect Bloomberg engineers found something in some of their hardware), but the Bloomberg piece is merely a wake-up call telling us yes, you are vulnerable to a hardware attack.

This is further evidence of Apple’s commitment to vertical integration. Apple are making their own chips, and the A12 Bionic in the new iPhone X is an Apple-designed CPU, GPU, and ‘neural engine’ that turns your Facetime sessions into animated emojis. This chip is merely the latest in a series of SoCs developed by Apple, and adds to Apple’s portfolio of chips designed to run the Apple Watch, Apple AirPods, and system management controllers in Apple products. There’s no other electronics manufacturer that is as dedicated to vertical integration as Apple (although we’re pouring one out for Commodore), and the acquisition of Dialog will surely add to Apple’s capabilities.