IOT Startup Bricks Customers Garage Door Intentionally

Internet of Things startup Garadget remotely bricked an unhappy customer’s WiFi garage door for giving a bad Amazon review and being rude to company reps. Garadget device owner [Robert Martin] found out the hard way how quickly the device can turn a door into a wall. After leaving a negative Amazon review, and starting a thread on Garadget’s support forum complaining the device didn’t work with his iPhone, Martin was banned from the forum until December 27, 2019 for his choice of words and was told his comments and bad Amazon review had convinced Garadget staff to ban his device from their servers.

The response was not what you would expect from a community-funded startup. “Technically there is no bricking, though,” the rep replied. “No changes are made to the hardware or the firmware of the device, just denied use of company servers.” Tell that to [Robert], who can’t get into his garage.

This caused some discontent among other customers, who wondered whether it was just a matter of time before more paying customers were subjected to this outlandish treatment. The Register asked Garadget’s founder [Denis Grisak] about the situation; his response is quoted below.

It was a bad PR move. Martin has now had his server connection restored, and the IoT upstart has posted a public statement on the matter. – Garadget

This whole debacle brings us to the conclusion that the IoT boom has a lot of issues ahead that need to be straightened out, especially when it comes to ethics and security. It’s bad enough to have to deal with the vagaries of IoT security and companies who shut down their products because they’re just not making enough money. Now we have to worry about using “cloud” services because the people who own the little fluffy computers could just be jerks.

How To Trick Your Electrical Meter By Saving Power

A group of Dutch scientists have been testing out some of today’s “smart” electrical meters to check their accuracy, among other things. Not ones to disappoint, the scientists have found consistently false readings that in some cases are 582% higher than actual energy consumption.

With experiments lasting for six months, the researchers tried to focus on meters representative of those commonly used in the Netherlands and manufactured between 2004 and 2014. Moreover, the researchers tried to reproduce standard household energy consumption patterns rather than focusing on stress tests.

Their results? Well, “results varied wildly, with some meters reporting errors way above their disclosed range, going from -32% to +582%. Tests with uncommon results were repeated several times and the results were within a few percents of the original.” Moreover, “The greatest inaccuracies were seen when researchers combined dimmers with energy saving light bulbs and LED bulbs.” Not constrained to energy saving light bulbs, the inaccuracies are, ironically, tied to devices with integrated energy saving features. (Certainly makes us want to keep a close eye on our electric meters.)

“The reason for faulty readings appears to be the current sensor, and the associated circuitry,” said researchers. “The experimental results […] show that static energy meters can be pushed into faulty reading (positive and negative) if sufficiently fast pulsed currents are drawn by the consumer”.

It is worth noting that there is contradictory research published by “the European voice of the providers of smart energy solutions” that maintains that “there is no reason to question smart metering technology”. Still, we wouldn’t blame you if you wanted a second opinion.

Thanks [acs] for sending this in!


Gigabytes The Dust With UEFI Vulnerabilities

At this year’s BlackHat Asia security conference, researchers from Cylance disclosed two potentially fatal flaws in the UEFI firmware of Gigabyte BRIX small computers which allow a would-be attacker unfettered low-level access to the computer.

Gigabyte has been working on a fix since the start of 2017. It is preparing to release firmware updates as a matter of urgency for only one of the affected models, the GB-BSi7H-6500 (firmware vF6), while leaving the GB-BXi7-5775 (firmware vF2) unpatched as it has reached its end of life. We understand that support can’t last forever, but if you sell products with such a big fault from the factory, it might be worth fixing the problem to keep your reputation.

The two vulnerabilities that have been discovered look like a massive oversight on Gigabyte’s part: they didn’t enable write protection for their UEFI firmware (CVE-2017-3197), and they seem to have thrown cryptography out of the window when it comes to signing their UEFI files (CVE-2017-3198). The latter vulnerability is partly due to the firmware update process neither verifying a checksum nor using HTTPS, relying instead on its insecure sibling HTTP. CERT has issued an official vulnerability note (VU#507496) for both flaws.

Attackers may exploit the vulnerabilities to execute unsigned code in System Management Mode (SMM), planting whatever malware they like into the low level workings of the computer. Cylance explain a possible scenario as follows:

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.

With all this said, it does raise some interesting opportunities for the hacker community. We wonder if anyone will come up with a custom UEFI for the Brix since Gigabyte left the keys in the door.
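The first flaw above is the absence of SPI flash write protection. As an added example (not Gigabyte’s or Cylance’s code), the check below decodes the Intel PCH registers that enforce it, the way firmware-audit tools such as chipsec do: the BIOS_CNTL bits BIOSWE, BLE and SMM_BWP, the FLOCKDN bit of HSFS, and the PRx protected-range registers. Register layouts are assumed from Intel PCH documentation; the sample register values are constructed, not dumps from a BRIX.

```python
"""Decode Intel PCH SPI-flash write-protection registers (added example).

Assumed layouts (not from the article): BIOS_CNTL at LPC config offset
0xDC, HSFS in the SPI host controller, PR0..PR4 protected ranges.
"""

# BIOS_CNTL bits
BIOSWE = 1 << 0    # BIOS Write Enable: writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # BIOS writes only permitted while the CPU is in SMM

# HSFS bit
FLOCKDN = 1 << 15  # locks PRx and flash configuration until next reset

# PRx bit
PR_WPE = 1 << 31   # write-protect enable for that range


def bios_write_protected(bios_cntl, hsfs, prs):
    """Report which protections are in effect for the BIOS region.

    Conservative rules: BLE alone does not count, because it only traps a
    write via SMI and relies on the handler refusing it; BLE together with
    SMM_BWP counts; PRx ranges count only once FLOCKDN is set.
    """
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    bioswe = bool(bios_cntl & BIOSWE)
    flockdn = bool(hsfs & FLOCKDN)
    locked = [i for i, pr in enumerate(prs) if pr & PR_WPE] if flockdn else []
    cntl_ok = ble and smm_bwp and not bioswe
    return {
        "bios_cntl_protected": cntl_ok,
        "protected_ranges": locked,
        "write_protected": cntl_ok or bool(locked),
    }


# Constructed register snapshots (not real dumps from the affected units)
UNPROTECTED = dict(bios_cntl=0x01, hsfs=0x0000, prs=[0, 0, 0, 0, 0])
PROTECTED = dict(bios_cntl=0x22, hsfs=0x8000, prs=[0x8FFF0400, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, regs in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, bios_write_protected(**regs))
```

On real hardware the inputs come from reading the PCH configuration space and SPIBAR (for example via chipsec’s bios_wp module); this block only shows how the bits are interpreted.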

California Looks To Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minimum level of security for Internet of Things devices and then some. California SB 327, “Information privacy: connected devices”, in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there are really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally, it has been suggested that the devices in question would be required to notify the user in some way when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry about lackluster (often absent) security on this growing army of IoT hardware, and we’ve all known that one day the government would get involved. Often this type of action requires a major event in which people are harmed, physically or financially, to push the issue. Denial of service attacks have already occurred, and hijacking of webcams and the like is commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

Transcranial Electrical Stimulation With Arduino, Hot Glue

The advance of electronic technology has been closely followed by the medical community over the past 200 years. Cutting edge electronics are used in medical imaging solutions to provide ever greater bandwidth and resolution in applications such as MRI machines, and research to interface with the human nervous system continues at a breakneck pace. The cost of this technology – particularly in research and development – is incredibly high. Combine this with the high price of the regulatory approvals necessary for devices which deal in terms of life and death, and you’ll find that even basic medical technology is prohibitively expensive. Just ask any diabetic. On the face of things, there’s a moral dilemma. Humanity has developed technologies that can improve quality of life. Yet, due to our own rules and regulations, we cannot afford to readily distribute them.

One example of this is that despite the positive results from many transcranial electrical stimulation (TCS) studies, the devices used are prohibitively expensive, as are treatment regimens for patients. Realising this, [quicksilv3rflash] decided to develop a homebrew, open source transcranial electrical stimulation device, and published it on Instructables. Yes, that’s the world we’re now living in.

It’s important to publish a warning here: Experimenting with this sort of equipment can easily kill you, fry your brain, or have any number of other awful results. If you don’t have a rock solid understanding of the principles behind separate grounds, or your soldering is just a little sloppy, you don’t want to go anywhere near this. In particular, this device cannot be powered safely by a wall-wart.

To be honest, we find it difficult to trust any medical device manufactured out of modules sourced from eBay. But as a learning exercise, there is serious value here. Such a project requires mastery of analog design to avoid dangerous currents being passed to the body. The instructions also highlight the importance of rigorously testing the device before ever connecting it to a human body.

The equipment is based around an Arduino Nano receiving commands from a computer over serial, fed by an application written in Python & PyGame. To think, this writer thought he was being bold when he used it to control a remote control car! The Arduino Nano interprets this data and outputs it over SPI to a DAC, whose signal is then amplified and fed to the human brain courtesy of op-amps, boost converters and sponge electrodes. The output of the device is limited to +/-2.1 mA by design, in accordance with suggested limits for TCS use.

It should be noted that [quicksilv3rflash] has been experimenting with homebuilt TCS devices for several years now, and has lived to tell the tale. It’s impressive to see a full suite of homebrew, open source tools being developed in this field. [quicksilv3rflash] reports not having suffered any injuries from the device, and several devices have been shipped to redditors. We’ve only found minimal reports on people receiving these, but nothing on anyone actually using the hardware as intended. If you’ve used one, get in touch in the comments.

It goes without saying – this sort of experimentation is dangerous and the stakes for getting it wrong are ludicrously high. We’ve seen before what happens when medical devices malfunction – things get real ugly, real fast. But hackers will be hackers and if you were wondering if it was possible to build a TCS device for under $100 in parts from eBay, well, yes. Yes it is.

Save Big By Hacking Your Car Keys

Three hundred bucks for a new car key? Nonsense! When you lose your keys or want to have an extra made for that new teen driver, don’t let the stealership lighten your wallet. Just pull the ECU and hack some hex to add the new keys.

The video below is a whirlwind tour of the process [speedkar9] uses to reprogram Toyota ECUs to allow new keys to pass the security test on your new(er) car. Since the early 2000s or so, most manufacturers have included RFID chips in their keys so that only known keys will start a car. In Toyotas, this is done by an RFID reader in the steering column that passes the inserted key’s code to the engine control unit. If the 8-byte key code matches one of three values stored in the ECU, the car will start. Clearing the EEPROM in the ECU is the focus of [speedkar9]’s process, which involves connecting to the EEPROM and reading its contents. His rig includes an RS-232 serial connection, so the hardest part of this hack might be rounding up a PC with a DB-9 jack, but once you’ve got that covered, it’s just a little bit-bashing to “virginize” the ECU and ready it for reprogramming.

The details of the procedure will vary by manufacturer, of course, and cars of a more recent vintage will likely have even more security to worry about. Might you even run afoul of DRM like you would by hacking a tractor? Perhaps. But $300 is $300.


2017: The Year Of The Dishwasher Security Patch

As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

The Register reports that Jens Regel discovered the bug in a Miele dishwasher with a built-in web server. It’s a basic directory traversal attack that can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.

It’s not particularly surprising – we’ve talked about IoT security and its pitfalls before. The problem is, a dishwasher is not a computer. Unlike Microsoft, or Google, or even the people behind VLC, Miele don’t have infrastructure in place to push out an update to dishwashers worldwide. This means that as it stands, your only real solutions are to either disconnect the dishwasher from your network, or lock it behind a highly restrictive firewall. Both are likely to impede functionality. Of course, as always, many will ask why a dishwasher needs to be connected to the Internet at all. Why indeed.
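The dishwasher bug is the textbook case of a web server mapping a request path straight onto the filesystem. As an added example (a constructed stand-in, not Miele’s code), the handler below shows what a correct lookup looks like: decode, normalise, then confirm the result still lies under the document root. The document root and the sample request lines are assumed and constructed.

```python
"""Safe document-root lookup for an embedded HTTP server (added example).

Constructed stand-in, not the Miele appliance's own server code.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www"  # assumed document root, not from the article


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map a request path to a filesystem path, or raise ValueError.

    Decodes percent-encoding twice (so "%252e%252e" cannot become ".."
    at a later decode), treats backslashes as separators, joins onto the
    root and normalises, then rejects anything outside doc_root. The
    check is done after joining so that leading ".." segments are not
    silently swallowed by normpath at "/".
    """
    decoded = unquote(unquote(url_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path: %r" % url_path)
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(doc_root)
    target = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        raise ValueError("path escapes document root: %r" % url_path)
    return target


def is_traversal_attempt(url_path):
    """True if serving this request would leave the document root."""
    try:
        resolve_request_path(url_path)
        return False
    except ValueError:
        return True


# Constructed sample request paths modelled on the traversal described above
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/../../../../etc/shadow",
    "/%2e%2e/%2e%2e/etc/shadow",
    "/..%5c..%5cetc/shadow",
]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print("BLOCK" if is_traversal_attempt(p) else "ALLOW", p)
```

A real server should additionally resolve symlinks (os.path.realpath) before the containment check, since a link inside the root can still point at /etc/shadow.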