Hurdy-Gurdy Gets Modernized with MIDI Upgrades

If you’ve never heard a hurdy-gurdy before, you’re in for a treat. Not many people have, since they’re instruments which are uncommon outside of some eastern European communities. Think of a violin that replaces the bow with a hand-cranked wheel, and adds some extra strings that function similarly to drones on a bagpipe. The instrument has been around for hundreds of years, but now it’s been given an upgrade via the magic of MIDI.

All of these new features come from [Barnaby Walters] who builds hurdy-gurdies by hand but has recently been focusing on his MIDI interface. The interface can do pitch-shifting polyphony, which allows the instrument to make its own chords and harmonies. It also has a hybrid poly synthesizer, which plays completely different sounds, and can layer them on top of one another. It can also split the keyboard into two instruments, where the top half plays one sound and the bottom half another. It’s an interesting take on an interesting instrument, and the video is definitely worth a look.

The hurdy-gurdy isn’t a commonly used instrument for hacking compared to something like drums or the violin, of course. In fact we had to go back over ten years to find any other articles featuring the hurdy-gurdy, the Furby Gurdy. It was an appropriately named instrument.

Thanks to [baldpower] for the tip!


Harmony Hub Hacked and Patched

When we say “hack” here we most often mean either modifying something to do something different or building something out of parts. But as we build more Internet-connected things, it is worthwhile to think about the other kind of hack where people gain unauthorized access to a system. For example, you wouldn’t think a remote control would be a big deal for hackers. But the Logitech Harmony Hub connects to the Internet and runs Linux. What’s more, it can control smart devices like door locks and thermostats, so hacking it could cause problems. FireEye’s Mandiant Red Team set out to hack the Harmony and found it had a lot of huge security problems.

The remote didn’t check Logitech’s SSL certificate for validity. It didn’t have a secure update process. There were developer tools (an SSH server) left inactive in the production firmware and — surprisingly — the root password was blank! The team shared their findings with Logitech before publishing the report and the latest patch from the company fixes these problems. But it is instructive to think about how your Raspberry Pi project would fare under the same scrutiny.
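To put a Raspberry Pi project under the same scrutiny, the sketch below checks for two of the findings listed above: an account with a blank password and an SSH server configured to accept it. It is an added example, not code from FireEye or Logitech; it assumes the standard `/etc/shadow` field layout and OpenSSH's `sshd_config` format, and the sample inputs are constructed.

```python
import re

# Constructed sample inputs (not taken from any real device).
SAMPLE_SHADOW = """\
root::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
pi:$6$constructedsalt$constructedhash:17000:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
"""

def empty_password_accounts(shadow_text):
    """Accounts whose shadow password field is empty, i.e. no password needed."""
    accounts = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            accounts.append(fields[0])
    return accounts

def sshd_global_settings(config_text):
    """Global sshd_config keywords, lowercased; the first occurrence wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks follow; stop at global scope
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def audit(shadow_text, sshd_config_text):
    """Return findings; run it even if sshd is disabled, since a dormant
    server with these settings is exposed as soon as something enables it."""
    findings = [f"account '{u}' has an empty password"
                for u in empty_password_accounts(shadow_text)]
    cfg = sshd_global_settings(sshd_config_text)
    # Defaults below are OpenSSH's when the keyword is absent.
    if cfg.get("permitemptypasswords", "no") == "yes":
        findings.append("sshd accepts empty passwords")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("sshd allows root to log in with a password")
    return findings
```

On a real system, pass in the contents of `/etc/shadow` (readable only by root) and `/etc/ssh/sshd_config`; an empty result means neither of these two problems was found, not that the device is secure.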

In fact, the most interesting part of the story is the blow-by-blow description of the attack. We won’t spoil the details, but the approach was to feed the device a fake update package that turned on a dormant SSH server. Although they started by trying to solder wires to a serial port, that wasn’t productive and the final attack didn’t require any of that.

We’ve looked at some ways to harden Linux systems like the Raspberry Pi before, but honestly, it is an ongoing battle. We’ve seen plenty of devices with cybersecurity holes in them — some not found by good guy hackers first.