Hackaday Prize Entry: USB GSM GPS 9DOF SD TinyTracker Has All The Acronyms

[Paul] has put together an insanely small yet powerful tracker for monitoring all the things. The USB TinyTracker is a device that packages a 48MHz processor, 2G modem, GPS receiver, 9DOF motion sensor, barometer, microphone, and micro-SD slot for data storage. He managed to get it all to fit into a USB thumb drive enclosure, meaning that you can program it however you want in the Arduino IDE, then plug it into any USB port and let it run. This enables things like remote monitoring, asset tracking, and all kinds of spy-like activity.

One of the most unusual aspects of his project, though, is this line: “Everything came together very nicely and the height of parts and PCBs is exactly as I planned.” [Paul] had picked out an enclosure that was only supposed to fit a single PCB, but with some careful calculations, and picky component selection, he managed to fit everything onto two 2-layer boards that snap together with a connector and fit inside the enclosure.

We’ve followed [Paul’s] progress on this project with an earlier iteration of his GSM GPS Tracker, which used a Teensy and fit snugly into a handlebar, but this one is much more versatile.

Show Us Your Internet Of Useful Things By Monday

Don’t forget to get your connected device entered in the Hackaday Prize by Monday morning. The current challenge is IuT ! IoT, a clever tilt at the Internet of Things, which is so hot right now. We don’t just want things to connect, we want that connection to be useful, so save your Internet Toasters and Twittering Toilets for another round.

So what are we looking for here? Any device that communicates with something else and thereby performs a service that has meaningful value. The Hackaday Prize is about building something that matters.

We’ve been covering a lot of great entries. HeartyPatch is an open source heart rate monitor and ECG that communicates through a smart phone. We’ve seen an affordable water level measuring station to help track when water levels are rising dangerously fast in flood prone areas. And the heads-up display for multimeters seeks to make work safer for those dealing with high voltages. Get inspired by all of the IuT ! IoT entries.

There’s $20,000 at stake in this challenge alone, as twenty IuT projects will be named finalists, awarded $1000 each, and move on to compete for the top prizes in the finals.

If you don’t have your project up on Hackaday.io yet, now’s the time. Once your project is published, entering is as easy as using the dropdown box on the left sidebar of your project page. [Shulie] even put together a quick video showing how to submit your entry. Check to make sure “Internet of Useful Things” is listed on your project’s sidebar and if not, use that dropdown to add it.

Hijacking The Sonoff OTA Mechanism

ITEAD’s Sonoff line is a range of Internet-of-Things devices based around the ESP8266. This makes them popular for hacking due to their accessibility. Past projects have figured out how to reflash the Sonoff devices, but for [mirko], that wasn’t enough – it was time to reverse engineer the Sonoff Over-The-Air update protocol.

[mirko]’s motivation is simple enough – a desire for IoT devices that don’t need to phone home to the corporate mothership, combined with wanting to avoid the labor of cracking open every Sonoff device to reflash it with wires like a Neanderthal. The first step involved connecting the Sonoff device to WiFi and capturing the traffic. This quickly turned up an SSL connection to a remote URL. This was easily intercepted as the device doesn’t do any certificate validation – but a lack of security is sadly never a surprise on the Internet of Things.

After capturing the network traffic, [mirko] set about piecing together the protocol used to execute the OTA updates. After a basic handshake between client and server, the server can ask the client to take various actions – such as downloading an updated firmware image. After determining the messaging format, [mirko] sought to create a webserver in Python to replicate this behaviour.

There are some pitfalls – firmware images need to be formatted slightly differently for OTA updates versus the usual serial upload method, as this process leaves the stock bootloader intact. There’s also the split-partition flash storage system to deal with, which [mirko] is still working on.

Nevertheless, it’s great to see hackers doing what they do best – taking control over hardware and software to serve their own purposes. To learn more, why not check out how to flash your Sonoff devices over serial? They’re just an ESP8266 inside, after all.

Logs For A Toilet

The Internet of Things, as originally envisioned in papers dating to the early to mid-90s, is a magical concept. Wearable devices would report your location, health stats, and physiological information to a private server. Cameras in your shower would tell your doctor if that mole is getting bigger. Your car would monitor the life of your cabin air filter and buy a new one when the time arrived. Nanobots would become programmable matter, morphing into chairs, houses, and kitchen utensils. A ubiquity of computing would serve humans as an unseen hive mind. It was paradise, delivered by ever smaller computers, sensors, and advanced robotics.

The future didn’t turn out like we planned. While the scientists and engineers were responsible for asking how they could make an Internet-connected toaster oven, no one was around to ask why anyone would want that. At least we got a 3Com Audrey out of this deal.

Fast forward to today and we learn [Christopher Hiller] just put his toilet on the Internet. Why is he doing this? Even he doesn’t know, but it does make for a great ‘logs from a toilet’ pun.

The hardware for this device is a Digistump Oak, a neat little Arduino-compatible WiFi-enabled development board. The Digistump Oak is able to publish to the Particle Cloud, and with just five lines of code, [Chris] is able to publish a flush to the Internet. The sensor for this build is a cheap plastic float switch. There are only three components in this build, and one of them is a 4k7 resistor.

Right now, there are a few issues with the build. It’s battery-powered, but that’s only because [Chris]’ toilet isn’t close enough to a wall outlet. There’s a bit of moisture in a bathroom, and clingfilm solves the problem for now, but some silly cone carne would solve that problem the right way. [Chris] also has two toilets, so he’ll need to build another one.

IOT Startup Bricks Customer’s Garage Door Intentionally

Internet of Things startup Garadget remotely bricked an unhappy customer’s WiFi garage door for giving a bad Amazon review and being rude to company reps. Garadget device owner [Robert Martin] found out the hard way how quickly the device can turn a door into a wall. After leaving a negative Amazon review, and starting a thread on Garadget’s support forum complaining the device didn’t work with his iPhone, Martin was banned from the forum until December 27, 2019 for his choice of words and was told his comments and bad Amazon review had convinced Garadget staff to ban his device from their servers.

The response was not what you would expect from a community-funded startup. “Technically there is no bricking, though,” the rep replied. “No changes are made to the hardware or the firmware of the device, just denied use of company servers.” Tell that to [Robert] who can’t get into his garage.

This caused some discontent among other customers wondering if it was just a matter of time before more paying customers are subjected to this outlandish treatment. The Register asked Garadget’s founder [Denis Grisak] about the situation; his response is quoted below.

 It was a Bad PR Move, Martin has now had his server connection restored, and the IOT upstart has posted a public statement on the matter.– Garadget

This whole debacle brings us to the conclusion that the IoT boom has a lot of issues ahead that need to be straightened out especially when it comes to ethics and security. It’s bad enough to have to deal with the vagaries of IoT Security and companies who shut down their products because they’re just not making enough money. Now we have to worry about using “cloud” services because the people who own the little fluffy computers could just be jerks.

California Looks To Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minimum level of security for Internet of Things devices and then some. California SB 327 Information privacy: connected devices in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there are really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally it has been suggested that the devices in question would be required to notify in some way the user when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware and we’ve all known one day the government would get involved. Often this type of action requires a major event where people were in some way harmed either physically or financially that would push this issue. Denial of service attacks have already occurred and hijacking of webcams and such are commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

2017: The Year Of The Dishwasher Security Patch

As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

The Register reports that Jens Regel discovered the bug in a Miele dishwasher with a webserver. It’s a basic directory traversal attack that can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.

It’s not particularly surprising – we’ve talked about IoT security and its pitfalls before. The problem is, a dishwasher is not a computer. Unlike Microsoft, or Google, or even the people behind VLC, Miele don’t have infrastructure in place to push out an update to dishwashers worldwide. This means that as it stands, your only real solutions are to either disconnect the dishwasher from your network, or lock it behind a highly restrictive firewall. Both are likely to impede functionality. Of course, as always, many will ask why a dishwasher needs to be connected to the Internet at all. Why indeed.
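
Directory traversal in an embedded web server generally means the request path is joined onto the document root without checking where the result lands. As an added example (not code from the article, the bug report, or Miele's firmware), this Python function shows the containment check a file-serving handler needs, including the percent-encoded and symlink cases; the function name, the throwaway web root and the sample requests are all constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_request_path(doc_root, url_path):
    """Map a request path to a file under doc_root, or return None.

    Hypothetical helper, not taken from any vendor firmware.
    """
    root = os.path.realpath(doc_root)
    # Drop the query string, then percent-decode exactly once so that
    # encoded dot segments (%2e%2e) are seen in the form the OS will see.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None  # NUL bytes can truncate paths in C-backed file APIs
    # realpath() collapses ".." segments and follows symlinks, so the
    # containment check below runs on the path that would really be opened.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Run constructed requests against a throwaway document root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.mkdir(root)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("ok")
        # A symlink inside the web root that points outside of it.
        os.symlink(tmp, os.path.join(root, "escape"))
        requests = [
            "/index.html",
            "/../../../../etc/shadow",
            "/%2e%2e/%2e%2e/etc/shadow",
            "/escape/secret.txt",
            "/index.html?lang=../../etc",
        ]
        return {r: resolve_request_path(root, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", request)
```

The check runs on the resolved path rather than on the raw string, which is why filtering for a literal `../` alone is not enough: the encoded and symlink requests contain no such substring by the time a naive filter sees them, or at all.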