An Eight-Day Home Automation Hackathon Is Inspiration For Getting More Projects Done

There’s nothing quite like a deadline to cut through extras and get right at the heart of the problem. Maybe we should all follow Interpreet’s example and stop thinking about automating our homes and just make it in an eight-day hackathon. His talk at the 2019 Hackaday Superconference covers the zero-to-deployment home automation build he finished in the eight days leading up to his move from one continent to another.

Hackaday’s very own Inderpreet Singh found himself pulling up roots and moving from his home in India to teach at Centennial College in Toronto, Canada. He needed a way to keep an eye on his home from afar and the name of the game is IoT. When the only choice is “whatever works right now”, you can learn a lot about simple solutions.

He chose familiar hardware to work with, with the ESP8266 making up the bulk of the nodes and a Raspberry Pi as as a central hub for the setup. He chose to communicate between all the nodes on his system using WiFi because the hardware is robust and available. With security in mind, he keeps the automation system separate from the daily use WiFi system by grabbing an extra access point to serve as the automation network. The Raspberry Pi serves as a router of sorts; its Ethernet port is connected to the IoT device’s AP, while the onboard WiFi is used to connect to the home’s main AP for a connection to the wider Internet.

Software for the system is built on a REST API served by a Python Flask app. Many would advocate for using MQTT but Inderpreet’s testing with that protocol came up short as the broker he intended to use was no longer available. One of the interesting parts of his system design is that all nodes will check in at regular intervals; this allows them to inquire about actions they need to take, but it also allows the system to detect a malfunctioning node immediately. I’ve seen a similar trick used by Elliot Williams where he assigns a “ping” topic to all MQTT devices that causes them to report in with their IP address. Having a system to query and ensure the health of every node is a big tip to take away from this talk.

Continue reading “An Eight-Day Home Automation Hackathon Is Inspiration For Getting More Projects Done”

Modular Solar-Powered IoT Sensors

Bringing a product to market is not easy, if it were everyone would be doing it, and succeeding. The team at Pycno is in the process of launching their second product, a modular solar powered IoT unit called Pulse. It’s always interesting to get an inside look when a company is so open during the development process, and see how they deal with challenges.

Pycno’s first product was a solar powered sensor suite for crops. This time round they are keeping the solar part, but creating a modular system that can accept wired or wireless connections (2G/3G/4G, WiFi, LoRa, GPS and Bluetooth 5) or modules that slide into the bottom of the unit. They plan to open source the module design to allow other to design custom modules, which is a smart move since interoperability can be a big driving factor behind adoption. The ease of plugging in sensors is a very handy feature, since most non-Hackaday users would probably prefer to not open up expensive units to swap out sensors. The custom solar panel itself is pretty interesting, since it features an integrated OLED display. It consists of a PCB with the cutout for the display, with solar cells soldered on before the whole is laminated to protect the cells.

Making a product so completely modular also has some pitfalls, since it can be really tricky to market something able to do anything for anybody. However, we wish them the best of luck with their Kickstarter (video after the break) and look forward to seeing how the ecosystem develops.

When a large community develops around a modular ecosystem, it can truly grow beyond the originator’s wildest dreams. Just look at Arduino and Raspberry Pi. We’re also currently running a contest involving boards for the Feather form factor if you want to get in on the act. Continue reading “Modular Solar-Powered IoT Sensors”

Another IoT Debacle: Charter Offers Home Insecurity

If you are a glass-half-empty person, you’ll view Charter’s announcement that they will shutter their home security and smart home service on February 5th as another reason not to buy into closed-source IoT devices. If you are a glass-half-full person though, you’ll see the cable company’s announcement as a sign that a lot of Zigbee hardware will soon flood the surplus market. Ars Technica reports that after investigation it appears that some of the devices may connect to a standard Zigbee hub after a factory reset, but many others will definitely not.

As you might expect, users were less than thrilled. Especially those that shelled out thousands of dollars on sensors and cameras. This sort of thing might be expected if a company goes out of business, but Charter just doesn’t want to be in the home security business anymore.

Continue reading “Another IoT Debacle: Charter Offers Home Insecurity”

Apple HomeKit Accessory Development Kit Gets More Accessible

Every tech monopoly has their own proprietary smart home standard; how better to lock in your customers than to literally build a particular solution into their homes? Among the these players Apple is traditionally regarded as the most secretive, a title it has earned with decades of closed standards and proprietary solutions. This reputation is becoming progressively less deserved when it comes to HomeKit, their smart home gadget connectivity solution. In 2017 they took a big step forward and removed the need for a separate authentication chip in order to interact with HomeKit. Last week they took another and released a big chunk of their HomeKit Accessory Development Kit (ADK) as well. If you’re surprised not to have heard sooner, that might be because it was combined the the even bigger news about Apple, Amazon, the Zigbee Alliance, and more working together on more open, interoperable home IoT standards. Check back in 2030 to see how that is shaping up.

“The HomeKit ADK implements key components of the HomeKit Accessory Protocol (HAP), which embodies the core principles Apple brings to smart home technology: security, privacy, and reliability.”
– A descriptive gem from the README

Apple’s previous loosening-of-restrictions allowed people to begin building devices which could interact natively with their iOS devices without requiring a specific Apple-sold “auth chip” to authenticate them. This meant existing commercial devices could become HomeKit enabled with an OTA, and hobbyists could interact in sanctioned, non-hacky ways. Part of this was a release of the (non-commercial) HomeKit specification itself, which is available here (with Apple developer sign in, and license agreement).

Despite many breathless mentions in the press release it’s hard to tell what the ADK actually is. The README and documentation directory are devoid of answers, but spelunking through the rest of the GitHub repo gives us an idea. It consists of two primary parts, the HomeKit Accessory Protocol itself and the Platform Abstraction Layer. Together the HAP implements HomeKit itself, and the PAL is the wrapper that lets you plug it into a new system. It’s quite a meaty piece of software; the HAP’s main header is a grueling 4500 lines long, and it doesn’t take much searching to find some fear-inspiring 50 line preprocessor macros. This is a great start, but frankly we think it will take significantly more documentation to make the ADK accessible to all.

If it wasn’t obvious, most of the tools above are carefully licensed by Apple and intended for non-commercial use. While we absolutely appreciate the chance to get our hands on interfaces like this, we’re sure many will quibble over if this really counts as “open source” or not (it’s licensed as Apache 2.0). We’ll leave that for you in the comments.

Amazon Ring: Neighbors Leaking Data On Neighbors

For a while now a series of stories have been circulating about Amazon’s Ring doorbell, an Internet-connected camera and entry system that lets users monitor and even interact with visitors and delivery people at their doors. The adverts feature improbable encounters with would-be crooks foiled by the IoT-equipped homeowner, but the stories reveal a much darker side. From reports of unhindered access by law enforcement to privately-held devices through mass releases of compromised Ring account details to attackers gaining access to children via compromised cameras, it’s fair to say that there’s much to be concerned about.

One cause for concern has been the location data exposed by the associated Amazon Neighbors crowd-sourced local crime paranoia app, and for those of us who don’t live and breathe information security there is an easy-to-understand Twitter breakdown of its vulnerabilities from [Elliot Alderson] that starts with the app itself and proceeds from there into compromising Ring accounts by finding their passwords. We find that supposedly anonymized information in the app sits atop an API response with full details, that there’s no defense against brute-forcing a Ring password, and that a tasty list of API and staging URLs is there for all to see embedded within the app. Given all that information, there’s little wonder that the system has proven to be so vulnerable.

As traditional appliance makers have struggled with bringing Internet connectivity into their products there have been a few stories of woeful security baked into millions of homes. A defense could be made that a company with roots outside the Internet can be forgiven for such a gaffe, but in the case of Amazon whose history has followed that of mass Web adoption and whose infrastructure lies behind so much of the services we trust, this level of lax security is unforgivable. Hackaday readers will be aware of the security issues behind so-called “smart” devices, but to the vast majority of customers they are simply technological wonders that are finally delivering a Jetsons-style future. If some good comes of these Ring stories it might be that those consumers finally begin to wake up to IoT security, and use their new-found knowledge to demand better.

Header image: Ring [CC BY-SA 4.0]

Hackaday Links: December 8, 2019

Now that November of 2019 has passed, it’s a shame that some of the predictions made in Blade Runner for this future haven’t yet come true. Oh sure, 109 million people living in Los Angeles would be fun and all, but until we get our flying cars, we’ll just have to console ourselves with the ability to “Enhance!” photographs. While the new service, AI Image Enlarger, can’t tease out three-dimensional information, the app is intended to sharpen enlargements of low-resolution images, improving the focus and bringing up details in the darker parts of the image. The marketing material claims that the app uses machine learning, and is looking for volunteers to upload high-resolution images to improve its training set.

We’ve been on a bit of a nano-satellite bender around here lately, with last week’s Hack Chat discussing simulators for CubeSats, and next week’s focusing on open-source thrusters for PocketQube satellites. So we appreciated the timing of a video announcing the launch of the first public LoRa relay satellite. The PocketCube-format satellite, dubbed FossaSat-1, went for a ride to space along with six other small payloads on a Rocket Lab Electron rocket launched from New Zealand. Andreas Spiess has a short video preview of the FossaSat-1 mission, which was designed to test the capabilities of a space-based IoT link that almost anyone can access with cheap and readily available parts; a ground station should only cost a couple of bucks, but you will need an amateur radio license to uplink.

We know GitHub has become the de facto standard for source control and has morphed into a collaboration and project management platform used by everybody who’s anybody in the hacking community. But have you ever wished for a collaboration platform that was a little more in tune with the needs of hardware designers? Then InventHub might be of interest to you. Currently in a limited beta – we tried to sign up for the early access program but seem to have been put on a waiting list – it seems like this will be a platform that brings versioning directly to the ECAD package of your choice. Through plugins to KiCad, Eagle, and all the major ECAD players you’ll be able to collaborate with other designers and see their changes marked up on the schematic — sort of a visual diff. It seems interesting, and we’ll be keeping an eye on developments.

Amazon is now offering a stripped-down version of their Echo smart speaker called Input, which teams up with speakers that you already own to satisfy all your privacy invasion needs on the super cheap — only $10. At that price, it’s hard to resist buying one just to pop it open, which is what Brian Dorey did with his. The teardown is pretty standard, and the innards are pretty much what you’d expect from a modern piece of surveillance apparatus, but the neat trick here involved the flash memory chip on the main board. Brian accidentally overheated it while trying to free up the metal shield over it, and the BGA chip came loose. So naturally, he looked up the pinout and soldered it to a micro-SD card adapter with fine magnet wire. He was able to slip it into a USB SD card reader and see the whole file system for the Input. It was a nice hack, and a good teardown.

Your WiFi Signals Are Revealing Your Location

The home may be the hearth, but it’s not going to be a place of safety for too long.

With the abundance of connected devices making their ways into our homes, increasing levels of data may allow for more accurate methods for remote surveillance. By measuring the strength of ambient signals emitted from devices, a site can be remotely monitored for movement. That is to say, WiFi signals may soon pose a physical security vulnerability.

In a study from the University of Chicago and the University of California, Santa Barbara, researchers built on earlier studies where they could use similar techniques to “see through walls” to demonstrate a proof-of-concept for passive listening. Attackers don’t need to transmit signals or break encryptions to gain access to a victim’s location – they just need to listen to the ambient signals coming from connected devices, making it more difficult to track bad actors down.

Typically, connected devices communicate to an access point such as a router rather than directly with the Internet. A person walking near a device can subtly change the signal propagated to the access point, which is picked up by a receiver sniffing the signal. Most building materials do not block WiFi signals from propagating, allowing receivers to be placed inconspicuously in different rooms from the access point.

WiFi sniffers are relatively inexpensive, with models running for less than $20. They’re also small enough to hide in unsuspecting locations – inside backpacks, inside a box – and emit no signal that could be detected by a target. The researchers proposed some methods for safeguarding against the vulnerability: insulating buildings against WiFi leakage (while ensuring that desirable signals, i.e. signals from cell tower are still able to enter) or having access points emit a “cover signal” that mixes signals from connected devices to make it harder to sniff for motion.

While we may not be seeing buildings surrounded by Faraday cages anytime soon, there’s only going to be more attack surfaces to worry about as our devices continue to become connected.

[Thanks to Qes for the tip!]