Aussies Propose Crackdown On Insecure IoT Devices

We’ve all seen the stories about IoT devices with laughably poor security, both within our community as fresh vulnerabilities are exposed and ridiculed, and more recently in the wider world as stories of easily compromised baby monitors have surfaced in mass media outlets. It’s a problem with its roots in IoT device manufacturers treating their products as appliances rather than software, and in a drive to produce them at the lowest possible price.

The Australian government has announced that IoT security is now firmly in its sights, proposing a possible certification scheme with a logo that manufacturers would be able to use if their products meet a set of requirements. Such basic security features as changeable, non-guessable, and non-default passwords are being mentioned, though we’re guessing that would also include a requirement not to expose ports to the wider Internet. Most importantly, it is said to include a requirement for software updates to fix known vulnerabilities. It is reported that they are also in talks with other countries to harmonize some of these standards internationally.

It is difficult to see how any government could enforce such a scheme by technical means such as disallowing Internet connection to non-compliant devices, and if that were what was being proposed it would certainly cause us some significant worry. Therefore it’s likely that this will be a consumer certification scheme similar to, for example, the safety standards for toys, administered as devices are imported and through enforcement of trading standards legislation. The tone in which it’s being sold to the public is one of “Think of the children” in terms of compromised baby monitors, but as long-time followers of Hackaday will know, that’s only a small part of the wider problem.

Thanks [Bill Smith] for the tip.

Baby monitor picture: Binatoneglobal [CC BY-SA 3.0].

Encryption For The Most Meager Of Devices

It seems that new stories of insecure-by-design IoT devices surface weekly, as the uneasy boundary is explored between the appliance and the Internet-connected computer. Manufacturers like shifting physical items rather than software patches, and firmware developers may not always be from the frontline of Internet security.

An interesting aside on the security of IoT traffic comes from [boz], who has taken a look at encryption of very low data rate streams from underpowered devices. Imagine perhaps that you have an Internet-connected sensor which supplies only a few readings a day that you would like to keep private. Given that your sensor has to run on tiny power resources so a super-powerful processor is out of the question, how do you secure your data? Simple encryption schemes are too easily broken.

He makes the argument for encryption from a rather unexpected source: a one-time pad. We imagine a one-time pad as a book with pages of numbers, perhaps as used by spies in Cold-War-era East Berlin. Surely storing one of those would be a major undertaking! In fact a one-time pad is simply a sequence of random keys that are stepped through, one per message, and if your message is only a relatively few bytes a day then you have no need to generate more than a few K of pad data to securely encrypt it for years. Given that even pretty meager modern microcontrollers have significant amounts of flash at their disposal, pad storage for sensor data of this type is no longer a hurdle.

Where some controversy might creep in is the suggestion that a pad could be recycled when its last entry has been used. You don’t have to be a cryptologist to know that reusing a one-time pad weakens the cypher, but he has a valid answer there too: if the repeat cycle is five years, your opponent must have serious dedication to capture all packets, and at that point it’s worth asking yourself just how sensitive the sensor data in question really is.
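As an added illustration of the scheme described above (this is not [boz]’s code), here is a minimal pad store in the style a sensor firmware would keep in flash: a pad budget calculation for a few readings a day, a forward-only cursor that consumes pad bytes one message at a time, an offset sent alongside each message so the receiver can find the same slice, and a hard stop instead of wrapping around. The `reuse_leak` helper is there to show the caveat from the last paragraph: two ciphertexts made with the same pad slice XOR to the XOR of their plaintexts, which is exactly what recycling gives away. All names and sample values are constructed for this example.

```python
import os

def pad_bytes_needed(bytes_per_message: int, messages_per_day: int, years: float) -> int:
    """Pad budget for low-rate sensor traffic: one pad byte per plaintext byte, never reused."""
    return int(bytes_per_message * messages_per_day * 365 * years)

class PadExhausted(Exception):
    """Raised instead of wrapping around: recycling the pad is the weakness discussed above."""

class OneTimePad:
    """Hypothetical pad store: a flat byte array (standing in for flash) and a cursor that only moves forward."""
    def __init__(self, pad: bytes):
        self.pad = pad
        self.cursor = 0  # a real device would persist this across reboots

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        """Consume len(plaintext) pad bytes; return (offset, ciphertext) so the receiver can locate the slice."""
        end = self.cursor + len(plaintext)
        if end > len(self.pad):
            raise PadExhausted("pad used up: provision a fresh pad rather than reusing this one")
        offset = self.cursor
        key = self.pad[offset:end]
        self.cursor = end
        return offset, bytes(p ^ k for p, k in zip(plaintext, key))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        """Recover plaintext from the pad slice named by offset; rejects slices outside the pad."""
        key = self.pad[offset:offset + len(ciphertext)]
        if len(key) != len(ciphertext):
            raise ValueError("offset/length fall outside the pad")
        return bytes(c ^ k for c, k in zip(ciphertext, key))

def reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """What an observer learns from a reused slice: XOR of the two ciphertexts equals XOR of the two plaintexts."""
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))

if __name__ == "__main__":
    # constructed example: an 8-byte reading, four times a day, for five years
    budget = pad_bytes_needed(8, 4, 5)   # 58400 bytes, comfortably under 64 KiB of flash
    pad = os.urandom(budget)             # generated once, off-device, and loaded into both ends
    sensor, collector = OneTimePad(pad), OneTimePad(pad)
    offset, ct = sensor.encrypt(b"T=21.5C ")
    print(offset, ct.hex(), collector.decrypt(offset, ct))
```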

Custom Lightbulb Firmware

The Internet of Things is developing at a rapid pace, as hobbyists and companies rush to develop the latest and greatest home automation gear. One area of particular interest to some is lighting – yes, even the humble lightbulb now comes with a brain and is ripe for the hacking.

[Tinkerman] starts by doing a full disassembly of the Sonoff B1 lightbulb. It’s a popular device, and available for less than $20 on eBay. Rated at 6 watts, the bulb has a heatsink that is seemingly far larger than necessary. Inside is the usual AC/DC converter, LED driver and an ESP8285 running the show. While this is a slightly different part to the usual ESP8266, it can be programmed in the same way by selecting the correct programming mode.

This is where it gets interesting – [Tinkerman] flashes the device with a custom firmware known as ESPurna. This firmware enables greater control over the function of the bulb, from colour choice to speaking to the bulb over MQTT.

[Tinkerman] does a great job of walking through the exact steps needed to disassemble and reprogram the bulb, and touches upon the added flexibility given by the custom firmware. We love to see projects like this one, that give greater control over IoT devices and enable users to better integrate them with other systems.

AI: This Decade’s Worst Buzz Word

In hacker circles, the “Internet of Things” is often the object of derision. Do we really need the IoT toaster? But there’s one phrase that — while not new — is really starting to annoy me in its current incarnation: AI or Artificial Intelligence.

The problem isn’t the phrase itself. It used to mean a collection of techniques used to make a computer look like it was smart enough to, say, play a game or hold a simulated conversation. Of course, in the movies it means HAL9000. Lately, though, companies have been overselling the concept and otherwise normal people are taking the bait.

The Alexa Effect

Not to pick on Amazon, but all of the home assistants like Alexa and Google Now tout themselves as AI. By the most classic definition, that’s true. AI techniques include matching natural language to predefined templates. That’s really all these devices are doing today. Granted the neural nets that allow for great speech recognition and reproduction are impressive. But they aren’t true intelligence nor are they even necessarily direct analogs of a human brain.

DIY Wireless Sprinkler System? Don’t Mind If I Do.

What to do once you have a sprinkler system installed on your property: buy a sprinkler control system or make your own? The latter, obviously.

[danaman] was determined to hack together a cheap, IoT-enabled system, but it wasn’t easy — it took the better part of a year to get working. Instead of starting right from scratch, he used the open-source Sustainable Irrigation Platform (SIP) control software — a Python sprinkler scheduler with some features [danman] was looking for (e.g. it won’t activate if there’s rain in the forecast). Since he wasn’t running it on a Raspberry Pi as recommended, [danman] wrote a Python plugin that runs on his home server as a daemon, listens on TCP port 20000 for connections, and then updates the relevant relays. OK, software done; on to the relay controller box!

Fight Mold and Mildew with an IoT Bathroom Fan

Delicious sheets of wallboard coated with yummy latex paints, all kept warm and moist by a daily deluge of showers and habitually forgetting to turn on the bathroom exhaust fan. You want mildew? Because that’s how you get mildew.

Fed up with the fuzzy little black spots on the ceiling, [Innovative Tom] decided to make bathroom ventilation a bit easier with this humidity-sensing IoT control for his bathroom exhaust fan. Truthfully, his build accomplishes little more than a $15 timer switch for the fan would, with one critical difference — it turns the fan on automatically when the DHT11 sensor tells the WeMos board that the relative humidity has gone over 60%. A relay shield kicks the fan on until the humidity falls below a set point. A Blynk app lets him monitor conditions in the bathroom and override the automatic fan, which is handy for when you need it for white noise generation more than exhaust. The best part of the project is the ample documentation and complete BOM in the description of the video below, making this an excellent beginner’s project.

No bathroom fan? Not a problem — this standalone humidity-sensing fan can help. Or perhaps you have other bathroom ventilation needs that this methane-sensing fan could help with?

ESP8266 Based Internet Radio Receiver is Packed with Features

Have a beautiful antique radio that’s beyond repair? This ESP8266 based Internet radio by [Edzelf] would be an excellent starting point to get it running again, as an alternative to a Raspberry Pi based design. The basic premise is straightforward: an ESP8266 handles the connection to an Internet radio station of your choice, and a VS1053 codec module decodes the stream to produce an audio signal (which will require some form of amplification afterwards).

Besides the excellent documentation (PDF warning), where this firmware really shines is the sheer number of features that have been added. It includes a web interface that allows you to select an arbitrary station, cycle through presets, and adjust volume, bass, and treble.

If you prefer physical controls, it supports buttons and dials. If you’re in the mood for something more Internet of Things, it can be controlled by the MQTT protocol as well. It even supports a color TFT screen by default, although this reduces the number of pins that can be used for button input.

The firmware also supports playing arbitrary .mp3 files hosted on a server. Given the low parts count and the wealth of options for controlling the device, we could see this device making its way into doorbells, practical jokes, and small museum exhibits.

To see it in action, check out the video below:

[Thanks JeeCee]

Continue reading “ESP8266 Based Internet Radio Receiver is Packed with Features”