IoT

318 Articles

Custom Firmware For Cheap Smart Bulbs Is A Cinch To Tinker With

February 11, 2020 by 14 Comments

It’s the end of another decade, and while we don’t have real hoverboards, flying cars, or affordable dental care, we do have multicolored lightbulbs you can control over WiFi. [Don Howdeshell] picked up a couple of cheap Merkury branded units in a Black Friday sale, and quickly set about hacking them.

By and large, many of these bulbs are manufactured by various companies and rebranded for whoever happens to place an order. The bulbs tend to use the Tuya IOT ecosystem. Based on the ESP8266, reflashing the bulbs with custom firmware is simple, thanks to the Tuya Convert project. Using a Linux computer with a WiFi card running in Access Point mode, it spoofs a server that tricks the Tuya product into downloading a firmware update. From there, the bulb is an open book, ready to do your bidding.

One of [Don]’s attempts didn’t go so swimmingly, however. Flashing the firmware failed and the bulb was non-functional. [Don] elected to to a teardown, photographing it for our perusal, before hooking up to the ESP8266 directly over its serial interface. From there, it was simple to reprogram the bulb with Tasmota firmware, getting it back up and running.

Security alone is a great reason for running your own firmware on IoT devices. It never hurts to know what you’re connecting to your network!

NFC For Your Home Automation

January 30, 2020 by 26 Comments

If home automation in the IoT era has taught us anything, it is that no one wants to run wires. Many of us rent, so new cabling is not even an option, even if we wanted to go that route. If you want a unique sensor, you have to build your own, and [tmkThings] wanted an NFC scanner at his front door. Just like arriving at work, he scans his credentials, and the door unlocks automagically.

Inside a little white box, we find an ESP8266 speaking Wifi attached to a PN532 talking NFC, and both are familiar names on these pages. The code, which is available on GitHub, links up with IFTTT and MQTT. For the security-minded, we won’t see this on your front door, but you can trigger your imagination’s limit of events from playing your favorite jams at the end of the day to powering down all the televisions at bedtime.

NFC hacks are great because they are instantly recognizable and readers are inexpensive, but deadbolt hacking is delightful in our books.

Continue reading “NFC For Your Home Automation”

An Eight-Day Home Automation Hackathon Is Inspiration For Getting More Projects Done

January 24, 2020 by 11 Comments

There’s nothing quite like a deadline to cut through extras and get right at the heart of the problem. Maybe we should all follow Interpreet’s example and stop thinking about automating our homes and just make it in an eight-day hackathon. His talk at the 2019 Hackaday Superconference covers the zero-to-deployment home automation build he finished in the eight days leading up to his move from one continent to another.

Hackaday’s very own Inderpreet Singh found himself pulling up roots and moving from his home in India to teach at Centennial College in Toronto, Canada. He needed a way to keep an eye on his home from afar and the name of the game is IoT. When the only choice is “whatever works right now”, you can learn a lot about simple solutions.

He chose familiar hardware to work with, with the ESP8266 making up the bulk of the nodes and a Raspberry Pi as as a central hub for the setup. He chose to communicate between all the nodes on his system using WiFi because the hardware is robust and available. With security in mind, he keeps the automation system separate from the daily use WiFi system by grabbing an extra access point to serve as the automation network. The Raspberry Pi serves as a router of sorts; its Ethernet port is connected to the IoT device’s AP, while the onboard WiFi is used to connect to the home’s main AP for a connection to the wider Internet.

Software for the system is built on a REST API served by a Python Flask app. Many would advocate for using MQTT but Inderpreet’s testing with that protocol came up short as the broker he intended to use was no longer available. One of the interesting parts of his system design is that all nodes will check in at regular intervals; this allows them to inquire about actions they need to take, but it also allows the system to detect a malfunctioning node immediately. I’ve seen a similar trick used by Elliot Williams where he assigns a “ping” topic to all MQTT devices that causes them to report in with their IP address. Having a system to query and ensure the health of every node is a big tip to take away from this talk.

Continue reading “An Eight-Day Home Automation Hackathon Is Inspiration For Getting More Projects Done”

Modular Solar-Powered IoT Sensors

January 19, 2020 by 1 Comment

Bringing a product to market is not easy, if it were everyone would be doing it, and succeeding. The team at Pycno is in the process of launching their second product, a modular solar powered IoT unit called Pulse. It’s always interesting to get an inside look when a company is so open during the development process, and see how they deal with challenges.

Pycno’s first product was a solar powered sensor suite for crops. This time round they are keeping the solar part, but creating a modular system that can accept wired or wireless connections (2G/3G/4G, WiFi, LoRa, GPS and Bluetooth 5) or modules that slide into the bottom of the unit. They plan to open source the module design to allow other to design custom modules, which is a smart move since interoperability can be a big driving factor behind adoption. The ease of plugging in sensors is a very handy feature, since most non-Hackaday users would probably prefer to not open up expensive units to swap out sensors. The custom solar panel itself is pretty interesting, since it features an integrated OLED display. It consists of a PCB with the cutout for the display, with solar cells soldered on before the whole is laminated to protect the cells.

Making a product so completely modular also has some pitfalls, since it can be really tricky to market something able to do anything for anybody. However, we wish them the best of luck with their Kickstarter (video after the break) and look forward to seeing how the ecosystem develops.

When a large community develops around a modular ecosystem, it can truly grow beyond the originator’s wildest dreams. Just look at Arduino and Raspberry Pi. We’re also currently running a contest involving boards for the Feather form factor if you want to get in on the act. Continue reading “Modular Solar-Powered IoT Sensors”

Another IoT Debacle: Charter Offers Home Insecurity

January 18, 2020 by 38 Comments

If you are a glass-half-empty person, you’ll view Charter’s announcement that they will shutter their home security and smart home service on February 5th as another reason not to buy into closed-source IoT devices. If you are a glass-half-full person though, you’ll see the cable company’s announcement as a sign that a lot of Zigbee hardware will soon flood the surplus market. Ars Technica reports that after investigation it appears that some of the devices may connect to a standard Zigbee hub after a factory reset, but many others will definitely not.

As you might expect, users were less than thrilled. Especially those that shelled out thousands of dollars on sensors and cameras. This sort of thing might be expected if a company goes out of business, but Charter just doesn’t want to be in the home security business anymore.

Continue reading “Another IoT Debacle: Charter Offers Home Insecurity”

Apple HomeKit Accessory Development Kit Gets More Accessible

December 27, 2019 by 6 Comments

Every tech monopoly has their own proprietary smart home standard; how better to lock in your customers than to literally build a particular solution into their homes? Among the these players Apple is traditionally regarded as the most secretive, a title it has earned with decades of closed standards and proprietary solutions. This reputation is becoming progressively less deserved when it comes to HomeKit, their smart home gadget connectivity solution. In 2017 they took a big step forward and removed the need for a separate authentication chip in order to interact with HomeKit. Last week they took another and released a big chunk of their HomeKit Accessory Development Kit (ADK) as well. If you’re surprised not to have heard sooner, that might be because it was combined the the even bigger news about Apple, Amazon, the Zigbee Alliance, and more working together on more open, interoperable home IoT standards. Check back in 2030 to see how that is shaping up.

“The HomeKit ADK implements key components of the HomeKit Accessory Protocol (HAP), which embodies the core principles Apple brings to smart home technology: security, privacy, and reliability.”
– A descriptive gem from the README

Apple’s previous loosening-of-restrictions allowed people to begin building devices which could interact natively with their iOS devices without requiring a specific Apple-sold “auth chip” to authenticate them. This meant existing commercial devices could become HomeKit enabled with an OTA, and hobbyists could interact in sanctioned, non-hacky ways. Part of this was a release of the (non-commercial) HomeKit specification itself, which is available here (with Apple developer sign in, and license agreement).

Despite many breathless mentions in the press release it’s hard to tell what the ADK actually is. The README and documentation directory are devoid of answers, but spelunking through the rest of the GitHub repo gives us an idea. It consists of two primary parts, the HomeKit Accessory Protocol itself and the Platform Abstraction Layer. Together the HAP implements HomeKit itself, and the PAL is the wrapper that lets you plug it into a new system. It’s quite a meaty piece of software; the HAP’s main header is a grueling 4500 lines long, and it doesn’t take much searching to find some fear-inspiring 50 line preprocessor macros. This is a great start, but frankly we think it will take significantly more documentation to make the ADK accessible to all.

If it wasn’t obvious, most of the tools above are carefully licensed by Apple and intended for non-commercial use. While we absolutely appreciate the chance to get our hands on interfaces like this, we’re sure many will quibble over if this really counts as “open source” or not (it’s licensed as Apache 2.0). We’ll leave that for you in the comments.

Amazon Ring: Neighbors Leaking Data On Neighbors

December 21, 2019 by 31 Comments

For a while now a series of stories have been circulating about Amazon’s Ring doorbell, an Internet-connected camera and entry system that lets users monitor and even interact with visitors and delivery people at their doors. The adverts feature improbable encounters with would-be crooks foiled by the IoT-equipped homeowner, but the stories reveal a much darker side. From reports of unhindered access by law enforcement to privately-held devices through mass releases of compromised Ring account details to attackers gaining access to children via compromised cameras, it’s fair to say that there’s much to be concerned about.

One cause for concern has been the location data exposed by the associated Amazon Neighbors crowd-sourced local crime paranoia app, and for those of us who don’t live and breathe information security there is an easy-to-understand Twitter breakdown of its vulnerabilities from [Elliot Alderson] that starts with the app itself and proceeds from there into compromising Ring accounts by finding their passwords. We find that supposedly anonymized information in the app sits atop an API response with full details, that there’s no defense against brute-forcing a Ring password, and that a tasty list of API and staging URLs is there for all to see embedded within the app. Given all that information, there’s little wonder that the system has proven to be so vulnerable.

As traditional appliance makers have struggled with bringing Internet connectivity into their products there have been a few stories of woeful security baked into millions of homes. A defense could be made that a company with roots outside the Internet can be forgiven for such a gaffe, but in the case of Amazon whose history has followed that of mass Web adoption and whose infrastructure lies behind so much of the services we trust, this level of lax security is unforgivable. Hackaday readers will be aware of the security issues behind so-called “smart” devices, but to the vast majority of customers they are simply technological wonders that are finally delivering a Jetsons-style future. If some good comes of these Ring stories it might be that those consumers finally begin to wake up to IoT security, and use their new-found knowledge to demand better.

Header image: Ring [CC BY-SA 4.0]