Friday Hack Chat: Security For IoT

Over the last few weeks, our weekly Hack Chats on hackaday.io have gathered a crowd. This week, we’re talking about the greatest threat humanity has ever faced: toasters with web browsers.

The topic of this week’s Hack Chat is Security for IoT, because someone shut down the Internet with improperly configured webcams.

This chat is hosted by the Big Crypto Team at the University of Pittsburgh. [Wenchen Wang], [Ziyue Sun], [Brandon Contino], and [Nick Albanese] will be taking questions about lightweight devices connected to the Internet. Discussion will include building things that connect to larger networks securely.

The Big Crypto team at UP is thinking about the roadblocks people face when implementing security in their projects, and whether apathy or ignorance is the main reason security isn’t even considered in the worst IoT offenders.

The Hack Chat is scheduled for Friday, February 24th at noon PST (20:00 GMT).

Here’s How To Take Part:

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging.

Log into Hackaday.io, visit that page, and look for the ‘Join this Project’ Button. Once you’re part of the project, the button will change to ‘Team Messaging’, which takes you directly to the Hack Chat.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Upcoming Hack Chats

These Hack Chats are becoming very popular, and that’s due in no small part to the excellent lineup of speakers we’ve hosted. Already, we’ve had [Lady Ada], [Sprite_tm], and [bunnie] — engineers, hackers, and developers who are at the apex of their field. We’re not resting on our laurels, though: in a few weeks we’ll be hosting Hack Chats with [Roger Thornton], an engineer with Raspberry Pi, and Fictiv, masters of mechanical manufacturing.

Monitor All The Laundry Things With This Sleek IoT System

If like us you live in mortal fear of someone breaking into your house when you’re on vacation and starting a dryer fire while doing laundry, this full-featured IoT laundry room monitor is for you. And there’s a school bus. But don’t ask about the school bus.

In what [seasider1960] describes as “a classic case of scope creep,” there’s very little about laundry room goings-on that escapes the notice of this nicely executed project. It started as a water sensor to prevent a repeat of a leak that resulted in some downstairs damage. But once you get going, why not go too far? [seasider1960] added current sensing to know when the washer and dryer are operating, as well as to tote up power usage. A temperature sensor watches the dryer vent and warns against the potential for the aforementioned tragedy by sounding an obnoxious local alarm — that’s where the school bus comes in. The whole system is also linked into Blynk for IoT monitoring, with an equally obnoxious alarm you can hear in the video below. Oh, and there are buttons for testing each alarm and for making an Internet note to reorder laundry supplies.

We’ve seen a spate of laundry monitoring projects lately, all of which have their relative merits. But you’ve got to like the fit and finish of [seasider1960]’s build. The stainless face plate and in-wall mount make for a sleek, professional appearance which is fitting with the scope-creepy nature of the build.


Hacking On The Weirdest ESP Module

Sometimes I see a component that’s bizarre enough that I buy it just to see if I can actually do something with it. That’s the case with today’s example, the ESP-14. At first glance, you’d ask yourself what AI Thinker, the maker of many of the more popular ESP8266 modules, was thinking.

The ESP-14 takes the phenomenally powerful ESP8266 chip and buries it underneath one of the cheapest microcontrollers around: the 8-bit STM8S003 “value line” chip. Almost all of the pins of the ESP chip are locked inside the RF cage’s metal tomb — only the power, bootloader, and serial TX/RX pins see the light of day, and the TX/RX pins are shared with the STM8S. The rest of the module’s pins are dedicated to the STM8S. Slaving the ESP8266 to an STM8S is like taking a Ferrari and wrapping it inside a VW Beetle.

I had never touched an STM8 chip before, and just wanted to see what I could do with this strange beast. In the end, ironically, I ended up doing something that wouldn’t be too far out of place on Alibaba, but with a few very Hackaday twists: a monitor for our washer and dryer that reports power usage over MQTT, programmed in Forth with a transparent WiFi serial bridge into the chip for interactive debugging without schlepping down into the basement. Everything’s open, tweakable, and the Forth implementation for the STM8S was even developed here on Hackaday.io.

It’s a weird project for the weirdest of ESP modules. I thought I’d walk you through it and see if it sparks you to come up with any alternative uses for the ESP8266-and-STM8S odd couple that is the ESP-14.


Printer Vulnerabilities Almost As Bad As IoT

Recently ZDNet and Gizmodo published articles outlining a critical flaw in a large array of personal printers. While the number of printers with this flaw is staggering, the ramifications are even more impressive. Ultimately, documents sent to any of these printers could be stolen, even if the document was only intended to be printed as a hard copy.

Luckily the people responsible for this discovery are white-hat in nature, and the release of this information has been made public so the responsible parties can fix the security flaws. Whether or not the “responsible party” is the manufacturer of the printer, though, is still somewhat unclear because part of the exploit takes advantage of a standard that is part of almost all consumer-grade printers. The standard itself may need to be patched.

Right now, however, it doesn’t seem clear exactly how deep the rabbit hole goes. We all remember the DDoS attack that was caused by Internet of Things devices that were poorly secured, and it seems feasible that networked printers could take some part in a similar botnet if a dedicated user really needed them. At the very least, however, your printed documents might not be secure at all, and you may be seeing a patch for your printer’s firmware in the near future.


Quick And Easy IoT Prototyping With Involt

IoT, web apps, and connected devices are all becoming increasingly popular. But, the market still resembles a wild west apothecary, and no single IoT ecosystem or architecture seems to be the one bottle of snake oil we’ll all end up using. As such, we hackers are keen to build our own devices, instead of risking being locked into an IoT system that could become obsolete at any time. But, building an IoT device and interface takes a wide range of skills, and those who are lacking skill in the dark art of programming might have trouble creating a control app for their shiny new connected-thing.

Enter Involt, which is a framework for building hardware control interfaces using HTML and CSS. The framework is built on Node-Webkit, which means the conventions should be familiar to those with a bit of web development background. Hardware interactions (on Arduinos) are handled with simple CSS classes. For example, a button might contain a CSS class which changes an Arduino pin from high to low.

Involt can take that CSS and convert it into a function, which is then sent to the Arduino via serial or Bluetooth communication. For more advanced functionality, JavaScript (or really any other language) can be used to define what functions are generated — and, in turn, sent to the Arduino. But, all that is needed for the basic functionality necessary for many IoT devices (which might only need to be turned on and off, or set to a certain value) is a bit of HTML and CSS knowledge. You’ll create both the interface and the underlying hardware interactions all within an HTML layout with CSS styling and functionality.

While Involt isn’t the only framework to simplify hardware interaction (it’s not even the only Node.js based method), the simplicity is definitely laudable. For those who are just getting started with these sorts of devices, Involt can absolutely make the process faster and less painful. And, even for those who are experienced in this arena, the speed and efficiency of prototyping with Involt is sure to be useful.

Popular Printers Pwned In Prodigious Page Prank

A new day dawns, and we have another story involving insecure networked devices. This time it is printers of all makes and descriptions that are causing the panic, as people are finding mystery printouts bearing messages such as this:

Stackoverflowin has returned to his glory, your printer is part of a botnet, the god has returned

Well that’s it then, you can’t argue with a deity, especially one who has apparently created a botnet from the world’s printing devices. Printer owners the world over are naturally worried about their unexpected arrival, and have appeared on support forums and the like to express their concern.

We are of course used to taking everything our printers tell us at face value. Low on ink? I hear you, my inanimate reprographic friend! But when our printer tells us it’s part of a botnet, perhaps it’s time to have a little think. It is entirely possible that someone could assemble a botnet of compromised printers, but in this case we smell a rat. Only in farcical crime dramas do crooks announce their crimes in such a theatrical fashion; you might say it’s the point of a botnet not to be detected by its host. Reading some of the reports, it seems that many of the affected systems have port 9100, the standard TCP printer port, open to the world. So it seems much more likely that someone has written a little script that looks for IP addresses with port 9100 open, and trolls them with this message.

The real message here is one with which we expect Hackaday readers will be very familiar, and which we’ve covered before. Many network connected appliances have scant regard for security, and are a relative push-over for an attacker. The solution is relatively straightforward to those of a technical inclination: be aware of which services your devices are exposing, lock down services such as UPnP, and close any open ports on your router. Unfortunately these steps are probably beyond many home users, whose routers remain with their default manufacturer’s settings for their entire lives. It’s a shame our printer troll didn’t add a link to basic router security tips.

If you want to have a little fun, some of the printed pages include an email address for ‘the god’. It would be fun to figure out who this is, right?

Dash With Arduino

Amazon Dash is a handy service, and when Amazon released their AWS IoT platform, [Brian Carbonette] felt that it left out all the hardware hackers from the tinkering fun. Seeking justice, he put together a guide for an Arduino Dash button aimed at hardware hackers and those who are still easing into the world.

For his build, [Carbonette] used an Arduino MKR1000, laying out a few different configuration options for building your button. He has also gone to great lengths to help all comers tackle the Arduino-Dash API communication process by building an AmazonDRS Arduino Library, which handles all the “boring details,” so you can focus on the hardware. With the warning that the software-side setup is tedious the first time around, [Carbonette] has included a detailed manual for setting up the aforementioned AmazonDRS library, some example code, and a breakdown thereof. He also suggests implementing other features — such as a notification if the item is out of stock on Amazon — to tie the project together.
