IoT

318 Articles

Extra-Large Denial Of Service Attack Uses DVRs, Webcams

September 26, 2016 by 46 Comments

Brace yourselves. The rest of the media is going to be calling this an “IoT DDOS” and the hype will spin out of control. Hype aside, the facts on the ground make it look like an extremely large distributed denial-of-service attack (DDOS) was just carried out using mostly household appliances (145,607 of them!) rather than grandma’s old Win XP system running on Pentiums.

Slide from <a href="http://slideplayer.org/slide/906693/">this talk</a> by Lisa Plesiutschnig
Replace computers with DVRs. Slide from this talk by Lisa Plesiutschnig

We can argue all day about whether a digital video recorder (DVR) or an IP webcam is an “IoT” device and whether this DDOS attack is the biggest to date or merely among them, but the class of devices exploited certainly are not traditional computers, and this is a big hit. Most of these devices run firmware out of flash, and it’s up to the end user (who is not a sysadmin) to keep it up to date or face the wrath of hackers. And it’s certainly the case that as more Internet-facing devices get deployed, the hacker’s attack surface will grow.

Why did the DDOS network use these particular devices? We’re speculating, but we’d guess it’s a combination of difficult-to-update firmware and user “convenience” features like uPnP. To quote the FBI “The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication.” You can see how this would be good for both the non-tech-savvy and hostile attackers, right? (Turn off UPnP on your router now.)

We alternate between Jekyll and Hyde on the IoT. On one hand, we love having everything in our own home hooked up to our local WiFi network and running on Python scripts. On the other hand, connecting each and every device up to the broader Internet and keeping it secure would be a system administration headache. Average users want the convenience of the latter without having to pay the setup and know-how costs of the former. Right now, they’re left out in the cold. And their toasters are taking down ISPs.

Hackaday Prize Entry: Theia IoT Light-switch

September 24, 2016 by 17 Comments

There are it seems no wireless-enabled light switches available in the standard form factor of a UK light switch. At least, that was the experience of [loldavid6], when he decided he needed one. Also, none of the switches he could find were open-source, or easy to integrate with. So he set out to design his own, and the Theia IoT light switch is the result.

In adapting a standard light switch, he was anxious that his device would not depend on the position of the switch for its operation. Therefore he had to ensure that the switch became merely an input to whichever board he designed, rather than controlling the mains power. He settled upon the ESP8266 wireless-enabled microcontroller as the brains of the unit, with a relay doing the mains switching. He first considered using an LNK304 off-line switching PSU chip to derive his low voltages, but later moved to an off-the-shelf switch-mode board.

So far two prototype designs have been completed, one for each power supply option. Boards have been ordered, and he’s now in the interminable waiting period for international postage. All the KiCad and other files are available for download o the project’s hackaday.io page, so you can have a look for yourselves if you are so inclined.

You might ask why another IoT light switch might be needed. But even though they are now available and inexpensive, there is still a gap for a board that is open, and more importantly does not rely on someone else’s cloud backend. Plus, of course, this board can be used for more than lighting.

Light bulb image: Осадчая Екатерина (Own work) [CC BY-SA 4.0], via Wikimedia Commons.

The HackadayPrize2016 is Sponsored by:

Finding ESP8266 Inside Big-Box Store IoT Plugs

September 23, 2016 by 44 Comments

When we buy new shiny toys, we usually open them up to at least have a look. [Scott Gibson] does the same, apparently. He found an ESP8266 module inside the EcoPlug brand WiFi-controlled wall switches.

The original device was intended to be controlled by a (crappy) app. He sniffed the UDP packets enough to send the on-off signals to an unmodified device, but where’s the fun in that? [Scott] gave it an upgrade by replacing the ESP8266’s firmware with his own and now he’s got a much more capable remote switch, one that speaks MQTT like the rest of his home automation system.

Continue reading “Finding ESP8266 Inside Big-Box Store IoT Plugs”

How To Run A Pagekite Server To Expose Your Raspberry Pi

September 21, 2016 by 9 Comments

Last time I showed you how to expose a web service on a Raspberry Pi (or, actually, any kind of device) by using a reverse proxy from Pagekite. On your Pi, you just need a simple Python script. However, it also depends on the Pagekite server, which isn’t always convenient. There are limits to the free service, and you don’t control the entire thing. The good news is twofold: the same Python script you use to set up the client-side can also set up a server. The other good news is the entire thing is open source.

In practical terms, then, if you have a computer that is always on and has an IP address that can be found on the public internet, you can run your own Pagekite server (they call it a front end) and service your own backends.

Continue reading “How To Run A Pagekite Server To Expose Your Raspberry Pi”

Expose Your Raspberry Pi On Any Network

September 20, 2016 by 42 Comments

Everyone’s talking about the Internet of Things (IoT) these days. If you are a long-time Hackaday reader, I’d imagine you are like me and thinking: “so what?” We’ve been building network-connected embedded systems for years. Back in 2003, I wrote a book called Embedded Internet Design — save your money, it is way out of date now and the hardware it describes is all obsolete. But my point is, the Internet of Things isn’t a child of this decade. Only the name is.

The big news — if you can call it that — is that the network is virtually everywhere. That means you can connect things you never would have before. It also means you get a lot of data you have to find a reason to use. Back in 2003, it wasn’t always easy to get a board on the Internet. The TINI boards I used (later named MxTNI) had an Ethernet port. But your toaster or washing machine probably didn’t have a cable next to it in those days.

Today boards like the Raspberry Pi, the Beagle Bone, and their many imitators make it easy to get a small functioning computer on the network — wired or wireless. And wireless is everywhere. If it isn’t, you can do 3G or 4G. If you are out in the sticks, you can consider satellite. All of these options are cheaper than ever before.

The Problem

There’s still one problem. Sure, the network is everywhere. But that network is decidedly slanted at letting you get to the outside world. Want to read CNN or watch Netflix? Sure. But turning your computer into a server is a little different. Most low-cost network options are asymmetrical. They download faster than they upload. You can’t do much about that except throw more money at your network provider. But also, most inexpensive options expose one IP address to the world and then do Network Address Translation (NAT) to distribute service to local devices like PCs, phones, and tablets. What’s worse is, you share that public address with others, so your IP address is subject to change on a whim.

What do you do if you want to put a Raspberry Pi, for example, on a network and expose it? If you control the whole network, it isn’t that hard. You usually use some kind of dynamic DNS service that lets the Pi (or any computer) tell a well-known server its current IP address (see figure below).

Continue reading “Expose Your Raspberry Pi On Any Network”

Reverse Engineering And Networking The A/C Remote Control

September 8, 2016 by 19 Comments

IoT has become such an polarizing, overused term. But here it is in its essence: [zeroflow] had a thing (his airconditioner) and he needed to put it on the Internet.

For his contribution to this modern vernacular atrocity, he first had to build an IR debugging tool and reverse engineer the signals coming from the air conditioner’s remote. He wrote up a really good summary of the process, and worth reading. He loads up an IR library onto an Arduino and dumps the resulting 32 bits of information to his computer. In a process much like filling in the blanks on a word puzzle, he eventually determines which blocks of the data correspond to the remote’s different buttons.

Next he throws an array of IR LEDS and an ESP8266 onto a bit of protoboard. After writing some code, available on GitHub, he could set the temperature of his room from anywhere on the planet. We take it on faith that [zeroflow] has a compelling reason for doing so.

Bolstered by this success, he didn’t stop there. [Zeroflow] admits to having more than one thing on the Internet. Boom! Internet of things.

Asking The Security Question Of Home Automation

August 18, 2016 by 53 Comments

“Security” is the proverbial dead horse we all like to beat when it comes to technology. This is of course not unjust — we live in a technological society built with a mindset of “security last”. There’s always one reason or another proffered for this: companies need to fail fast and will handle security once a product proves viable, end users will have a harder time with setup and use if systems are secured or encrypted, and governments/law enforcement don’t want criminals hiding behind strongly secured systems.

This is an argument I don’t want to get bogged down in. For this discussion let’s all agree on this starting point for the conversation: any system that manages something of value needs some type of security and the question becomes how much security makes sense? As the title suggests, the technology du jour is home automation. When you do manage to connect your thermostat to your door locks, lights, window shades, refrigerator, and toilet, what type of security needs to be part of the plan?

Join me after the break for an overview of a few Home Automation security concerns. This article is the third in our series — the first asked What is Home Automation and the second discussed the Software Hangups we face.

These have all been inspired by the Automation challenge round of the Hackaday Prize. Document your own Automation project by Monday morning to enter. Twenty projects will win $1000 each, becoming finalists with a chance at the grand prize of $150,000. We’re also giving away Hackaday T-shirts to people who leave comments that help carry this discussion forward, so let us know what you think below.

Continue reading “Asking The Security Question Of Home Automation”