Hacking The Internet Of Things: Decoding LoRa

January 31, 2016 by Elliot Williams 20 Comments

Getting software-defined radio (SDR) tools into the hands of the community has been great for the development and decoding of previously-cryptic, if not encrypted, radio signals the world over. As soon as there’s a new protocol or modulation method, it’s in everyone’s sights. A lot of people have been working on LoRa, and [bertrik] at RevSpace in The Hague has done some work of his own, and put together an amazing summary of the state of the art.

LoRa is a new(ish) modulation scheme for low-power radios. It’s patented, so there’s some information about it available. But it’s also proprietary, meaning that you need a license to produce a radio that uses the encoding. In keeping with today’s buzzwords, LoRa is marketed as a wide area network for the internet of things. HopeRF makes a LoRa module that’s fairly affordable, and naturally [bertrik] has already written an Arduino library for using it.

So with a LoRa radio in hand, and a $15 RTL-SDR dongle connected to a laptop, [bertrik] got some captures, converted the FM-modulated chirps down to audio, and did a bunch of hand analysis. He confirmed that an existing plugins for sdrangelove did (mostly) what they should, and he wrote it all up, complete with a fantastic set of links.

There’s more work to be done, so if you’re interested in hacking on LoRa, or just having a look under the hood of this new modulation scheme, you’ve now got a great starting place.

“Hello Barbie” Not An IoT Nightmare After All

January 29, 2016 by Elliot Williams 25 Comments

Security researchers can be a grim crowd. Everything, when looked at closely enough, is insecure at some level, and this leads to a lot of pessimism in the industry. So it’s a bit of a shock to see a security report that’s filled with neither doom nor gloom.

We’d previously covered Somerset Recon’s initial teardown of “Hello Barbie” and were waiting with bated breath for the firmware dump and some real reverse engineering. Well, it happened and basically everything looks alright (PDF report). The Somerset folks desoldered the chip, dumped the flash ROM, and when the IDA-dust settled, Mattel used firmware that’s similar to what everyone else uses to run Amazon cloud service agents, but aimed at the “toytalk.com” network instead. In short, it uses a tested and basically sound firmware.

The web services that the creepy talking doll connected to were another story, and were full of holes that were being actively patched throughout Somerset’s investigation, but we were only really interested in the firmware anyway, and that looked OK. Not everything is horror stories in IoT security. Some stories do have a happy ending. Barbie can sleep well tonight.

Hacking A Coffee Machine

January 28, 2016 by Anool Mahidharia 19 Comments

The folks at Q42 write code, lots of it, and this implies the copious consumption of coffee. In more primitive times, an actual human person would measure how many cups were consumed and update a counter on their website once a day. That had to be fixed, obviously, so they hacked their coffee machine so it publishes the amount of coffee being consumed by itself. Their Jura coffee machine makes good coffee, but it wasn’t hacker friendly at all. No API, no documentation, non-standard serial port and encrypted EEPROM contents. It seems the manufacturer tried every trick to keep the hackers away — challenge accepted.

The folks at Q42 found details of the Jura encryption protocol from the internet, and then hooked up a Raspberry-Pi via serial UART to the Jura. Encryption consisted of taking each byte and breaking it up in to 4 bytes, with the data being loaded in bit positions 2 and 5 of each of the 4 bytes, which got OR’ed into 0x5B. To figure out where the counter data was stored by the machine in the EEPROM, they took a data dump of the contents, poured a shot of coffee, took another memory dump, and then compared the two.

Once they had this all figured out, the Raspberry-Pi was no longer required, and was replaced with the more appropriate Particle Photon. The Photon is put on a bread board and stuck with Velcro to the back of the coffee machine, with three wires connected to the serial port on the machine.

If you’d like to dig in to their code, checkout their GitHub repository. Seems the guys at Q42 love playing games too – check out 0h h1 and 0h n0.

Thanks [Max] for letting us know about this.

Finally, A Power Meter Without Nixies

January 22, 2016 by Dan Maloney 17 Comments

We’ve had quite a spate of home-brew energy meters on the tip line these days, and that probably reflects a deep inner desire that hackers seem to have to quantify their worlds. Functionally, these meters have all differed, but we’ve noticed a distinct stylistic trend toward the “Nixies and wood” look. Ironically, it is refreshing to see an energy meter with nothing but a spartan web interface for a change.

Clearly, [Tomasz Salwach] had raw data in mind as a design goal, and his Raspberry Pi-based meter delivers. After harvesting current sensing transformers from a bucket of defunct power meter PC boards, [Tomasz] calibrated them with a DIY oscilloscope and wired them and the voltage sensors up to an STM32 Nucleo development board. Data from the MCU goes to the Pi for processing and display as snazzy charts and GUI elements served internally. [Tomasz] was kind enough to include a link to his meter in his tip line post, but asked that we not share it publicly lest HaD readers love the Pi to death. But we can assure you that it works, and it’s kind of fun to peek in on the power usage of a house in Poland in real time.

It’s a nice project that does exactly what it set out to do. But if you missed the recent spate of Nixie-based displays, check out this front hallway meter or this one for a solar-power company CEO’s desk.

Shmoocon 2016: Z-Wave Protocol Hacked With SDR

January 16, 2016 by Mike Szczys 16 Comments

The first talk at 2016 Shmoocon was a great one. Joseph Hall and Ben Ramsey presented their work hacking Z-Wave, a network that has been gaining a huge market share in both consumer and industrial connected devices. EZ-Wave uses commodity Software Defined Radio to exploit Z-Wave networks. This is not limited to sniffing, but also used for control with the potential for mayhem.

Continue reading “Shmoocon 2016: Z-Wave Protocol Hacked With SDR” →

Internet Of Things In Five Minutes

January 8, 2016 by Elliot Williams 22 Comments

If you’re looking for the quickest way to go from zero to voice-controlled home automation system, you should spend five minutes checking out [Hari Wiguna]’s project on Hackaday.io where he connects up IoT gadgets and services into a functioning lightswitch. (Video below the break.)

[Hari] demonstrates how to set up a complex chain: Amazon Echo to IFTTT to Adafruit.io as a data broker, which is then polled by an ESP8266 unit in his home that controls his X10 setup. (Pshwew.) But each step along the way is designed to be nearly plug-and-play, so it’s really a lot like clicking Lego blocks together. [Hari]’s video is a nice overview.

There’s only one catch if you’re going to replicate this yourself: the X10 system that’s used for the last mile. Unless you have one of these setups already, you’re on your own for controlling the outlets that turn the lights on and off. For price and hackability, we suggest the common 433MHz wireless outlet switches and pairing them with cheap 433MHz transmitters, available at eBay for around $1. We’ve seen a lot of hacks of these systems — they’re quite common both in the US and Europe.

We’ve also covered [Hari]’s projects before: both his self-learning TV remote and a sweet Halloween hack. His video production skills are excellent. We’re in awe of how much info he crams into his YouTube videos.

Weightless IoT Hardware Virtually Unavailable

December 28, 2015 by Brandon Dunson 36 Comments

It has been over 2 years since we last mentioned the Weightless SIG and their claims of an IoT open standard chip with a 10 year battery life and 10km wireless range, all at a jaw dropping price of $2 per chip. There was a planned production run of the 3rd gen chips which I would suspect went to beta testers or didn’t make it into production since we didn’t hear anything else, for years.

Recently, a company called nwave began producing dev-kits using the Weightless Technology which you can see in the banner image up top. Although the hardware exists it is a very small run and only available to members of the development team. If you happen to have been on the Weightless mailing list when the Weightless-N SDK was announced there was an offer to get a “free” development board to the first 100 development members. I use bunny ears on free because in order to become a member of the developer team you have to pay a yearly fee of £900. Don’t abrasively “pffffft” just yet, if you happened to be one first 100 there was an offer for developers that came up with a product and submitted it back for certification to get their £900 refunded to them. It’s not the best deal going, but the incentive to follow through with a product is an interesting take.

Continue reading “Weightless IoT Hardware Virtually Unavailable” →