Harmony Hub Hacked and Patched

When we say “hack” here we most often mean either modifying something to do something different or building something out of parts. But as we build more Internet-connected things, it is worthwhile to think about the other kind of hack where people gain unauthorized access to a system. For example, you wouldn’t think a remote control would be a big deal for hackers. But the Logitech Harmony Hub connects to the Internet and runs Linux. What’s more is it can control smart devices like door locks and thermostats, so hacking it could cause problems. FireEye’s Mandian Red Team set out to hack the Harmony and found it had a lot of huge security problems.

The remote didn’t check Logitech’s SSL certificate for validity. It didn’t have a secure update process. There were developer tools (an SSH server) left inactive in the production firmware and — surprisingly — the root password was blank! The team shared their findings with Logitech before publishing the report and the latest patch from the company fixes these problems. But it is instructive to think about how your Raspberry Pi project would fare under the same scrutiny.

In fact, that’s the most interesting part of the story is the blow-by-blow description of the attack. We won’t spoil the details, but the approach was to feed the device a fake update package that turned on a dormant ssh server. Although they started by trying to solder wires to a serial port, that wasn’t productive and the final attack didn’t require any of that.

We’ve looked at some ways to harden Linux systems like the Raspberry Pi before, but honestly, it is an ongoing battle. We’ve seen plenty of devices with cybersecurity holes in them — some not found by good guy hackers first.

Microsoft Secures IoT from the Microcontroller Up

Frustrated by the glut of unsecured IoT devices? So are Microsoft. And they’re using custom Linux and hardware to do something about it.

Microsoft have announced a new ecosystem for secure IoT devices called “Azure Sphere.” This system is threefold: Hardware, Software, and Cloud. The hardware component is a Microsoft-certified microcontroller which contains Microsoft Pluton, a hardware security subsystem. The first Microsoft-certified Azure Sphere chip will be the MediaTek MT3620, launching this year. The software layer is a custom Linux-based Operating System (OS) that is more capable than the average Real-Time OS (RTOS) common to low-powered IoT devices. Yes, that’s right. Microsoft is shipping a product with Linux built-in by default (as opposed to Windows Subsystem for Linux). Finally, the cloud layer is billed as a “turnkey” solution, which makes cloud-based functions such as updating, failure reporting, and authentication simpler.

Continue reading “Microsoft Secures IoT from the Microcontroller Up”

Unlock & Talk: Open Source Bootloader & Modem

During the early years of cell phones, lifespan was mainly limited by hardware (buttons wearing out, dropping phones, or water damage), software is a primary reason that phones are replaced today. Upgrades are often prompted by dissatisfaction with a slow phone, or manufacturers simply stopping updates to phone software after a few years at best. [Oliver Smith] and the postmarketOS project are working to fix the update problem, and have begun making progress on loading custom software onto cellphone processors and controlling their cellular modems. Continue reading “Unlock & Talk: Open Source Bootloader & Modem”

Pocket-Sized Workstation Sports Pi Zero, Pop-Up Screen

Many of us could use a general-purpose portable workstation, something small enough to pocket but still be ready for a quick troubleshooting session. Terminal apps on a smartphone will usually do the job fine, but they lack the panache of this pocketable pop-top Raspberry Pi workstation.

It doesn’t appear that [Michael Horne] has a specific mission in mind for his tiny Linux machine, but that’s OK — we respect art for art’s sake. The star of the show is the case itself, a unit intended for dashboard use with a mobile DVD player or backup camera. The screen is a 4.3″ TFT with a relatively low-resolution, so [Michael] wasn’t expecting too much from it. And he faced some challenges, like dealing with the different voltage needs for the display and the Raspberry Pi Zero W he intended to stuff into the base. Luckily, the display regulates the 12-volt supply internally to 3.3-volts, so he just tapped into the 3.3-volt pin on the Pi and powered everything from a USB charger. The display also has some smarts built in, blanking until composite video is applied, which caused a bit of confusion at first. A few case mods to bring connectors out, a wireless keyboard, and he had a nice little machine for whatever.

No interest in a GUI machine? Need a text-only serial terminal? We’ve seen that before too. And here’s one with a nice slide-out keyboard built in.

Continue reading “Pocket-Sized Workstation Sports Pi Zero, Pop-Up Screen”

Eavesdropping on a VGA Monitor’s Conversations

Did you ever wonder what your monitor and your computer are talking about behind your back? As it turns out, there’s quite a conversation going on while the monitor and the computer decide how to get along, and sniffing out VGA communications can reveal some pretty fascinating stuff about the I²C protocol.

To reverse engineer the configuration information exchanged between a VGA monitor and a video card, [Ken Shirriff] began by lopping a VGA cable in two. The inside of such cables is surprisingly complex, with separate shielding wires for each color and sync channel and a host of control wires, all bundled in multiple layers of shielding foil and braid to reduce EMI. [Ken] identified the clock and data lines used for the I²C interface and broke those out into a PocketBeagle for analysis using the tiny Linux machine’s I²C tools.

With a Python script to help decode the monitor’s Extended Display Identification Data (EDID) data, [Ken] was able to see everything the monitor knows about itself — manufacturer, serial number, all the supported resolution modes, and even deprecated timing and signal information left over from the days when CRTs ruled the desktop. Particularly interesting are the surprisingly limited capabilities of a VGA display in terms of color reproduction, as well as [Ken]’s detailed discussion on the I²C bus in general and how it works.

We always enjoy these looks under the hood that [Ken] is so good at, and we look forward to his reverse engineering write-ups. His recent efforts include a look at core memory from a 50-year old mainframe and reverse engineering at the silicon level.

Linux Fu: File Aliases, Links, and Mappings

Have you heard it said that everything in Linux is a file? That is largely true, and that’s why the ability to manipulate files is crucial to mastering Linux Fu.

One thing that makes a Linux filesystem so versatile is the ability for a file to be many places at once. It boils down to keeping the file in one place but using it in another. This is handy to keep disk access snappy, to modify a running system, or merely to keep things organized in a way that suits your needs.

There are several key features that lend to this versatility: links, bind mounts, and user space file systems immediately come to mind. Let’s take a look at how these work and how you’ll often see them used.

Continue reading “Linux Fu: File Aliases, Links, and Mappings”

Linux Fu: Regular Expressions

If you consider yourself a good cook, you may or may not know how to make a souffle or baklava. But there are certain things you probably do know how to do that form the basis of many recipes. For example, you can probably boil water, crack an egg, and brown meat. With Linux or Unix systems, you can make the same observation. You might not know how to set up a Wayland server or write a kernel module. But there are certain core skills like file manipulation and editing that will serve you no matter what you do. One of the pervasive skills that often gives people trouble is regular expressions. Many programs use these as a way to specify search patterns, usually in text strings such as files.

If you aren’t comfortable with regular expressions, that’s easy to fix. They aren’t that hard to learn and there are some great tools to help you. Many tools use regular expressions and the core syntax is the same. The source of confusion is that the details beyond core syntax have variations.

Let’s look at the foundation you need to understand regular expression well.

Continue reading “Linux Fu: Regular Expressions”