Homemade Scrapyard Security Mech Gives Uncle Super Powers

[Handy Geng] is back again with another bonkers build that we just can’t not cover. His Uncle came to visit the workshop one day and said he’d love to go there every day, and could even watch over it when [Handy Geng] was away. But being an older chap and needing a stick to get around, he would not be much use if ‘bad guys’ decided to pay a visit. The obvious solution was to build a ride-on security mech (video, embedded below) that Uncle could use to defend the shop from bandits.

The build starts with him unloading a large pair of tracked wheel units from his truck, which caused a chuckle around these parts when we tried to imagine the scrap yard he’d just visited! The build video is more of a spot-weld-cum-assembly log, with the less interesting sub-assembly construction omitted. If he’d included all the details, this video would have been hours long. Though, we’d probably watch that anyway.

Features of the final construction include, but are not limited to, dual motors for on-the-spot turns, night-time patrol lights, dual pneumatic fists for attack mode, dual water cannons for a more gentle approach, and rear-facing speakers blasting out Chinese opera for the ultimate deterrent. Practical touches include an integrated glasses case for the ready-readers, and a walking cane holder, so the mech was Uncle-ready. He seemed impressed, judging from the grin on his face!

Hackaday Links: December 12, 2021

It looks as though the Mars Ingenuity flight team is starting to press the edge of the envelope a bit. The tiny rotorcraft, already 280-something sols into a mission that was only supposed to last for about 30 sols, is taking riskier flights than ever before, and things got particularly spicy during flight number 17 this past week. The flight was a simple up-over-and-down repositioning of the aircraft, but during the last few meters of descent at its landing zone, Ingenuity dipped behind a small hill and lost line-of-sight contact with Perseverance. Without the 900-MHz telemetry link to the rover, operators were initially unable to find out whether the chopper had stuck the landing, as it had on its previous 16 flights. Thankfully, Perseverance picked up a blip of data packets about 15 minutes after landing that indicated the helicopter’s battery was charging, which wouldn’t be possible if the craft were on its side. But that’s it as far as flight data, at least until they can do something about the LOS problem. Whether that involves another flight to pop up above the hill, or perhaps even repositioning the rover, remains to be decided.

Thinking up strong passwords that are memorable enough to type when they’re needed is never easy, and probably contributes more to the widespread use of “P@$$w0rD123” and the like than just about anything. But we got a tip on a method the musically inclined might find useful — generating passwords using music theory. It uses standard notation for chords to come up with a long, seemingly random set of characters, like “DMaj7|Fsus2|G#9”. It’s pretty brilliant, especially if you’ve got the musical skills to know what that would sound like when played — the rest of us can click here to find out. But since we can’t carry a tune in a bucket, we’ll just stick with the “correct horse battery staple” method.

Looks like you can only light so many roofs on fire before somebody starts to take an interest in what’s going on. At least that seems to be the case with Tesla, which is now under investigation by the US Securities and Exchange Commission for not keeping its shareholders and the public looped in on all those pesky solar array fires it was having back in the day. The investigation stems from a 2019 whistleblower complaint by engineer Steven Henkes, who claims he was fired by Tesla after pointing out that it really would be best not to light their customers’ buildings on fire with poorly installed solar arrays. It’s interesting that the current investigation has nothing to do with the engineering aspects of these fires, but rather the financial implications of disclosure. We discussed some of those problems before, which include dodgy installation practices and seem to focus on improperly torqued MC4 connectors.

Staying with the Tesla theme, it looks like the Cybertruck is going to initially show up as a four-motor variant. The silly-looking vehicle is also supposed to sport four-wheel steering, which will apparently make it possible to drive diagonally. We’ve been behind the wheel for nearly four decades at this point and can count on no hands the number of times diagonal driving would have helped, and while there might be an edge case we haven’t bumped into yet, we suspect this is more about keeping up with the competition than truly driving innovation. It seems like if they were really serious about actually shipping a product, they’d work on the Cybertruck windshield wiper problem first.

And finally, as I’m sure you’re all aware by now, our longtime boss Mike Szczys is moving on to greener pastures. I have to say the news came as a bit of a shock to me, since I’ve worked for Mike for over six years now. In that time, he has put me in the enviable position of having a boss I actually like, which has literally never happened to me before. I just thought I’d take the chance to say how much I appreciate him rolling the dice on me back in 2015 and giving me a chance to actually write for a living. Thanks, Mike, and best of luck with the new gig!

A DIY Biometric Device With Some Security Considerations

Biohacking projects are not new to Hackaday and it’s certainly a genre that really piques our interest. Our latest biohacking device comes courtesy of [Manivannan] who brings his flavor of a wearable biosensor with some security elements built-in through AWS.

The hardware is composed of some impressive components we have seen. He has an AD8232 electrocardiogram front end, the MAX30102 integrated pulse oximeter IC for determining blood oxygen and heart rate, and the ever-popular LM35 for measuring body temperature. Any of these chips would be perfect for your next DIY biosensor project, though you might try the MAX30205 body temperature sensor given its 0.1-degree Celsius accuracy. However, what really piqued our interest was the use of Microchip’s AVR-IoT WA Development Board. Now, we’ve talked about this board before and also mentioned you could probably do all the same things with an ESP-device, but perhaps now we get to see the board a bit more in action.

[Manivannan] walks the reader through the board’s setup and everything looks to be pretty straightforward. He ultimately rigged together a very primitive dashboard for viewing all his vitals in real-time, demonstrating how you could put together your own patient dashboard for remote monitoring of vitals or other sensor signals. He emphasizes that all this is powered through AWS, giving him some added security layers that are critical for protecting his data from unwanted viewers.

Though [Manivannan’s] security implementation doesn’t rise to the standard of medical devices, maybe it will serve as a case study in the growing open-source medical device movement.

How To Easily Set Up Secure OTA Firmware Updates On ESP32

After an electronic IoT device has been deployed into the world, it may be necessary to reprogram or update it. But if physical access to the device (or devices) is troublesome or no longer possible, that’s a problem.

OTA updates allow a device to download new firmware, install it, and reboot itself into the new version. Convenient? Yes. Secure? It definitely needs to be.

Fortunately, over-the-air (OTA) firmware updates are a thing, allowing embedded devices to be reprogrammed over their wireless data connection instead of with a physical hardware device. Security is of course a concern, and thankfully [Refik] explains how to set up a basic framework so that ESP32 OTA updates can happen securely, allowing one to deploy devices and still push OTA updates in confidence.

[Refik] begins by setting up a web server using Ubuntu Linux, and sets up HTTPS using a free SSL certificate from Let’s Encrypt, but a self-signed SSL certificate is also an option. Once that is done, the necessary fundamentals are in place to support deploying OTA updates in a secure manner. A bit more configuration, and the rest is up to the IoT devices themselves. [Refik] explains how to set things up using the esp32FOTA library, but we’ve also seen other ways to make OTA simple to use.

You can watch a simple secure OTA firmware update happen in the video, embedded below. There are a lot of different pieces working together, so [Refik] also provides a second video for those viewers who prefer a walkthrough to help make everything clear. Watch them both, after the break.

Flaw In AMD Platform Security Processor Affects Millions Of Computers

Another day, another vulnerability. This time, it’s AMD’s turn, with a broad swathe of its modern CPU lines falling victim to a dangerous driver vulnerability that could leave PCs open to all manner of attacks.

As reported by TechSpot, the flaw is in the driver for AMD Platform Security Processor (PSP), and could leave systems vulnerable by allowing attackers to steal encryption keys, passwords, or other data from memory. Today, we’ll take a look at what the role of the PSP is, and how this vulnerability can be used against affected machines.

Adversarial Makeup: Your Contouring Skills Could Defeat Facial Recognition

Facial recognition is everywhere these days. Cloud servers churn through every picture uploaded to social media, phone cameras help put faces to names, and CCTV systems are being used to trace citizens in their day-to-day lives. You might want to dodge this without arousing suspicion, just for a little privacy now and then. As it turns out, common makeup techniques can help you do just that.

In research from a group at the Ben-Gurion University of the Negev, the team trialled whether careful makeup contouring techniques could fool a facial recognition system. There are no wild stripes or dazzle patterns here; these techniques are about natural looks and are used by makeup artists every day.

The trick is to use a surrogate facial recognition system and a picture of the person who intends to evade. Digital techniques are used to alter the person’s appearance until it fools the facial recognition system. This is then used as a guide for a makeup artist to recreate using typical contouring techniques.

The theory was tested with a two-camera system in a corridor. When wearing no makeup, the individual was identified correctly in 47.57% of frames in which a face was detected. With random makeup, this dropped to 33.73%; however, with the team’s intentionally-designed makeup scheme applied, the attacker was identified in just 1.22% of frames.

The attack relies on having a good surrogate of the facial recognition system one wishes to fool. Otherwise, it’s difficult to design natural-look makeup that fools the system. However, it goes to show the power of contouring to completely change one’s look, both in front of humans and the machines!

Facial recognition remains a controversial issue, but nothing is stopping its rollout across the world. Indeed, your facial profile may already be out there.

The Postmortem Password Problem

Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.

A Bad Solution

Let’s start with the simplest solution: using the same password everywhere. Great, all you need to do is put this on a Post-it note, stuff it in an envelope, and let someone know where to find it. Unfortunately, using a single password for many services is a terrible idea. Password breaches happen, and if you’re using a single password across the internet, they can be disastrous.

Password breaches are usually the result of an attacker finding a vulnerability that allows reading password data from an application’s database. Odds are high that your information has been leaked in one of these breaches. You can check if your email is on a list of known breaches with Have I Been Pwned. Don’t feel bad if you’ve been pwned, my email shows up on six different breaches, and this service only indexes publicly known breaches!

Depending on the competency of the company that was breached, your password may have been stolen in a few different formats. In the worst case, the passwords were stored as-is (i.e., cleartext), and the breach contains your actual password. Nowadays, storing passwords in cleartext is never considered acceptable. A hash of the password is stored instead. Attackers need to use a tool like hashcat to try to recover the passwords via brute force hash cracking. This is slow for complex passwords, but is always getting faster as GPUs improve.

So we really need to use different passwords everywhere, or our Tumblr account from 2013 could give access to our bank account. Given the large number of services we use and our inability to remember passwords, we’re going to need to use a password manager.