
Planet Arduino

Archive for the ‘Security’ Category

A little less than a month ago, I joined Arduino as their Chief Information Security Officer. I’ve been in touch with the team for the past couple of months and feel incredibly lucky to be part of such a talented and driven group of people.

We’re working hard on developing a robust, well-rounded security program that fits our organisation and are busy improving our security posture across all departments. I am a true believer that it all starts with introducing a strong culture of security awareness — where employees feel confident and empowered to take action against security issues.

Today, I’m thrilled to announce the first release of Arduino’s Coordinated Vulnerability Disclosure (CVD) Policy.

We used some great references when putting it together and we’d like to give them a shout out here: HackerOne’s VDP guidelines, CEPS’ report on “Software Vulnerability Disclosure in Europe,” and the US DoJ Cyber Security unit’s VDP framework. We also took into consideration recent Senate testimony of experts in vulnerability disclosure on the role hackers can play in strengthening security, Dropbox’s announcement on protecting researchers and 18F’s own policy. I also want to publicly thank Amit Elazari Bar On, a doctoral law candidate (J.S.D.) at UC Berkeley School of Law and a Lecturer at UC Berkeley School of Information Master in Cybersecurity program, for her useful advice and for providing the amazing “#legalbugbounty” standardisation project.

We’re also happy to announce that all of the text in our policy is a freely copyable template. We’ve done this because we’d like to see others take a similar approach. We’ve put some effort into this across our teams and if you like what you see, please use it. Similarly, if you have improvements to suggest, we’d love to hear from you.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process aimed at mitigating/eradicating the potential negative impacts of vulnerabilities. It can be defined as “the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of vulnerabilities and their mitigation to various stakeholders, including the public.”

Figure 1: Relationships among actors in the CVD process. Source: “The CERT Guide to Coordinated Vulnerability Disclosure,” Software Engineering Institute, Carnegie Mellon University

Why is it important for us?

At Arduino, we consider the security of our systems and products a top priority. No technology is perfect, and Arduino believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered, as set out in this policy, so that we can fix them and keep our information safe.

If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

This policy describes how to send us vulnerability reports and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Where can I find it?

A copy of the policy is published on our Vulnerability Disclosure Policy page. The official document lives in GitHub. If you would like to comment or suggest a change to the policy, please open a GitHub issue.

Thank you for helping keep Arduino and our users safe!

— Gianluca Varisco

University of Birmingham researchers found two vulnerabilities that allow hackers to gain entry to almost all VW vehicles manufactured after 1995. A team of researchers were able to unlock and start the ignition of Volkswagen cars with just $40 of electronic components.

Read more on MAKE

The post Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability appeared first on Make: DIY Projects and Ideas for Makers.


[Ido Gendel] was thinking about new and interesting ways to send data between devices, when he realized that the answer was right in his hand. Literally: he decided to try sending data using the mouse pointer. What he came up with was an interesting hack that uses small movements of the mouse pointer to send data at up to 1200bps, or about 150 bytes per second.

The way he did this was very clever. He used an Arduino Leonardo set to emulate a mouse, working alongside his existing mouse. This setup means that he can keep using his existing mouse: the system just sees the Arduino as a second mouse, and the pointer only looks a little jerky when you zoom in. That is because the Arduino is sending tiny movements, each of which is a code that represents a nybble (4 binary bits) of data. By combining three left-right or up-down movements, he created 16 distinct gestures, each of which encodes 4 bits of data. Each of these encoding gestures also returns the mouse to its origin point, so the pointer doesn’t mysteriously wander off the screen while data is being sent.

Figure: The encoding scheme used by [Ido].
On the computer, a custom program detects and decodes this movement, recreating the stream of data. In his example, this is data from a photoresistor, but it could be anything from random data to the contents of a secret file.

Of course, this isn’t a practical way of sending secret data: it only works when the custom program is active, 150 bytes per second is rather slow and enabling mouse acceleration in Windows stops it working because it masks the small movement. But it is an awesome hack that shows how you can send data in ways that you might not first think of. When you are trying to make a device as simple as possible, this is an important lesson to learn.
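One defensive angle on the channel described above is to look for it in the host's own input-event stream. The following added example (not [Ido]'s code) runs that check over constructed relative-motion events; the pixel and rate thresholds are assumptions derived from the 1200 bps, three-moves-per-nybble, return-to-origin design the post describes.

```python
"""Spot a mouse-jitter covert channel like the one described above.

Added example, not [Ido]'s code. Events are constructed, not real captures:
(timestamp_s, device_id, dx, dy) relative-motion reports as a host could log
them for every attached pointing device. The post says a nybble is a burst of
three tiny movements that returns the pointer to its origin, at up to 1200 bps
(~300 nybbles/s), so a sender shows what a hand does not: tiny per-event
displacement, a sustained high event rate, and a cumulative position that
keeps landing back on its origin.
"""
from collections import defaultdict

MAX_TINY_PX = 2          # assumption: channel moves are 1-2 px per event
MIN_RATE_PER_S = 200.0   # 300 nybbles/s x 3 moves is far above 125 Hz polling
MIN_TINY_RATIO = 0.9     # nearly every event must be tiny
MIN_RETURN_RATIO = 0.15  # one origin return per 3 events expected (0.33)


def device_stats(events):
    """Per device: event count, events/s, tiny-move ratio and the share of
    events after which the cumulative displacement is exactly (0, 0)."""
    by_dev = defaultdict(list)
    for ts, dev, dx, dy in events:
        by_dev[dev].append((ts, dx, dy))
    stats = {}
    for dev, evs in by_dev.items():
        evs.sort()
        n = len(evs)
        span = evs[-1][0] - evs[0][0]
        x = y = tiny = returns = 0
        for _, dx, dy in evs:
            if abs(dx) <= MAX_TINY_PX and abs(dy) <= MAX_TINY_PX:
                tiny += 1
            x += dx
            y += dy
            if x == 0 and y == 0:
                returns += 1
        stats[dev] = {"events": n, "rate": n / span if span > 0 else 0.0,
                      "tiny_ratio": tiny / n, "return_ratio": returns / n}
    return stats


def suspicious_devices(events):
    """Device ids whose motion matches all three covert-channel signs."""
    return sorted(dev for dev, s in device_stats(events).items()
                  if s["rate"] >= MIN_RATE_PER_S
                  and s["tiny_ratio"] >= MIN_TINY_RATIO
                  and s["return_ratio"] >= MIN_RETURN_RATIO)


# Constructed sample: device 0 is a hand-moved mouse polled at 125 Hz drifting
# across the screen; device 1 is a sender emitting zero-sum bursts of three
# 1-2 px moves at 900 events/s, alternating between the x and y axes.
ZERO_SUM_BURSTS = [(1, 1, -2), (1, -2, 1), (2, -1, -1), (-1, -1, 2)]


def constructed_events():
    events = [(i / 125.0, 0, 4 + i % 7, -3 + i % 5) for i in range(60)]
    t = 0.0
    for i in range(40):                      # 40 nybbles from the sender
        for step in ZERO_SUM_BURSTS[i % len(ZERO_SUM_BURSTS)]:
            events.append((t, 1, step, 0) if i % 2 == 0 else (t, 1, 0, step))
            t += 1 / 900.0
    return events


if __name__ == "__main__":
    for dev, s in device_stats(constructed_events()).items():
        print(dev, s)
    print("suspicious:", suspicious_devices(constructed_events()))
```

Because the hand-moved mouse never lands back exactly on its starting point and its reports are several pixels each, only the sender is flagged; a real deployment would read events per device from the OS input layer rather than a constructed list.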


Filed under: Arduino Hacks, peripherals hacks

All photos taken by space150. Use an Apple Watch to automagically open doors at home or at work with a tap on your wrist.

Read more on MAKE

The post Make an Apple Watch Door Unlocker appeared first on Make: DIY Projects, How-Tos, Electronics, Crafts and Ideas for Makers.

Jun 03

Secure and Track Your Bike with this Arduino-Based GPS Lock

arduino, bicycle, bike, bike lock, lock, Security, Transportation

Riding a bike can be fun, great exercise, and, if you live in a city conducive to it, a great mode of transportation. According to author Scott Bennett who lives in Vancouver BC, Canada, a city with a high bike theft rate, he “wanted to have some peace of mind […]

Read more on MAKE

The post Secure and Track Your Bike with this Arduino-Based GPS Lock appeared first on Make:.

May 13

Casa Jasmina and Bruce Sterling at Thingscon 2015

arduino, bruce sterling, CasaJasmina, Featured, iot, privacy, Security, Thingscon


Bruce Sterling went to the Thingscon conference to give a keynote about Casa Jasmina and then published the following essay.

—————-

This is the third of my Casa Jasmina essays. It’s about the recent “ThingsCon” conference in Berlin, May 2015.

This remarkable event was the second “ThingsCon,” a new gathering which makes itself useful to the European hardware startup scene, especially “connected products” designers and builders from Berlin and London. “ThingsCon” took place in Berlin’s “Culture Brewery,” which is a huge, defunct beer factory, currently re-zoned for theaters, bars, restaurants and design retail.

Anybody who has seen the Garrone Foundry (which houses Toolbox Co-Working, Fab Lab Torino and Casa Jasmina), would surely recognize the “Culture Brewery.” It’s the same European story: the old industrial hulk remade for today’s culture-industry. So we found the ThingsCon venue to be pretty cozy, even though the stairs are of odd sizes, the huge, lofty rooms don’t fit together properly, the events and workshops are on different floors and mysteriously distant from one another, and there was excellent beer everywhere and tiny, crooked bathrooms stuck nowhere in particular. There’s something fun about this steampunk disorganization — if you’ve built a weird open-source Internet-of-Things device out of glued plywood and steel rods, it really fits that atmosphere.

ThingsCon is not a Maker Faire for the general public, and attending it is not cheap. ThingsCon is aimed at designers, developers, engineers, entrepreneurs and similar stakeholder-types from the technology ecosystem. The presentations were full of practical wisdom about commercial tech-product development: scaring up funding money, allocating time and resources, packaging, promotion, marketing, founder exit-strategies, angel investment, the issues common to people who might like to sit down for a serious talk with, say, Intel.

The organizers of ThingsCon are Peter Bihr, Simon Hoher, Emanuel Schwarz, Max Kruger, Sonja Heinen, Alexandra Deschamps-Sonsino, Brady Forrest, Louisa Heinrich, and Marcel Schouwenaar. As conference organizers go, they won’t win any prizes for sleek efficiency. However when it comes to the Internet of Things, these activists know plenty. At ThingsCon you can learn a lot in a hurry.

So: now that we understand what ThingsCon is about and who ThingsCon is meant to please, let’s confront some of their native ThingsCon problems, because they have lots of interesting issues.

The guy who delivered the first ThingsCon opening keynote, Warren Ellis, really understands their pains. Warren Ellis is pretty well known as a comic book writer, film scriptwriter and novelist, but he was also in the brain-trust of BERG, the legendary and now-dead London interaction-design firm. Warren Ellis grasps the many thorny difficulties of modern connected-product design.

Ellis delivered a sardonically funny rant, warning designers, engineers and manufacturers about the fierce wrath of genuine consumers. Consumers — (they’re the people who are supposed to buy Internet-of-Things products) — are a fickle and treacherous group. Consumers are never grateful for the hard work of designers and technicians. On the contrary, consumers are suspicious, endlessly demanding of customer support, and they resent most things they buy. The Internet-of-Things is even worse than traditional consumer capitalism, because interactive products don’t just sit there, they are invasive and intimate. People treasure their homes as a safe space in a harsh, competitive world, and they feel emotionally wounded when anything in their house betrays them.

Warren Ellis is an intelligent and erudite man, and he was telling the crowd the truth, but they were all laughing nervously because they can’t really believe what he says. It’s all true, but it’s important to understand this and still have some courage about it. If you invent and manufacture something, and it’s a commercial success and ten million people buy the product, of course your life is going to change. You won’t be a “Maker” alone in a garage any more, you’ll be an Internet multimillionaire with customer-support issues. Warren Ellis is right to urge people to think these things through: you shouldn’t dabble in technology and business unless you’re ready to face the consequences of getting what you want.

Barriers to entry in manufacturing are collapsing, so the old lines between a do-it-yourself Maker and a commercial industrialist are blurring. But this doesn’t solve old problems, it just creates interesting new ones. This was the lesson conveyed by Tina Aspiala. Before ThingsCon 2015, I had never heard of Tina Aspiala. Thanks to ThingsCon, I will pay attention to Tina Aspiala from now on.

Tina, who achieved some success with a product of hers, has become a Kickstarter patroness. Tina Aspiala spends a lot of time on Kickstarter and likes to give people some crowdfunding money just to see what happens. She told the crowd that results were mixed. Kickstarter is a funding platform, but some people on Kickstarter are crooks, they’re Kickstarter embezzlers. Other people want to be honest, but they flee in terror when they realize what the real world expects from real design and manufacturing. Others just have bad luck with their Kickstarter: they really wanted to do the work, but they broke a leg, or Dad died, or there was a divorce… that mishap wouldn’t stop FIAT or General Electric, but it does stop the Kickstarter team because they are few in number, while FIAT and General Electric have thousands of personnel.

Many Kickstarter projects get built, despite the host of problems in shipping, supply chains, material costs and manufacturing — but that doesn’t end the story. The product might be workable, but just not much good. The product might do what is promised, but the thing that the product does is only interesting once or twice, not useful in daily life. It’s a “gonzo product” (in the term created by Alexandra Deschamps-Sonsino), because it physically works and it does something, but the thing it does is eccentric and weird, so it has no commercial potential or mass appeal.

Why do we have “gonzo products” nowadays? It’s because (as Tina Aspiala pointed out), cheap electronic components make new combinations easy. Projectors, motors, sensors, cameras, processors and various wireless connectivity chips are all drastically cheaper, so product development becomes like a card game, when any gambler can connect X with Y and add some Z, then hope for a jackpot payoff.

In the case of the Internet of Things, there are many possible inputs — dozens of sensors of all kinds — but very limited outputs, because most IoT gizmos can only do very limited things to get any human attention: they blink, or beep, or vibrate. Blinking, beeping, vibrating things that demand human attention can get pretty annoying. Clearly this is a major IoT problem. Tina Aspiala recommends trying to think this situation through with some design perspective, instead of just hacking more components and attaching them to breadboards with soldering irons. That’s a point of view that makes some sense, though, let’s face it, people are gonna want to do it the easy way.

ThingsCon abounded in talks and workshops, more than I can describe here, but the most interesting thing on offer at Thingscon 2015 was the “IOT Design Manifesto”. That’s why I’m placing the manifesto here in this post.

A manifesto is a sign of creative health. It’s not that I agree with the “IoT Design Manifesto” — on the contrary, if everybody agrees with a manifesto, then the manifesto is vapid and useless and hasn’t really said anything. Even a manifesto that’s completely wrong can be useful, because it motivates people to rebel and try something else. This manifesto is pretty good, in my opinion, because it’s kindly in tone and well-mannered, it confronts quite a few of the IoT’s real problems.

Even the first declarations, one and two, “We don’t believe the hype, we design useful things,” singles out the ThingsCon crowd as people who are skeptical and yet also trying to get something done. It’s a good attitude for a young industry. The other declarations are about participation, security, privacy, data collection, association, personal agency, sustainability and humanity. These are some big, hairy issues which aren’t going to get solved in anybody’s lifetime. However, if you spend your life with the Internet of Things you’re going to be dealing with situations of that kind all the time. So, might as well get used to that prospect now.

The authors of this IoT Manifesto are Andrew Spitz, Ruben van der Vleuten, Marcel Schouwenaar, Harm van Beek, Kevin Verelst, Anner Tiete, Jan Belon, Marcel van Heist and Holly Robbins. Before I went to ThingsCon I’d never heard of any of those people, but they were right to do what they did, and I’ll be watching them with a lot more interest from now on. People tend to grow by the size of their chosen problems. These people have some pretty big problems.

I closed the ThingsCon event by asking the people there to help us with our house.

It’s a bit scary to open the faucet in this way: we don’t know if we’ll get a huge flood, or just a groan in the pipe and some dripping. If we get a lot of interest, Casa Jasmina will be crowded and noisy; if interest is more modest, we’ll try to concentrate on a few core issues. In our Internet-of-Things house, we’ll have to acquire some things, accept some things, build some things and maybe commission some things, too. The project has started deliberately, we have paced ourselves, but as the months pass, Casa Jasmina will slowly become a unique and interesting place, a true place of difference.

I wondered, in starting this project, who would ever really want to stay in such a place, and, having been to ThingsCon, I now have a much better idea about that. ThingsCon had about 300 people attending it — the “new hardware movement” are not a mass movement of millions — but those three hundred people are real people. They are bright and committed, and they really exist. If we understand them as our natural guests and we try to please them, I think we’ll do well.

Bruce Sterling


Jan 27

[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.

[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up PowerShell and runs a one-liner command. Generally, this command will create a file based on input received from a web site controlled by the attacker. The script might download a trojan, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.

Protecting against this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users not to plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.


Filed under: Arduino Hacks, security hacks
May 25

Arduino Garage Door Opener is Security Minded

arduino, arduino hacks, garage door opener, handshake, python, script, Security, sl4a


Do-it-yourself garage door openers must be all the rage nowadays. We just got word of another take on this popular idea. [Giles] was commissioned by his friend to find a way to control the friend’s garage door using a smart phone. The request was understandable, considering the costly garage door remote and the fact that the buttons on the expensive remote tended to fail after a while. The inspiration for this project came from some YouTube videos of other similar projects. Those projects all paired an Arduino with a Bluetooth headset in order to control the door from a mobile phone. [Giles] understood that while this would get the job done, it wouldn’t be very secure. Bluetooth headsets typically connect to mobile phones using a four digit PIN. Many of them have known default PINs, and even if the default is changed, it wouldn’t take very long to guess a four digit PIN. [Giles] knew he had to find a more secure way.

While WiFi was an option, [Giles] decided that having the garage door hooked up to the internet would likely be a security risk, even if it did offer some potentially interesting use cases. He therefore opted to stick with Bluetooth, but decided to use the Seeed Studio Bluetooth shield instead of a basic headset. The electronics are relatively simple. [Giles] simply plugged the Bluetooth shield into an Arduino Uno. [Giles] did have one problem with the Bluetooth shield though. The Bluetooth module did not accept many standard AT commands. He needed a way to force a disconnect of a mobile device if it failed authentication. After digging around, he discovered that the module had some extra exposed pads that he could likely use to accomplish that goal. The only problem was that they were expecting a 3.3V signal, and the Arduino works at 5V. The solution was simple. He set up a basic voltage divider using two resistors. This lowered the 5V signal from the Arduino to the required 3.3V. This provides the communication functionality to the mobile phone. He then realized that he could use a simple 12V automotive relay to control the garage door. To control the relay, he used the Freetronics relay control shield. The end result is a relatively simple stack of shields hooked up to a relay.

For the smart phone interface, [Giles] started out by trying to write a native Android application. Having little experience in Android development, he soon realized that it was going to take him longer than anticipated to get anything usable this way. He then decided to use SL4A. SL4A provides a scripting environment for Android and supports several different scripting languages. [Giles] was then able to write a Python script that can be executed on the smart phone. Many people would be tempted to write a really simple script that would just connect and open the door without any real thought about security. After all, this is a one-off obscure garage door opener. Security through obscurity! [Giles] is smarter than that.
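To make concrete what a handshake buys over a four-digit PIN, here is an added illustration in Python (not [Giles]'s script, and his actual scheme is not described in the excerpt): a nonce-based HMAC challenge-response where the controller drops the link after repeated failures, which is exactly the behaviour the forced-disconnect pad in the post is there to support. The shared key, message format and failure limit are assumptions.

```python
"""Challenge-response door handshake in place of a guessable four-digit PIN.

Added illustration, not [Giles]'s script: shared key, message format and the
failure limit are assumptions. DoorController plays the Arduino side (send a
random nonce, check the HMAC reply, drop the link after MAX_FAILURES bad
replies); the phone side is just phone_reply(), the SL4A script's job.
"""
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumption: force the Bluetooth disconnect after 3 bad replies


def phone_reply(key: bytes, nonce: bytes) -> bytes:
    """Phone -> controller: HMAC-SHA256(key, "open" || nonce), tied to this nonce."""
    return hmac.new(key, b"open" + nonce, hashlib.sha256).digest()


class DoorController:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None
        self.failures = 0
        self.connected = True
        self.door_opened = 0

    def challenge(self) -> bytes:
        """Controller -> phone: a fresh 128-bit random nonce starts a handshake."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify(self, reply: bytes) -> bool:
        """Exactly one reply per challenge; a wrong reply counts as a failure."""
        if not self.connected or self.nonce is None:
            return False
        expected = phone_reply(self.key, self.nonce)
        self.nonce = None                          # a captured reply cannot be replayed
        if hmac.compare_digest(expected, reply):   # constant-time comparison
            self.failures = 0
            self.door_opened += 1
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.connected = False                 # the forced disconnect from the post
        return False


def open_door(ctrl: DoorController, phone_key: bytes) -> bool:
    """One full exchange: nonce out, HMAC reply back, verdict."""
    return ctrl.verify(phone_reply(phone_key, ctrl.challenge()))


def run_demo() -> dict:
    """Constructed scenario; every value should be True."""
    key, wrong = b"constructed-shared-secret", b"wrong-key"
    ctrl = DoorController(key)
    result = {"owner_opens": open_door(ctrl, key)}
    result["intruder_fails"] = all(not open_door(ctrl, wrong) for _ in range(MAX_FAILURES))
    result["link_dropped"] = not ctrl.connected
    result["owner_blocked_after_drop"] = not open_door(ctrl, key)
    fresh = DoorController(key)
    captured = phone_reply(key, fresh.challenge())
    result["first_use_ok"] = fresh.verify(captured)
    fresh.challenge()                              # new nonce, old reply is stale
    result["replay_rejected"] = not fresh.verify(captured)
    return result


if __name__ == "__main__":
    for step, ok in run_demo().items():
        print(f"{step}: {ok}")
```

With a 128-bit nonce and a 256-bit MAC there is nothing to guess in ten thousand tries, and a reply sniffed from the air is useless against the next challenge.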

Mar
31

A Real Malware In A Mouse

arduino hacks, mouse, peripherals hacks, Security


After reading an April Fools joke we fell for, [Mortimer] decided to replicate this project that turns the common USB mouse into a powerful tool that can bring down corporations and governments. Actually, he just gave himself one-click access to Hackaday, but that’s just as good.

The guts of this modified mouse are pretty simple; the left click, right click, and wheel click of the mouse are wired up to three pins on an Arduino Pro Micro. The USB port of the ‘duino is configured as a USB HID device and has the ability to send keyboard commands in response to any input on the mouse.

Right now, [Mortimer] has this mouse configured so that when the left click button is pressed, it highlights the address bar of his browser and types in http://www.hackaday.com. Not quite as subversive as reading extremely small codes printed on a mousepad with the optical sensor, but enough to build upon this project and do some serious damage to a computer.

Video of [Mort]’s mouse below.


Filed under: Arduino Hacks, peripherals hacks

