A team of researchers were able to unlock and start the ignition of Volkswagen cars with just $40 of electronic components.
The post Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability appeared first on Make: DIY Projects and Ideas for Makers.
A team of researchers were able to unlock and start the ignition of Volkswagen cars with just $40 of electronic components.
The post Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability appeared first on Make: DIY Projects and Ideas for Makers.
[Ido Gendel] was thinking about new and interesting ways to send data between devices, when he realized that the answer was right in his hand. Literally: he decided to try sending data using the mouse pointer. What he came up with was an interesting hack that uses small movements of the mouse pointer to send data at up to 1200bps, or about 150 bytes per second.
The way he did this was very, very clever. He used an Arduino Leonardo that is set to emulate a mouse, working alongside his existing mouse. This setup means that he can use his existing mouse: the system just sees the Arduino as a second mouse, and the pointer just looks a little jerky when you zoom in. That is because the Arduino is just sending tiny movements, each of which is a code that represents a nybble (4 binary bits) of data. By using both a combination of three left-right or up-down movements, he was able to create 16 movements, each of which can encode 4 bits of data. Each of these encoding movements also returns the mouse to its origin point, so the mouse doesn’t mysteriously scroll off the screen when data is being sent.
![The encoding scheme used by [Ido].](https://hackadaycom.files.wordpress.com/2015/08/encoding2.jpg)
Of course, this isn’t a practical way of sending secret data: it only works when the custom program is active, 150 bytes per second is rather slow and enabling mouse acceleration in Windows stops it working because it masks the small movement. But it is an awesome hack that shows how you can send data in ways that you might not first think of. When you are trying to make a device as simple as possible, this is an important lesson to learn.
Use an Apple Watch to automagically open doors at home or at work with a tap on your wrist.
The post Make an Apple Watch Door Unlocker appeared first on Make: DIY Projects, How-Tos, Electronics, Crafts and Ideas for Makers.
Riding a bike can be fun, great exercise, and, if you live in a city conducive to it, a great mode of transportation. According to author Scott Bennett who lives in Vancouver BC, Canada, a city with a high bike theft rate, he “wanted to have some peace of mind […]
The post Secure and Track Your Bike with this Arduino-Based GPS Lock appeared first on Make:.
Bruce Sterling went to Thingscon conference with a keynote about Casa Jasmina and then published the following essay.
—————-
This is the third of my Casa Jasmina essays. It’s about the recent “ThingsCon” conference in Berlin, May 2015.
This remarkable event was the second “ThingsCon,” a new gathering which makes itself useful to the European hardware startup scene, especially “connected products” designers and builders from Berlin and London. “ThingsCon” took place in Berlin’s “Culture Brewery,” which is a huge, defunct beer factory, currently re-zoned for theaters, bars, restaurants and design retail.
Anybody who has seen the Garrone Foundry (which houses Toolbox Co-Working, Fab Lab Torino and Casa Jasmina), would surely recognize the “Culture Brewery.” It’s the same European story: the old industrial hulk remade for today’s culture-industry. So we found the ThingsCon venue to be pretty cozy, even though the stairs are of odd sizes, the huge, lofty rooms don’t fit together properly, the events and workshops are on different floors and mysteriously distant from one another, and there was excellent beer everywhere and tiny, crooked bathrooms stuck nowhere in particular. There’s something fun about this steampunk disorganization — if you’ve built a weird open-source Internet-of-Things device out of glued plywood and steel rods, it really fits that atmosphere.
ThingsCon is not a Maker Faire for the general public, and attending it is not cheap. ThingsCon is aimed at designers, developers, engineers, entrepreneurs and similar stakeholder-types from the technology ecosystem. The presentations were full of practical wisdom about commercial tech-product development: scaring up funding money, allocating time and resources, packaging, promotion, marketing, founder exit-strategies, angel investment, the issues common to people who might like to sit down for a serious talk with, say, Intel.
The organizers of ThingsCon are Peter Bihr, Simon Hoher, Emanuel Schwarz, Max Kruger, Sonja Heinen, Alexandra Deschamps-Sonsino, Brady Forrest, Louisa Heinrich, and Marcel Schouwenaar. As conference organizers go, they won’t win any prizes for sleek efficiency. However when it comes to the Internet of Things, these activists know plenty. At ThingsCon you can learn a lot in a hurry.
So: now that we understand what ThingsCon is about and who ThingsCon is meant to please, let’s confront some of their native ThingsCon problems, because they have lots of interesting issues.
The guy who delivered the first ThingsCon opening keynote, Warren Ellis, really understands their pains. Warren Ellis is pretty well known as a comic book writer, film scriptwriter and novelist, but he was also in the brain-trust of BERG,the legendary and now-dead London interaction-design firm. Warren Ellis grasps the many thorny difficulties of modern connected-product design.
Ellis delivered a sardonically funny rant, warning designers, engineers and manufacturers about the fierce wrath of genuine consumers. Consumers — (they’re the people who are supposed to buy Internet-of-Things products) — are a fickle and treacherous group. Consumers are never grateful for the hard work of designers and technicians. On the contrary, consumers are suspicious, endlessly demanding of customer support, and they resent most things they buy. The Internet-of-Things is even worse than traditional consumer capitalism, because interactive products don’t just sit there, they are invasive and intimate. People treasure their homes as a safe space in a harsh, competitive world, and they feel emotionally wounded when anything in their house betrays them.
Warren Ellis is an intelligent and erudite man, and he was telling the crowd the truth, but they were all laughing nervously because they can’t really believe what he says. It’s all true, but it’s important to understand this and still have some courage about it. If you invent and manufacture something, and it’s a commercial success and ten million people buy the product, of course your life is going to change. You won’t be a “Maker” alone in a garage any more, you’ll be an Internet multimillionaire with customer-support issues. Warren Ellis is right to urge people to think these things through: you shouldn’t dabble in technology and business unless you’re ready to face the consequences of getting what you want.
Barriers to entry in manufacturing are collapsing, so the old lines between a do-it-yourself Maker and a commercial industrialist are blurring. But this doesn’t solve old problems, it just creates interesting new ones. This was the lesson conveyed by Tina Aspiala. Before ThingsCon 2015, I had never heard of Tina Aspiala. Thanks to ThingsCon, I will pay attention to Tina Aspiala from now on.
Tina, who achieved some success with a product of hers, has become a Kickstarter patroness. Tina Aspiala spends a lot of time on Kickstarter and likes to give people some crowdfunding money just to see what happens. She told the crowd that results were mixed. Kickstarter is a funding platform, but some people on Kickstarter are crooks, they’re Kickstarter embezzlers. Other people want to be honest, but they flee in terror when they realize what the real world expects from real design and manufacturing. Others just have bad luck with their Kickstarter: they really wanted to do the work, but they broke a leg, or Dad died, or there was a divorce… that mishap wouldn’t stop FIAT or General Electric, but it does stop the Kickstarter team because they are few in number, while FIAT and General Electric have thousands of personnel.
Many Kickstarter projects get built, despite the host of problems in shipping, supply chains, material costs and manufacturing — but that doesn’t end the story. The product might be workable, but just not much good. The product might do what is promised, but the thing that the product does is only interesting once or twice, not useful in daily life. It’s a “gonzo product” (in the term created by Alexandra Deschamps-Sonsino), because it physically works and it does something, but the thing it does is eccentric and weird, so it has no commercial potential or mass appeal.
Why do we have “gonzo products” nowadays? It’s because (as Tina Aspiala pointed out), cheap electronic components make new combinations easy. Projectors, motors, sensors, cameras, processors and various wireless connectivity chips are all drastically cheaper, so product development becomes like a card game, when any gambler can connect X with Y and add some Z, then hope for a jackpot payoff.
In the case of the Internet of Things, there are many possible inputs — dozens of sensors of all kinds — but very limited outputs, because most IoT gizmos can only do very limited things to get any human attention: they blink, or beep, or vibrate. Blinking, beeping, vibrating things that demand human attention can get pretty annoying. Clearly this is a major IoT problem. Tina Aspiala recommends trying to think this situation through with some design perspective, instead of just hacking more components and attaching them to breadboards with soldering irons. That’s a point of view that makes some sense, though, let’s face it, people are gonna want to do it the easy way.
ThingsCon abounded in talks and workshops, more than I can describe here, but the most interesting thing on offer at Thingscon 2015 was the “IOT Design Manifesto”. That’s why I’m placing the manifesto here in this post.
A manifesto is a sign of creative health. It’s not that I agree with the “IoT Design Manifesto” — on the contrary, if everybody agrees with a manifesto, then the manifesto is vapid and useless and hasn’t really said anything. Even a manifesto that’s completely wrong can be useful, because it motivates people to rebel and try something else. This manifesto is pretty good, in my opinion, because it’s kindly in tone and well-mannered, it confronts quite a few of the IoT’s real problems.
Even the first declarations, one and two, “We don’t believe the hype, we design useful things,” singles out the ThingsCon crowd as people who are skeptical and yet also trying to get something done. It’s a good attitude for a young industry. The other declarations are about about participation, security, privacy, data collection, association, personal agency, sustainability and humanity. These are some big, hairy issues which aren’t going to get solved in anybody’s lifetime. However, if you spend your life with the Internet of Things you’re going to be dealing with situations of that kind all the time. So, might as well get used to that prospect now.
The authors of this IoT Manifesto are Andrew Spitz, Ruben van der Vleuten, Marcel Schouwenaar, Harm van Beek, Kevin Verelst, Anner Tiete, Jan Belon, Marcel van Heist and Holly Robbins. Before I went to ThingsCon I’d never heard of any of those people, but they were right to do what they did, and I’ll be watching them with a lot more interest from now on. People tend to grow by the size of their chosen problems. These people have some pretty big problems.
I closed the ThingsCon event by asking the people there to help us with our house.
It’s a bit scary to open the faucet in this way: we don’t know if we’ll get a huge flood, or just a groan in the pipe and some dripping. If we get a lot of interest, Casa Jasmina will be crowded and noisy; if interest is more modest, we’ll try to concentrate on a few core issues. In our Internet-of-Things house, we’ll have to acquire some things, accept some things, build some things and maybe commission some things, too. The project has started deliberately, we have paced ourselves, but as the months pass, Casa Jasmina will slowly become a unique and interesting place, a true place of difference.
I wondered, in starting this project, who would ever really want to stay in such a place, and, having been to ThingsCon, I now have a much better idea about that. ThingsCon had about 300 people attending it — the “new hardware movement” are not a mass movement of millions — but those three hundred people are real people. They are bright and committed, and they really exist. If we understand them as our natural guests and we try to please them, I think we’ll do well.
Bruce Sterling
[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.
The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.
[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up Powershell and runs a one-liner command. Generally, this commend will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.
Protecting from this type off attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
Do it yourself garage door openers must be all the rage nowadays. We just got word of another take on this popular idea. [Giles] was commissioned by his friend to find a way to control the friend’s garage door using a smart phone. The request was understandable, considering the costly garage door remote and the fact that the buttons on the expensive remote tended to fail after a while. The inspiration for this project came from some YouTube videos of other similar projects. Those projects all paired an Arduino with a Bluetooth headset in order to control the door from a mobile phone. [Giles] understood that while this would get the job done, it wouldn’t be very secure. Bluetooth headsets typically connect to mobile phones using a four digit PIN. Many of them have known default PINs and even if the default is changed, it wouldn’t take very long to guess a four digit PIN. [Giles] knew he had to find a more secure way.
While WiFi was an option, [Giles] decided that having the garage door hooked up to the internet would likely be a security risk, even if it did offer some potential interesting use cases. He therefore opted to stick with Bluetooth, but decided to use the Seedstudio Bluetooth shield instead of a basic headset. The electronics are relatively simple. [Giles] simply plugged the Bluetooth shield into an Arduino Uno. [Giles] did have one problem with the Bluetooth shield though. The Bluetooth module did not accept many standard AT commands. He needed a way to force a disconnect of a mobile device if it failed authentication. After digging around, he discovered that the module had some extra exposed pads that he could likely use to accomplish that goal. The only problem was that they were expecting a 3.3V signal, and the Arduino works at 5V. The solution was simple. He setup a basic voltage divider using two resistors. This lowered the 5V signal from the Arduino to the required 3.3V. This provides the communication functionality to the mobile phone. He then realized that he could use a simple 12V automotive relay to control the garage door. To control the relay, he used the Freetronics relay control shield. The end result is a relatively simple stack of shields hooked up to a relay.
For the smart phone interface, [Giles] started out by trying to write a native Android application. Having little experience in Android development, he soon realized that it was going to take him longer than anticipated to get anything usable this way. He then decided to use SL4A. SL4A provides a scripting environment for Android and supports several different scripting languages. [Giles] was then able to write a Python script that can be executed on the smart phone. Many people would be tempted to write a really simple script that would just open the door and connect without any real thought about security. After all, this is a one-off obscure garage door opener. Security through obscurity! [Giles] is smarter than that. (more…)
After reading an April Fools joke we fell for, [Mortimer] decided to replicate this project that turns the common USB mouse into a powerful tool that can bring down corporations and governments. Actually, he just gave himself one-click access to Hackaday, but that’s just as good.
The guts of this modified mouse are pretty simple; the left click, right click, and wheel click of the mouse are wired up to three pins on an Arduino Pro Micro. The USB port of the ‘duino is configured as a USB HID device and has the ability to send keyboard commands in response to any input on the mouse.
Right now, [Mortimer] has this mouse configured that when the left click button is pressed, it highlights the address bar of his browser and types in http://www.hackaday.com. Not quite as subversive as reading extremely small codes printed on a mousepad with the optical sensor, but enough to build upon this project and do some serious damage to a computer.
Video of [Mort]‘s mouse below.
Normally, internet-controlled household devices are a cobbled together mashup of parts. This is great for a prototype, but if you’re looking for something that will last a decade in your garage, you’ll need something a little cleaner and more robust. [Phil]‘s Internet-enabled garage door opener is just that, replete with a custom-made enclosure for his Arduino powered system.
The main hardware for [Phil]‘s build is a Freetronix EtherTen, an Arduino clone with a built-in Ethernet interface. Aside from that, the electronics are simple: a relay, transistor, and diode provide the connection from the EtherTen to the garage door opener.
The software for this setup consists of a main file that sets up the web page, the serial monitor, and loops through the main program. There are a bunch of classes for initializing the web page, writing passwords to the EEPROM, activating the door, and setting the MAC and IP addresses.
Opening the door with this remote is a snap: with any WiFi enabled smartphone or tablet, [Phil] only needs to log onto his network, surf on over to the page hosted on the Arduino, and enter a password. From there, opening the door is just a press of a button. Passwords and other configuration settings cane be entered with MegunoLink. This software also includes a serial monitor to log who opened the door and when.
It’s an interesting and compact system, and handy to boot. You might sometimes forget your garage door opener, but we’re thinking if you ever find yourself without your phone, a closed garage door is the least of your problems.
Planet Arduino is, or at the moment is wishing to become, an aggregation of public weblogs from around the world written by people who develop, play, think on Arduino platform and his son. The opinions expressed in those weblogs and hence this aggregation are those of the original authors. Entries on this page are owned by their authors. We do not edit, endorse or vouch for the contents of individual posts. For more information about Arduino please visit www.arduino.cc
You are currently browsing the archives for the Security category.
Arduino Blog Make Magazine Blog Hackaday Electronics-Lab Noel Portugal CNX-Software Matthew Rollings Chris Debenham Techatronic Giasone John Boxall Arduino++ Adafruit Blog EngineeringException Mamaus's Blog Tinker Hobby Bits and Pieces Wayne and Layne NerdyTechy Liudr's Blog Steve Marple b7arduino Chipwired Embedded-Lab 
