Posts with «announcements» label

Create Agent – Windows installer tampering while preserving Authenticode signature

Arduino Create Agent is a plug-in that was designed to help Arduino users connect their devices to the Arduino Create platform. The plug-in lets your browser communicate with your device’s serial port from a web application.  

We chose Bitrock’s InstallBuilder, a powerful and easy to use cross-platform installer creation tool, for generating the Arduino Create Agent installers (Windows, macOS, Linux). Those binaries are then served through our global CDN.

Yesterday, Bitrock published an important security advisory stating that Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. A specially crafted payload can be appended to an existing installer to trick the installer initialization code into executing code included in it, while the existing signature remains valid.
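An added example (not Arduino's or Bitrock's code): the Authenticode digest does not cover a PE file's certificate table, so this Python check parses a signed file and reports bytes stored in or after that table that are not part of the signature itself. It is a generic format check, not a description of how CVE-2019-5530 works; `build_sample` produces a constructed header skeleton with a placeholder signature, and the 7-byte padding threshold is an assumption.

```python
import struct


def der_total_length(blob: bytes) -> int:
    """Size of the outer DER SEQUENCE (header plus content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("signature blob is not a DER SEQUENCE")
    if blob[1] < 0x80:                          # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                          # long form: n length bytes follow
    if not 1 <= n <= 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes):
    """Return (file offset, size) of the certificate table; size 0 if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                         # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    if count <= 4:
        return 0, 0
    return struct.unpack_from("<II", pe, dirs + 4 * 8)   # directory index 4


def audit_signature_area(pe: bytes) -> dict:
    """Report bytes in or after the certificate table that are not signature data."""
    offset, size = security_directory(pe)
    report = {"signed": size > 0, "entries": [], "unparsed_bytes": 0,
              "trailing_bytes": 0, "suspicious": False}
    if not size:
        return report
    end = offset + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    report["trailing_bytes"] = len(pe) - end    # the table is expected to be last
    pos = offset
    while pos + 8 <= end:
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if dw_length < 8 or pos + dw_length > end:
            break                               # remainder is not a valid entry
        if cert_type == 0x0002:                 # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            blob = pe[pos + 8:pos + dw_length]
            report["entries"].append({"offset": pos, "slack": len(blob) - der_total_length(blob)})
        pos += (dw_length + 7) & ~7             # entries are 8-byte aligned
    report["unparsed_bytes"] = max(0, end - pos)
    # Up to 7 bytes of alignment padding is treated as normal (assumed threshold).
    report["suspicious"] = (report["trailing_bytes"] > 0
                            or report["unparsed_bytes"] > 7
                            or any(not 0 <= e["slack"] <= 7 for e in report["entries"]))
    return report


def build_sample(extra_in_entry: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed PE32 header skeleton with a placeholder (non-genuine) signature."""
    der = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)
    body = der + extra_in_entry
    body += bytes(-(8 + len(body)) % 8)         # pad entry to an 8-byte multiple
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    header = bytearray(b"MZ" + bytes(310))      # DOS + PE + COFF + optional header
    struct.pack_into("<I", header, 0x3C, 64)    # e_lfanew
    header[64:68] = b"PE\0\0"
    struct.pack_into("<H", header, 88, 0x10B)   # PE32 magic
    struct.pack_into("<I", header, 88 + 92, 16) # NumberOfRvaAndSizes
    struct.pack_into("<II", header, 88 + 96 + 32, len(header), len(cert))
    return bytes(header) + cert + trailing


if __name__ == "__main__":
    print(audit_signature_area(build_sample()))
    print(audit_signature_area(build_sample(extra_in_entry=b"A" * 64)))
```

A clean report only rules out these anomalies; it does not show that an installer is safe or that it was built with a fixed InstallBuilder version.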

The issue, originally reported to them by Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech), was addressed with an updated version of InstallBuilder so that all their customers could re-build and re-release their installers. CVE-2019-5530 has been assigned to this issue (CVSSv3 score of 6.7).

Once we were notified, and given the potential impact of this security issue, we worked around the clock to re-build and re-release our Agent’s Windows installer. Version 1.1.89 has now been released through our official channels.

Please note that all versions of the Windows installer before version 1.1.89 are vulnerable to CVE-2019-5530.

Because this issue can be exploited with existing binaries already released, we also want to remind all of you to only download installers from official sources.

If you have any questions regarding this security issue, or if you need any help with upgrading your installer, please do not hesitate to contact Arduino Support through e-mail at support@arduino.cc.

Arduino Blog 13 Aug 11:53

Chirp brings data-over-sound capabilities to your Arduino projects

We are excited to announce a new partnership with Chirp, a London-based company on a mission to simplify connectivity using sound. Chirp’s machine-to-machine communications software enables any device with a loudspeaker or microphone to exchange data via inaudible sound waves. 

Starting today, our Chirp integration will allow Arduino-powered projects to send and receive data wirelessly over sound waves, using just microphones and loudspeakers. Thanks to some compatible libraries included in the official Arduino Library Manager and in the Arduino Create — as well as further comprehensive documentation, tutorials and technical support — it will be easy for anyone to add data-over-sound capabilities to their Arduino projects.

Our new Nano 33 BLE Sense board, with a DSP-optimised Arm Cortex-M4 processor, will be the first board in the Arduino range with the power to transmit and receive Chirp audio signals leveraging the board’s microphone as a receiver. From now on, the Chirp SDK for Arduino will support the following boards in send-only mode: Arduino MKR Zero, Arduino MKR Vidor 4000, Arduino MKR Fox 1200, Arduino MKR WAN 1300, Arduino MKR WiFi 1010, Arduino MKR GSM 1400, Arduino MKR NB 1500 and the Arduino Nano 33 IoT.

Creative applications of Arduino and Chirp include, but certainly are not limited to:

  • Triggering events from YouTube audio
  • Securely unlocking a smart lock with sound 
  • Sending Wi-Fi credentials to bring offline devices onto a Wi-Fi network
  • Having a remote control that only interacts with the gadgets in the same room as you

“Connectivity is a fundamental asset for our users, as the demands of IoT uptake require devices to communicate information seamlessly and with minimal impact for the end user. Chirp’s data-over-sound solution equips our boards with robust data transmission, helping us to deliver enhanced user experiences whilst increasing the capabilities of our hardware at scale,” said Massimo Banzi, Arduino co-founder.

“Sound is prevailing as a highly effective and versatile means of seamless data transmission, presenting developers with a simple to use, software-defined solution which can connect devices. Working with Arduino to extend the integration of data-over-sound across its impressive range of boards will not only increase the reach of Chirp’s technology, but provide many more developers with an accessible and easily integrated connectivity solution to help them drive their projects forward in all purposes and environments. We can’t wait to see what the Arduino community builds,” commented James Nesfield, Chirp CEO. 

To learn how to send data with sound with an Arduino Nano 33 BLE Sense and Chirp, check out this tutorial and visit the Chirp website.


Why we chose to build the Arduino Nano 33 BLE core on Mbed OS

This post is from Martino Facchin, who is in charge of the firmware development team at Arduino. Hopefully this is the first of a series of posts describing the inner workings of what we do.

The new, shiny and tiny Nano 33 BLE and Nano 33 BLE Sense are on their way to becoming a serious threat to any hacker’s summer vacation. (I’d recommend spending a couple of days at the lake or beach anyway despite the board’s awesomeness!)

Quoting Sir Isaac Newton (who walked the same streets of Cambridge, UK that the Arm engineers use to get to work every day), starting from scratch is not always a clever idea. Tens of thousands of man-hours have been spent since the beginning of computer science to reinvent the wheel, sometimes with great results, other times just bringing more fragmentation and confusion.

Since we didn’t have an official Arduino core for the Nordic nRF52840 Cortex-M4 microcontroller, which the Nano 33 BLE and Nano BLE Sense are based upon, we took a look at the various alternatives:

  • Using Nordic softdevice infrastructure
  • Writing a core from scratch
  • Using Mbed OS as a foundation

Option one looks juicy but clashes with a cornerstone of Arduino: open-source software. In fact, softdevice’s closed source approach limits the user’s freedom.

Option two would take a lot of burden on our shoulders for a single board, making the core not very reusable.

So, we went to option three: basing the core on Mbed OS foundation, sharing its drivers and libraries.

As many of you may know, Mbed is a fully preemptive RTOS (real-time operating system), meaning you can run multiple “programs” (more specifically, threads) at the same time, much like what happens in your notebook or smartphone. At Arduino, we have been looking for an RTOS to use on our more advanced boards for a long time but we never found something we liked until we started working with the Mbed OS. Programming an RTOS is usually quite complicated (every university grade course on operating systems will be full of frightening terms like ‘mutex’ and ‘starvation’), but you don’t have to worry if you just want to use it as an Arduino; setup() and loop() are in their usual place, and nobody will mess with your program while it’s running.

But if you want to do MORE, all Mbed infrastructure is there, hidden under the mbed:: namespace. As a side effect of reusing its drivers, we can now support every Mbed board in Arduino with minimal to no effort. Plus, the structure of the core allows any Mbed developer to use Arduino functions and libraries, simply by prepending arduino:: before the actual function call.

Mbed also supports tickless mode; in this way, every time you write delay() in your code, the board will try to go in low power modes, knowing exactly when to wake up for the next scheduled event (or any external interrupt). We are able to achieve an impressive 4.5uA of lower consumption while running a plain old Blink on the Nano 33 BLE (a minimal hardware modification is needed to obtain this value but another blog post is coming). As for Bluetooth support, you can start creating your BLE devices today using the wonderful https://github.com/arduino-libraries/ArduinoBLE but we support plain Cordio APIs as well, in case you need features not yet available in Arduino BLE.

And of course, it’s all open-source! 

If you just want to make awesome projects with its plethora of onboard sensors, fire up your Arduino IDE, open the board manager and search for Nano 33 BLE; one click and you are ready to go! 

If you want to hack the core, add another Mbed board or merely take a look, your next entry point is the GitHub repo. Don’t be shy if you find a bug or have a suggestion; we love our community, and will try to be as responsive as possible. 

Arduino selects Auth0 as standardized login for ecosystem

We are excited to announce that we’ve selected Auth0 as the identity management platform of choice for Arduino. We will replace our own Single Sign On solution with Auth0 for all public facing web properties, including Arduino Create and other apps.

We discovered that our own homegrown authentication solution would not scale to meet the rapidly developing needs of the growing global community and decided to reach out to Auth0. In addition to Single Sign On, Arduino will take advantage of Auth0’s new Universal Login, which enables developers to completely customise their branded authentication experiences quickly, and Device Flow for browserless or input-constrained devices.

“We wanted a robust platform to replace our SSO solution but also give us the flexibility to do cool, new things in the device authentication space. Auth0 is a brand we admire, and their API-based approach makes it easy to migrate our login data in a way that’s completely transparent for the customer. We are excited to welcome them to our global community.” – Gianluca Varisco, Arduino CISO

We plan to leverage the power of both communities and events, and explore a technical partnership in the IoT domain. Auth0 currently secures more than 2.5 billion logins per month for 21 million users.

“I have been using Arduino for years as the brain for my personal projects, so working with them in a business capacity is really rewarding. When you empower the developer with simple, powerful tools, the whole business benefits. We are excited by the reach of the Arduino community and aligned in our mission to help the developer in their journey to innovate.” – Eugenio Pace, Auth0 CEO and co-founder 

Arduino Blog 28 Jul 11:13

Arduino SIM extends availability around the world

Hot on the heels of announcing the launch of the Arduino SIM in the US, we’re very pleased to further roll out availability of the data plan to Asia, Australia/NZ, Middle East and Africa, and the Americas (excluding Brazil).

With 10MB free data for up to 90 days and a global roaming profile, the new Arduino SIM offers the simplest path to cellular IoT device development.

The Plan:

  • Arduino SIM comes with 10 MB of data free for the first 90 days.
  • One simple subscription at 5 MB for $1.50 USD per month*.
  • Global roaming profile – enjoy the same amount of data traffic for the same price wherever you are operating the device around the world.
  • Cellular connectivity to the Arduino IoT Cloud – monitor and control your devices anytime, anywhere.
  • Ideal for connected devices on the go or in areas without reliable WiFi.
  • Scalable to large numbers of devices in the future with Arm Pelion Connectivity Management.

*Available worldwide except for the European Union and Brazil

Currently, the Arduino SIM will allow users to send data into the Arduino IoT Cloud, while later in the year they will also be able to use the Arduino SIM to connect to the Internet via a combination of webhooks and APIs.

Arduino SIM will initially be compatible with the MKR GSM 1400 (3G with 2G fallback) — an Arm Cortex-M0+ board supporting TLS and X.509 certificate-based authentication through an on-board secure element and crypto accelerator. The Arduino IoT Cloud makes it possible for anyone to connect to these boards securely without any coding required, but they are still programmable using open-source libraries and the traditional Arduino IDE.

Now available for order from the Arduino online store!

What’s new at Maker Faire Bay Area 2019

It wouldn’t be a Maker Faire Bay Area without some exciting announcements!

A New Nano Family

Designed with makers in mind, the new Nano represents a small, powerful and affordable solution for everyday projects. Retaining Arduino’s quality and reliability, they make it easier than ever to turn your project ideas into reality. They are compatible with classic Arduino boards, have low energy consumption, and are equipped with more powerful processors.

The family is comprised of four different boards:

Arduino Nano Every – perfect for everyday projects. (Pre-order here with headers or here without headers)

Arduino Nano 33 IoT – small, secure, and Internet-connected. (Pre-order here with headers or here without headers)

Arduino Nano 33 BLE – small, low-power, and Bluetooth-connected. (Pre-order here with headers or here without headers)

Arduino Nano BLE Sense – small, low-power, and Bluetooth-connected with a wide range of on-board sensors. (Pre-order here with headers or here without headers)

“The new Nanos are for those millions of makers who love using the Arduino IDE for its simplicity and open source aspect, but just want a great value, small and powerful board they can trust for their compact projects,” commented Massimo Banzi. “With prices from as low as $9.90 for the Nano Every, this family fills that gap in the Arduino range, providing makers with the Arduino quality they deserve for those everyday projects.”

Arduino SIM

Connect the Arduino IoT Cloud to the world around you! 10MB free data for up to 90 days (5MB per month for $1.50 USD thereafter).

Arduino SIM is the new cellular connectivity service for the Arduino IoT Cloud. The SIM aims to offer the simplest path to cellular IoT device development in an environment familiar to millions. The cellular service, provided by Arm Pelion Connectivity Management, has a global roaming profile meaning a single Arduino SIM can be used in over 100 countries worldwide with one simple data plan. Compatible with the MKR GSM 1400 board, it is ideal for connected devices on the go. Arduino SIM is currently only available in the US — more information can be found here.

If you’re coming along to the faire, remember to bring along your MKR GSM 1400 board and we’ll give you a free SIM to try out!

Arduino Certification Program: Arduino Fundamentals

The Arduino Certification Program (ACP) is an Arduino initiative to officially certify Arduino users at different levels and confirm their expertise in key areas. Arduino Fundamentals, representing the first level of the ACP, is now available in the U.S. — access to the exam can be purchased either in combination with the Arduino Starter Kit or as a standalone exam.  

But Wait, There’s More!

If you’ll be in San Mateo, don’t miss Massimo Banzi’s ‘State of Arduino’ talk on Saturday at 2pm PT on the Center Stage, where he will reveal more news and updates!

Good luck to OKdo, a brand-new global technology company in the microcontroller and IoT space

OKdo’s focus is to create an ‘outstanding’ experience for all microcontroller and IoT customers, whatever their background, goals and ambitions. Bringing them the latest products, solutions and ideas to inspire and enable them to create technology that makes life better.

Visit OKdo’s new website to see the inspirational Arduino-based industrial case study, in which Fluid Intelligence’s oil performance monitoring service enables industrial customers in the Logistics, Pulp & Paper, Manufacturing, Chemical and Energy sectors to maximise their operational reliability and reduce the waste generated by up to 50%.

Massimo Banzi, CTO and Co-founder of Arduino explains: “We’re excited to be partnering with OKdo. With our roots in open source, Arduino has transformed into a company that serves professional designers by providing complete IoT platforms, as well as continuing to enable students, educators and makers to innovate by making complex technology simple to use.  There are a lot of Enterprises that need simple and secure technology for adding connectivity to their devices, together, Arduino and OKdo can make that happen.”

Richard Curtin, SVP Technology at OKdo, commented: “At OKdo we’re excited to work with Arduino to help them meet their objectives and grow their business. We support makers, entrepreneurs, start-ups and global businesses turn their visions into reality. Like Arduino, the philosophy behind OKdo is to put technology in the hands of those who have the biggest potential. Together with Arduino we can work with customers and businesses to help them do something amazing.”

To find out more about OKdo visit  https://www.okdo.com/industrial/ or follow them on Twitter | YouTube | LinkedIn | Facebook | Instagram.

Announcing the Arduino IoT Cloud Public Beta

In our pursuit to democratize Internet of Things development, today we are excited to announce the Arduino IoT Cloud!

The Arduino IoT Cloud is an easy-to-use platform that makes it very simple for anyone to develop and manage their IoT applications, then deploy them to a large number of users. It allows users to create applications that solve real-life problems, and hopefully, improve their lives.

With the launch of the Arduino IoT Cloud, Arduino now provides its one million users a complete end-to-end approach to IoT that includes hardware, firmware, cloud services, and knowledge. After six months of private beta testing, I am very pleased to release the public beta of the Arduino IoT Cloud with automatic dashboard generation, Webhooks support, and full TLS secure transport.

— Luca Cipriani, Arduino CIO

Convenience and flexibility are key considerations for the Arduino IoT Cloud. Arduino boards usually require you to program them by entering code by way of a sketch — now the Arduino IoT Cloud can do this for you. It will quickly and automatically generate a sketch when setting up a new thing, thus enabling a developer to go from unboxing their board to a working device within five minutes. The Arduino IoT Cloud also provides other methods of interaction, including HTTP REST API, MQTT, Command-Line Tools, Javascript, and Websockets.

Going from an idea to a fully-functional IoT device has been a tedious process even for the most advanced engineers and developers… until now. Arduino now offers a complete platform with the MKR family providing a streamlined way to create local IoT nodes and edge devices using a range of connectivity options and compatibility with third-party hardware, gateway, and cloud systems. Whilst the Arduino IoT Cloud lets users manage, configure and connect not only Arduino hardware but the vast majority of Linux-based devices — truly democratizing IoT development.
— Massimo Banzi, Arduino CTO and Co-Founder

Want to learn more or try out the Arduino IoT Cloud for yourself? You’re just a click away!

Announcing Arduino’s Coordinated Vulnerability Disclosure Policy

A little less than a month ago, I joined Arduino as their Chief Information Security Officer. I’ve been in touch with the team for the past couple of months and feel incredibly lucky to be part of such a talented and driven group of people.

We’re working hard on developing a robust, well-rounded security program that fits our organisation and busy improving our security posture across all departments. I am a true believer that it all starts from introducing a strong culture of security awareness — where employees feel confident and empowered to take action against security issues.  

Today, I’m thrilled to announce the first release of Arduino’s Coordinated Vulnerability Disclosure (CVD) Policy.

We used some great references when putting it together and we’d like to give them a shout out here: HackerOne’s VDP guidelines, CEPS’ report on “Software Vulnerability Disclosure in Europe,” and the US DoJ Cyber Security unit’s VDP framework. We also took into consideration recent Senate testimony of experts in vulnerability disclosure in the role hackers can play in strengthening security, Dropbox’s announcement on protecting researchers and 18F’s own policy. I even wanted to publicly thank Amit Elazari Bar On, a doctoral law candidate (J.S.D.) at UC Berkeley School of Law and a Lecturer at UC Berkeley School of Information Master in Cybersecurity program for her useful advice and for providing the amazing “#legalbugbounty” standardisation project.

We’re also happy to announce that all of the text in our policy is a freely copyable template. We’ve done this because we’d like to see others take a similar approach. We’ve put some effort into this across our teams and if you like what you see, please use it. Similarly, if you have improvements to suggest, we’d love to hear from you.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process aimed at mitigating/eradicating the potential negative impacts of vulnerabilities. It can be defined as “the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of vulnerabilities and their mitigation to various stakeholders, including the public.”

Figure 1: Relationships among actors in the CVD process. Source: “The CERT Guide to Coordinated Vulnerability Disclosure,” Software Engineering Institute, Carnegie Mellon University

Why is it important for us?

At Arduino, we consider the security of our systems and products a top priority. No technology is perfect, and Arduino believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered, as set out in this policy, so that we can fix them and keep our information safe.

If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

This policy describes how to send us vulnerability reports and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Where can I find it?

A copy of the policy is published on our Vulnerability Disclosure Policy page. The official document lives in GitHub. If you would like to comment or suggest a change to the policy, please open a GitHub issue.

Thank you for helping keep Arduino and our users safe!

— Gianluca Varisco

Say hello to the next generation of Arduino boards!

We’re excited to kick off Maker Faire Bay Area by expanding our IoT lineup with two new boards: the MKR Vidor 4000 and the Uno WiFi Rev 2.

The MKR Vidor 4000 is the first-ever Arduino based on an FPGA chip, equipped with a SAM D21 microcontroller, a u-blox Nina W102 WiFi module, and an ECC508 crypto chip for secure connection to local networks and the Internet. MKR Vidor 4000 is the latest addition to the MKR family, designed for a wide range of IoT applications, with its distinctive form factor and substantial computational power for high performance. The board will be coupled with an innovative development environment, which aims to democratize and radically simplify access to the world of FPGAs.

“The new MKR Vidor 4000 will finally make FPGA accessible to makers and innovators,” said Massimo Banzi, Arduino co-founder. “And we are looking forward to changing the game yet again.”

“Maker Faire Bay Area is always an unparalleled opportunity to interact with the Arduino community and makers,” added Fabio Violante, Arduino CEO. “This year I’m extremely excited about the launch of the most flexible Arduino ever, the MKR Vidor 4000 and the development environment vision around it. With this new product we aim at putting in the hands of professionals, makers and educators the electronic equivalent of a resourceful Swiss Knife to bring their creativity to the next level. The applications are countless.”

Co-developed with Microchip, the Uno WiFi Rev 2 is built around the new ATmega4809, u-blox Nina W102 WiFi module, and an integrated IMU. The Uno WiFi will make it even easier to deploy products that need connectivity using the classic Arduino form factor, and is ideal for emerging IoT industries such as automotive, agriculture, consumer electronics, smart home, and wearables. Among its other features, the ATmega4809 provides 6KB of RAM, 48KB of Flash, three UARTS, Core Independent Peripherals (CIPs), and an integrated high-speed ADC. Combined with Microchip’s ECC608 crypto chip on the Uno board, the microcontroller also provides hardware-based security for connecting projects to the cloud including AWS and Google.

“As we grow, partner and invest, we will fuel the vast IoT and software markets across the industry,” said Banzi. “Inspiring the Arduino community with easy to deploy solutions that enable our users to have access to larger both flash and RAM memory for more demanding IoT projects.”

“Arduino aims at supporting professional developers, makers and educators during the entire lifecycle of IoT product development, from the initial learning phases to mass deployment,” noted Violante. “Being based on the popular AVR technology, but on steroids, and with an enhanced WiFi connectivity, the UNO WiFi Rev 2 is a big step forward for all users that want to leverage the vast ecosystem of shields and libraries available for the traditional UNO form factor, in connected use cases.”

Those heading to Maker Faire this weekend are invited to attend Massimo Banzi’s semi-annual ‘State of Arduino’ talk, where you can learn more about our latest developments including the MKR Vidor 4000, Uno WiFi Rev2, and our Arduino Day releases.

Both the MKR Vidor 4000 and Uno WiFi Rev2 will be available on the Arduino online store at the end of June.