Enigma machines are fascinating devices, especially for young Makers looking to explore the world of electronics. Awhile back we featured a similar project from Italy, and we’re once again amazed by the work of 14-year-old Andy Eggebraaten, who built a retro-modern gadget of his own. The project, which was for his high school’s science fair, took nine months to complete.

These electro-mechanical rotor cipher machines were developed  in the early 20th century to protect commercial, diplomatic and military communication, used especially by German military intelligence during World War II.

In the video below, Andy opens the machine to show its inner workings: the unit runs on Arduino Mega along with 1,800 other parts and 500 color-coded wires. We can see that he evolved the rotors into electronic modules that plug into D-Sub sockets, and the interface is made using a 16-segment display showing the rotor position as well as an LCD screen to read the plain- and the encoded text.

Hackaday.io user [Abderraouf] has written an implementation of the new(ish) Spritz cipher and hash for Arduino. While we’re not big enough crypto-nerds to assess the security of the code, it looks like it’s going to be pretty handy.

Spritz itself is a neat cipher. Instead of taking in fixed blocks of data and operating on them, it allows you to process it in (almost) whatever chunks it comes in naturally, and then extract out the encrypted results piecewise. It works both as a two-way cipher and as a one-way hash function. It looks like Spritz is a one-stop-shop for all of your encryption needs, and now you can run it on your Arduino.

In case you are afraid of new implementations of new ciphers (and you should be), Spritz’s pedigree should help to put you at ease: it was developed by [Ron Rivest] to be a successor to his RC4 algorithm, and it incorporates a lot of the lessons learned about that algorithm over the past. This doesn’t exclude subtle flaws in the implementation of the library (no offence, [Abderraouf]!) or your work downstream, but at least the underlying algorithm seems to be the real deal.

[Abderraouf] links it in his writeup, but just for completeness, here’s the Spritz paper (PDF). What crypto libraries do you currently use for Arduino or microcontroller projects? We’ve been fans of XXTEA for ages, but more because it’s simple and small than because it’s secure. Spritz may be simple enough to implement easily, and still more secure. Sweet.

We are excited to announce Arduino Wifi Shield 101 developed with Atmel is now available for purchase on the Arduino Store US (49.90$).

Arduino WiFi Shield 101 is a powerful IoT shield with crypto-authentication that connects your Arduino or Genuino board to the internet wirelessly. Connecting it to a WiFi network is simple, no further configuration in addition to the SSID and the password are required. The WiFI library allows you to write sketches which connect to the internet using the shield.

The shield is based on the Atmel SmartConnect-WINC1500 module, compliant with the IEEE 802.11 b/g/n standard. The WINC1500 module provided is a network controller capable of both TCP and UDP protocols.  The main feature is an hardware encryption/decryption security protocol provided by the ATECC508A CryptoAuthentication chip that is an ultra secure method to provide key agreement for encryption/decryption, specifically designed for the IoT market.

Last year, Massimo Banzi introduced the shield:

“In this increasingly connected world, the Arduino Wi-Fi Shield 101 will help drive more inventions in the IoT market. Expanding our portfolio of Arduino extensions, this new shield can flawlessly connect to any modern Arduino board giving our community more options for connectivity, along with added security elements to their creative projects.”

The WiFi Shield 101 is the first Arduino product fully supporting SSL and all the communication between your board and our secured server. With the power of the Arduino Zero and the WiFi Shield 101 it is possible to make secure IoT applications simply and just using the Arduino Language.

A working example and instructions on how to get started are available on Arduino Cloud, a work-in-progress project that gives you access to a pre-configured MQTT server for your IoT sketches using only your Arduino account. More examples and features will be available in the next months.

Feel like knowing more about the shield? Explore the  Getting Started guide.

Jochen Maria Weber is a Researcher and Designer at the intersection of Interaction- and Industrial Design. He shared with us Project Cuckoo, a project running on Arduino Yún and looking at our interactions with intercepted social networks and how alternative ways of communicating might change them:

Twitter, Facebook, Google+ and co. collect our data and are forced to have a backdoor for state surveillance. Therefore Cuckoo encrypts messages into randomly generated words, meanings and noise in order to scatter them over multiple communication networks simultaneously. Each letter of an original message gets translated into complex forms of certain length forming new sentences. Those sentences get posted to aforementioned social networks, next to randomly generated noise-sentences for distraction. The encryption method can be changed with every new message. Any receiving Cuckoo-unit following the respective social network accounts can filter and decrypt the important posts according to their encryption method and time stamp. Cuckoo combines social networks to build a hidden one on top of their infrastructure. An egg in the others’ nests.

Cuckoo uses an Arduino YUN to connect wirelessly as a stand-alone device to the internet. It also does the en- and decryption of all messenges and made it comfortable to connect to Twitter, Skype and Tumblr API with Temboo.

Take a look at the video on Cuckoo’s website.

In honor of DEFCON, this week we’re looking at some cryptography and reverse engineering projects over at Hackaday.io

Every hacker loves a hardware puzzle, and [Tom] has created a tool to make those puzzles. His Hardware Reverse Engineering Learning Platform consists of a shield with two ATmega328 chips and an I2C EEPROM. The two Atmel chips share a data bus and I2C lines. Right in the middle of all this is an ST Morpho connector, which allows an ST Nucleo board to act as a sniffer. The platform allows anyone to create a reverse engineering challenge!

To successfully reverse engineer a board, it sure helps to have good tools. [coflynn] is giving that to us in spaces with The ChipWhisperer. ChipWhisperer is an open source security research platform. The heart of the system is a Xilinx Spartan 6 FPGA. The FPGA allows very high speed operations for things like VCC and clock glitching. ChipWhisperer is an entire ecosystem of boards – from LNA blocks to field probes. The entire system is controlled from an easy to use GUI. The end result is a powerful tool for hardware attacks.

On the Encryption side of the house, we start by keeping the Feds at bay. The [Sector67] hackerspace has collectively created NSA AWAY. NSA AWAY is a simple method of sending secure messages over an insecure medium – such as email. A one-time use pad is stored on two SD cards, which are used by two Android devices. The message sender uses an Android device to encrypt the message. On the receive side, the message can be decoded simply by pointing an android device’s camera at the encrypted data. So easy, even a grandparent could do it!

Next up is [Josh's] Bury it under the noise floor. “Bury it” is an education for cryptography in general, and stenographic software in particular. [Josh] explains how to use AES-256 encryption, password hashing, and other common techniques. He then introduces stenography  by showing how to hide an encrypted message inside an image. Anyone who participated in Hackaday’s ARG build up to The Hackaday Prize will recognize this technique.

[yago] gives us encrypted voice communications with his ZRTP Hardphone. The hardphone implements the ZRTP, a protocol for encrypted voice over IP communications. The protocol is implemented by a Raspberry Pi using a couple of USB sound cards. User interface is a 16×2 Line character LCD, a membrane keypad, and of course a phone handset. Don’t forget that you need to build two units,or  whoever you’re trying to call will  be rather confused!

Finally we have the Mooltipass. Developed right here on Hackaday by [Mathieu Stephan] and the community at large, Mooltipass is a secure password storage system. All your passwords can be stored fully AES-256 encrypted, with a Smart Card key. Under the hood, Mooltipass uses an Arduino compatible ATmega32U4 microcontroller. UI is through a OLED screen and touch controls.

That’s it for this week! Be sure to check out next week’s Hacklet, when we bring you more of the best from Hackaday.io!

David Huerta is a technologist who recently published a provocative work to make everyone think a little bit more about privacy and what governments should be allowed to do or not:

I work outside the Pokemon business model of catching every user’s data or abusing it for state surveillance. I work instead surrounded by priceless art and in giving it a voice inside and outside the thick, Faraday cage walls of the museum it lives in.

He created an encrypted mixtape and sent it to NSA. The device runs on Arduino and other open hardware and for David is a:

machinery that can be trusted not to spy on you because of the disclosure of its design, schematics and bill of materials to anyone who wishes to inspect, build, or build upon the device. The device contains a soundtrack for the modern surveillance state. It’s designed to be enjoyed only by people I have consented it to be listened to. A second copy of this device will also be sent to the NSA’s headquarters in Maryland, but without the private key needed to decrypt it; a reminder that the rules of mathematics are more powerful than the rules of even the most powerful states.

We got in touch with him and was happy to answer a couple of questions for the blog:

Z: What makes you more uncomfortable about NSA actions which made you react and build this device?

D: The NSA’s mass surveillance encompasses a lot of programs which run counter to what I feel is a fundamental right to privacy. In the US Constitution there’s an expression of that in its fourth amendment.
What the NSA is doing goes against the spirit of that much like petting a cat backwards; It’s the wrong direction to go towards and a cat/society will swipe its paw at the offender.

Z: Arduino community is always interested in understanding how things are made. Where we can find source code and technical specs to build one? It would be great if we all could share more practical knowledge on these topics.

D: The mixtape device is basically just an Arduino and Adafruit wave shield. The code to play each wave file on the SD card on a loop (when unencrypted) is right off their list of examples.
I made one slight modification, which is to turn on a purple LED to indicate when it’s working. Purple is not an easy LED color to source, but it’s the global Pirate Party color and I wanted to give them subtle props for working towards a free and secure internet on the policy side of things.

I will at some point publish a way to do the encryption part of this using a Beaglebone Black and CryptoCape to make it a fully open hardware proof-of-concept, but in this case the SD card encryption was done off-device. I also plan on going through a full tutorial based on that at this year’s Open Hardware Summit in Rome.

Z: You said: “The NSA can read my stupid Facebook updates but without my consent it will never be able to listen to my kick-ass mix tape, even if it’s sitting right in front of them.” – What makes you believe that your encryption is strong enough?

D: The truth is that everyone sucks at information security, including myself, so no one can really make the claim something they’ve built is “NSA-proof.” Generally though, the less hardware and software you have, the less complexity and thus, opportunity for attack vectors or human errors there are. The playlist was kept offline, is not on the Arduino sketch, or anywhere in the hardware except encrypted in the SD card. The only place the audio existed aside from in the various sources I collected it from was on the hard drive of the PC I used to compose the mix tape, which has since been removed and stored offsite and offline. The encryption was also ran by a different machine, and one that I generally keep on my person. This goes beyond mass surveillance capabilities and into TAO/FBI “partyvan” surveillance; I can’t imagine an intelligence analyst is going to go to their very serious boss to explain that they need to expense a vehicle to go after some guy’s mix tape in a city where they won’t even be able to find a parking spot close enough to run a tempest attack from.

ZDo you have the pictures of the inside showing the components and the circuits?

D: They’re not too exciting since its just the Arduino + Wave Shield, but I attached a photo of the unencrypted version (clear acrylic instead of red clear acrylic), which I’ll also be bringing with me to the Open Hardware Summit.

Looking forward to meet him at Open Hadware Summit!