We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read.
The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable. However, if you know where enough functions are located in flash, you can just use what’s there. These kinds of return-oriented programming (ROP) tricks were enough for the researchers to write a worm.
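To make the out-of-RAM condition concrete from the defender's side, here is an added example (not code from the paper or from the Arduino project) that models a 2.5 KB SRAM on the host and compares unbounded input buffering with a version that refuses input once a guard gap below the stack would be consumed. The memory layout model, the names, the `STACK_GUARD` value and the marker byte are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SRAM_SIZE   2560u  /* ATmega32u4 data SRAM is 2.5 KB */
#define STACK_GUARD 128u   /* assumed headroom kept free for the stack */
#define STACK_MARK  0xA5   /* constructed marker for live stack bytes */

/* Host-side model (constructed): buffered data grows up from 0, the
 * stack grows down from the top, and no MMU separates the two. */
struct sram {
    uint8_t mem[SRAM_SIZE];
    size_t heap_top;   /* first free byte above buffered data */
    size_t stack_low;  /* lowest byte currently used by the stack */
};

void sram_init(struct sram *m, size_t stack_in_use)
{
    memset(m->mem, 0, sizeof m->mem);
    m->heap_top = 0;
    m->stack_low = SRAM_SIZE - stack_in_use;
    memset(m->mem + m->stack_low, STACK_MARK, stack_in_use);
}

/* Returns 1 if every live stack byte still holds its marker. */
int stack_intact(const struct sram *m)
{
    for (size_t i = m->stack_low; i < SRAM_SIZE; i++)
        if (m->mem[i] != STACK_MARK) return 0;
    return 1;
}

/* Unbounded buffering: appends input with no regard for the stack. */
void buffer_unchecked(struct sram *m, const uint8_t *in, size_t len)
{
    size_t room = SRAM_SIZE - m->heap_top;  /* keeps the model in bounds */
    if (len > room) len = room;
    memcpy(m->mem + m->heap_top, in, len);
    m->heap_top += len;
}

/* Hardened: reject input that would eat into the guard gap.
 * Returns 0 on success, -1 when the message is dropped. */
int buffer_checked(struct sram *m, const uint8_t *in, size_t len)
{
    size_t gap = m->stack_low > m->heap_top ? m->stack_low - m->heap_top : 0;
    if (gap < STACK_GUARD || len > gap - STACK_GUARD) return -1;
    memcpy(m->mem + m->heap_top, in, len);
    m->heap_top += len;
    return 0;
}
```

On real AVR firmware the equivalent check compares the current stack pointer against the top of allocated memory before accepting more data; the model above only shows why the bound has to exist.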
In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.
Will this amount to anything in practice? Probably not. There are tons of systems out there with much more easily accessed vulnerabilities: hard-coded passwords and poor encryption protocols. Attacking all the Yuns in the world wouldn’t be worth one’s time. It’s a very cool proof of concept, and in our opinion, that’s even better.
The apparent lull on the Arduino front the last few weeks was just the calm before the storm that is the Bay Area Maker Faire (BAMF). Both companies claiming the Arduino name were there over the weekend, with news and new products in tow. Ironically, you could see from one booth straight over to the other. Small world.
Perhaps the biggest news from Arduino LLC is that hacker-friendly Adafruit is now going to be making officially-licensed boards in the US. Competing with this news, Arduino SRL brought its new boards, including the Yun Mini and ARM-powered Arduino M0. And [Massimo Banzi] and Arduino LLC seem to be taking an end-run around the Arduino SRL trademark by announcing the “Genuino” brand for European production. For all the details, read on!
The Adafruit Connection
As announced by [Massimo] in his “State of the Arduino” keynote speech at the BAMF, Arduino is licensing Adafruit to produce a range of the “most-requested” Arduino boards at their factory in New York. So those of you looking to support Arduino LLC with your purchases also get to help line [Ladyada]’s pockets at the same time. That’s a big win in our book.
It’s not a complete surprise that Adafruit should get tapped as a US fab for Arduino.cc. They’ve been selling the boards and producing copious Arduino-related tutorials since their beginnings in 2005. More recently, Adafruit partnered with Arduino LLC to create the Gemma board, which is basically an ATTiny85-based Arduino-a-like in a tiny round, wearable-friendly board. (If you’re familiar with the Adafruit lineup, it’s essentially a Trinket in the round format of a LilyPad Arduino.)
Indeed, after the deal is done and the dust has settled, it’s a bit surprising to us that this hasn’t happened earlier, what with both Adafruit and Sparkfun producing licensed boards and Arduino LLC looking for new manufacturers. Anyway, good job Adafruit and Arduino (LLC)!
(New) Hardware from Arduino SRL
Arduino SRL had its Yun Mini, which is essentially a smaller version of the Yun — a mashup of an Arduino Leonardo with an OpenWRT-capable router chipset. We’ve reported on these previously but it’s fun to see them in the flesh.
The M0 is interesting. Before the troubles began, Arduino designed an ARM-M0+ based board with Atmel. Now Arduino LLC has it listed on their website as the Arduino Zero, but still hasn’t got any for sale yet. Arduino SRL has the boards on their website as the Arduino Zero Pro, with a different name, but is now touting this version as the “M0 Pro”. What’s in a name? Not much. The circuit layouts and parts appear identical.
The Portal Battle
Both of the Arduino companies are working on getting your Arduino development into “the cloud”. (Conscience compels us to note that “the cloud” is actually just other people’s computers.) Anyway, this essentially means new web-based and browser-based versions of the IDE that tie into web services. Interestingly enough, the two companies have different takes on what that entails.
Meanwhile, Arduino LLC displayed their previously announced alternative development platform, Arduino Create. Arduino Create lets you write, compile and upload sketches “directly from the browser with the Arduino Web Editor”, and store your code in the “Arduino Cloud”. Arduino Create looks slick: certainly a lot better than the homely Java IDE that we’re all used to. It’s too early to tell what this “cloud” is all about, but it looks like it will include code sharing, schematic and wiring hookup storage, and easy sharing among users.
We already use blogs, Hackaday.io (shameless plug!), Github, and other “cloud” services to store our projects and code, so we’re not entirely sure what either of these portal offerings will bring to the table. It’s 2015, is anyone still hurting for project hosting space on the web?
Cynically, we note that both of these companies are in a battle to “own” the Arduino community and that getting people to host code and projects on their servers is an obvious strategy, and providing a web-based IDE to facilitate this capture is the tactic.
Finally, as if it weren’t bad enough with Arduino LLC and Arduino SRL, [Massimo Banzi] also announced that licensed boards for the European market will be sold under the new “Genuino” brand.
Actually, this is a pretty cagey maneuver, because it side-steps the European trademark issues (which [Massimo] referred to as “the bullsh*t” in his talk) and is a cute name to boot. “Genuine”, get it?
Our take? As [Massimo] almost said in this video interview with Make, “a rose by any name would smell as sweet.” If Arduino LLC loses the trademark lawsuit in Italy, they’ll not be allowed to sell boards using the “Arduino” name. The best way to limit the damage in the future is to make the switch now, while everyone is watching, and give the market time to adapt.
We’ve all been there. You are having fun walking around the carnival when you suddenly find yourself walking past the carnival games. The people working the booths are taunting you, trying to get you to play their games. You know the truth, though. Those games are rigged. You don’t know how they do it. You just know that they do… somehow.
Now you can put your worries to rest and build your own carnival game! [John] built his own “Bass Master 3000” style carnival game and posted an Instructable so you can make one too.
The game is pretty straightforward. You have a giant fish-shaped target with a wide open mouth. You take hold of a small fishing reel with a rubber ball on the end. Your goal is to cast the ball out and hit the fish in its big mouth. If you hit the mouth, you get to hear a loud buzzer and see some flashing lights. The system also uses a webcam to take a candid photo of the winner. A computer screen shows all of the winners of the day.
The brain of the system is an Arduino Yún. The Yún is similar to an Uno but it also has some extra features. Some good examples are an Ethernet port, a wireless adapter, and an SD card slot. The mouth sensors are just two piezo elements. Each sensor is hooked up to the Arduino through a small trim pot. This allows you to dial in the sensitivity of each sensor. The lights and the buzzer are controlled via a relay, triggered by a 5V digital pin on the Arduino.
The Yún actually has a small on-board Linux computer that you can communicate with from inside the Arduino environment. This allows [John] to use the Yún to actually take photos directly from a web cam, store them on the local SD card, and display them on a local web server. The web server runs a simple script that displays a slide show of all of the photos stored on the card.
The final piece of the game is the physical target itself. The target is painted using acrylic paint onto a small tarp. The tarp is then attached to a square frame made from PVC pipe. The mouth of the fish is cut out of the tarp. A large piece of felt is then placed behind the hole with the piezo sensors attached. A short length of copper pipe helps to weigh down the bottom of the felt and keep it in place. The important thing is to make sure the felt isn’t touching the tarp. If it touches, it might be overly sensitive and trigger even when a player misses.
Now you know how to build your own Bass Master 3000 carnival game. Whether you rig the game or not is up to you.