Fast-forward to the end of the talk, and you’ll hear someone in the audience ask [Ray] “Are there any Bluetooth locks that you can recommend?” and he gets to answer “nope, not really.” (If this counts as a spoiler for a talk about the security of three IoT locks at a hacker conference, you need to get out more.)
Unlocking a padlock with your cellphone isn’t as crazy as it sounds. The promise of Internet-enabled locks is that they can allow people one-time use or limited access to physical spaces, as easily as sending them an e-mail. Unfortunately, it also opens up additional attack surfaces. Lock making goes from being a skill that involves clever mechanical design and metallurgy, to encryption and secure protocols.
In this fun talk, [Ray] looks at three “IoT” locks. One, he throws out on mechanical grounds once he’s gotten it open — it’s a $100 lock that’s as easily shimmable as that $4 padlock on your gym locker. The second, a Master Lock, has a new version of a 2012 vulnerability that [Ray] pointed out to Master: if you move a magnet around the outside of the lock, it actuates the motor within, unlocking it. The third, made by Kickstarter company Noke, was at least physically secure, but fell prey to an insecure key exchange protocol.
Along the way, you’ll get some advice on how to quickly and easily audit your own IoT devices. That’s worth the price of admission even if you like your keys made out of metal instead of bits. And one of the more refreshing points, given the hype of some IoT security talks these days, was the nuanced approach that [Ray] took toward what counts as a security problem because it’s exploitable by someone else, rather than vectors that are only “exploitable” by the device’s owner. We like to think of those as customization options.
Finding a product that is everything you want isn’t always possible. Making your own that checks off all those boxes can be. [Peter Clough] took the latter route and built a small Bluetooth speaker with an LED visualization display that he calls Magic Box.
A beefy 20W, 4Ohm speaker was screwed to the lid of a wooden box converted to the purpose. [Clough] cut a clear plastic sheet to the dimensions of the box, notching it 2cm from the edge to glue what would become the sound reactive neopixel strip into place — made possible by an electret microphone amplifier. There ended up being plenty of room inside the speaker box to cram an Arduino Pro Mini 3.3V, the RN-52 Bluetooth receiver, and the rest of the components, with an aux cable running out the base of the speaker. As a neat touch, neodymium magnets hold the lid closed.
We gotta say, a custom speaker with LED visualization makes for a tidy little package — aside from the satisfaction that comes from building it yourself.
Last week, the latest and greatest member of the Bluetooth family of wireless specifications was announced to the world: Bluetooth 5! What main changes are in store? Read the FAQ (PDF), or dig into the full spec (bigger PDF) at 2,800 pages.
Their big-print selling points include “up to 4x the range, 2x the speed, and 8x the broadcasting message capacity” to power the Internet of Things. Etcetera. [Akiba] pointed out via Twitter that they get the fourfold increase in range by adding an extra zero to the “Maximum Output Power” spec, going from 10 mW maximum power to 100 mW. That would do most of it: ten times the power buys roughly 3.2x the range in free space (range scales with the square root of power), and the rest has to come from the new long-range coded mode described next.
In less snarky news, they’re also adding a lower-bitrate coded mode (the LE Coded PHY) that increases range by spending more symbols per bit instead of simply boosting the power. The spec is actually being changed to let the designer work out their optimal blend of power, range, and bitrate. We’re down with that. But you’re not getting 4x the range and 2x the speed at the same time without paying the bandwidth piper. That’s just physics.
If you use the beacon mode in Bluetooth Low Energy (BLE), you’ll be happy to hear that they’re lengthening the beacon packet from 31 bytes to 255, so you can send a bunch more data without consuming too much power. That’s the “8x”. Bluetooth 5.0 is also backwards compatible with Bluetooth 4.2, so you don’t have to redo anything if you don’t want to take advantage of the newer features. Your current BLE beacons will keep working.
Finally, there’s a new channel-selection algorithm and some other coexistence tweaks going on, which is welcome in our crowded 2.4 GHz office spectrum. The “2x speed” comes from a new 2 Mbit/s LE PHY that doubles the over-the-air symbol rate of the 1 Mbit/s PHY in Bluetooth 4.x, but there are about 2,750 pages that we haven’t read yet, so if you’re digging into the spec, let us know what you find in the comments.
There’s an iconic scene from the movie Big where [Tom Hanks] and [Robert Loggia] play an enormous piano by dancing around on the floor-mounted keys. That was the first thing we thought of when we saw [jegatheesan.soundarapandian’s] PC joystick rug. His drum playing (see the video below) wasn’t as melodious as [Hanks] and [Loggia] but then again they probably had a musical director.
At the heart of the project is, of course, an Arduino. An HC-05 provides a Bluetooth connection back to the PC. We thought perhaps an Arduino with USB input capability like the Leonardo might be in use, but instead, [jegatheesan] has a custom Visual Basic program on the PC that uses SendKeys to do the dirty work.
The switches are more interesting made with old CDs, foil, and sponges. The sponge holds the CDs apart until you step on them and the foil makes the CDs conductive. He uses a lot of Fevicol in the project–as far as we can tell, that’s just an Indian brand of PVA glue, so Elmer’s or any other white glue should do just as well.
The glue also handles the fabric parts. When a project says “no sewing” we realize how some people feel about soldering. The CD/foil/sponge switches might be useful in other contexts. We’d be interested in how the sponges wear with prolonged use.
We’ve seen other giant controllers before. Of course, if you really want a big controller, you can’t beat a Nissan (the link is dead, but the video will give you the idea).
Your eyes are cool, but they aren’t very loud. You can remedy that with this build from [Sam Freeman]: a pair of Bluetooth speaker goggles. Combine a pair of old welders goggles with a Bluetooth receiver, a small amp and a couple of cheap speaker drivers and you’re well on your way to securing your own jet set radio future.
[Sam] found a set of speaker drivers that were the same size as the lenses of the goggles, as if they were designed for each other. They don’t do much for your vision, but they definitely look cool. [Sam] found that he could run the speakers for an hour or so from a small lithium-ion battery that’s hidden inside the goggles, along with a large lever switch for that throwback electronics feel. The total cost of this build is a reasonably low $40, or less if you use bits from your junk pile.
The real trick is watching them in action and deciding if there’s any motion happening. Don’t get us wrong, they look spectacular but don’t have the visual feedback component of, say, the bass cannon. Look for yourself in the clip below. We might add a pair of googly eyes on the speakers that dance as they move, but that would get away from the more serious Robopunk look that [Sam] is going for. What would you add to build up the aesthetic of these already iconic goggles?
Everybody should have a few smoke alarms in their house, and everyone should go check the battery in their smoke alarm right now. That said, there are a few downsides to the traditional smoke alarm. They only work where you can hear them, and this problem has been solved over and over again by security companies and Internet of Things things.
Instead of investing in smart smoke alarms, [Johan] decided to build his own IoT smoke alarm. It’s dead simple, costs less than whatever wonder gizmo you can buy at a home improvement store, and reuses your old smoke alarm. In short, it’s everything you need to build an Internet-connected smoke alarm.
Smoke alarms, or at least ionization-based alarms with a tiny amount of radioactive americium, are very simple devices. Inside the alarm, there’s a metal can – an ionization chamber – with two metal plates. When smoke enters this chamber, a few transistors sound the alarm. If you’ve ever taken one apart, you can probably rebuild the circuit from memory.
Because these alarms are so simple, it’s possible to hack in some extra electronics into a design that hasn’t changed in fifty years. For [Johan]’s project, he’s doing just that, tapping into one of the leads on the ionization chamber, measuring the current through the buzzer, and adding a microcontroller with Bluetooth connectivity.
For the microcontroller and wireless solution, [Johan] has settled on TI’s CC2650 LaunchPad. It’s low power, relatively cheap, allows for over the air updates, and has a 12-bit ADC. Once this tiny module is complete, it can be deadbugged into a smoke alarm with relative ease. Any old phone can be used as a bridge between the alarm network and the Internet.
The idea of connecting a smoke alarm to the Internet is nothing new. Security companies have been doing this for years, and there are dozens of these devices available at Lowes or Home Depot. The idea of retrofitting smarts into a smoke alarm is new to us, and makes a lot of sense: smoke detectors are reliable, cheap, and simple. Why not reuse what’s easy and build out from there?
There’s been a lot of fuss over Apple’s move to ditch the traditional audio jack. As for me, I hope I never have to plug in another headphone cable. This may come off as gleeful dancing on the gravesite of my enemy before the hole has even been dug; it kind of is. The jack has always been a pain point in my devices. Maybe I’ve just been unlucky. Money was tight growing up. I would save up for a nice set of headphones or an mp3 player only to have the jack go out. It was a clear betrayal and ever since I’ve regarded them with suspicion. Is this the best we could do?
I can’t think of a single good reason not to immediately start dumping the headphone jack. Sure it’s one of the few global standards. Sure it’s simple, but I’m willing to take bets that very few people will miss the era of the 3.5mm audio jack once it’s over. It’s a global episode of the sunk cost fallacy.
In the usual way hindsight is 20/20, the 3.5mm audio jack can be looked at as a workaround, a stop over until we didn’t need it. It appears to be an historic kludge of hack upon hack until something better comes along. When was the last time it was common to hook an Ethernet cable into a laptop? Who would do this when we can get all the bandwidth we want reliably over a wireless connection. Plus, it’s not like most Ethernet cables even meet a spec well enough to meet the speeds they promise. How could anyone reasonably expect the infinitely more subjective and variable headphone and amplifier set to do better?
But rather than just idly trash it, I’d like to make a case against it and paint a possible painless and aurally better future.
Let’s say you had to design a consumer facing device that goes in someone’s pocket. A pocket is dusty. It’s moist and sweaty. You know your stuff so you’re already thinking about gaskets and IP ratings. Then someone hands you the spec sheet. They let you know that they want you to drill a hole right in it: an unserviceable deep hole in the case. Now rinse and repeat for every portable device on the planet and it seems like an odd mass hallucination.
There is no good way to seal or maintain a 3.5mm headphone jack. Some phone makers have tried by adding a little gasket or a flap, but this doesn’t last. There’s also a chance that it could be sealed off, but since it has to have little springs inside and holders it’s still susceptible to damage from liquids and dust by nature. I’ve even seen some get irreparably corroded by the salt from sweat alone.
It’s like we all agreed to ignore the fact that these connectors were designed to be used in a switchboard. A nice clean dry switchboard in a professional location where it would be used by trained personnel and serviced regularly. It was designed to be an easy to use connector that could be plugged in and removed quickly for low-quality audio phone switching. It was never designed to be the end-all connector for quality audio signals. Moving it out into the world could arguably have just been a quick hack: using a connector that was already adopted and manufactured on a large enough scale when home audio began to be a common thing.
Since we’ve already gotten rid of the keyboards on mobile devices (which is a shame, but that’s another article), and since every manufacturer seems to be horribly committed to irreplaceable batteries, there’s just no reason not to move towards fully waterproof and dustproof devices. There could at least be a bright side. The audio port is holding us back.
Next comes cable strain. People like to complain about how the iPhone earbuds would constantly break at the joint. This is true, and other brands had better strain relief. However, it’s also true that all audio cables that go into a pocket will break before any of the other components will reach their end of service life. By nature, a pocket exceeds every reasonable expectation of in-tolerance cable strain. It is a hostile environment. My last set of headphones went through two cables during regular use. Which segues right into the next design flaw, force.
As mentioned before, the audio connector was designed to be easily inserted in a switchboard room. It would see no dramatic force on it. So it’s a tall connector that is easy to hold and easy to use. It is also supposed to be a low insertion force connector. So it’s unreasonable to expect it to be able to hold a cable in place reliably.
However, when put into a pocket it suddenly sees forces perpendicular to its axis. This can cause some extremely large moments on a very tiny plastic and spring-metal socket. We all know that the longer we own our phones the less able our headphone socket will be to hold the jack in place. There’s simply no way to design something that small to take that much force and keep it cost effective. Rather it looks like we’ve just adjusted our expectations and then forgot that we even made that adjustment.
This seems even more insane from a design perspective when you consider that this connector which sees dramatic forces is actually attached to the mainboard of your device (to be fair, most smartphones do use spring connectors for jack to mainboard, but think about laptops and other gear). Solder joints are not flexible. The metals we use for solder are very susceptible to work hardening and breaking under cyclical forces. So not only do you flex the connection of the port to the board itself, you also flex all the surrounding components. So it’s no mystery that one of the most common repairs on mobile devices is the audio or USB port.
Right now there is still a difference in sound quality between Bluetooth and wired. There’s no reason to expect it to last long. Bluetooth is now capable of some seriously impressive bandwidth and with an actual market erupting for the headsets, it won’t be long before this is a moot point. I’m picking on Bluetooth specifically because it’s the only standard that’s both universal and intended, at least, for hooking peripherals up.
There’s a big argument for the sound quality aspect of the 3.5mm headphone jack. I think that, frankly, most of them make no sense against the transition. If you’re sitting still in your home-listening-chamber with a perfectly tuned preamplifier connected to quality headphones while listening to FLAC audio from your dedicated music computer you might be able to hear a perceptible difference from hooking directly to your phone with a Bluetooth headset. But you’re not. You have a noisy connection from a worn out port to a low quality cable with an unamplified signal to some cost engineered headphones. It’s a wash I think.
Plus, it’s not like switching to a wireless standard is going to absolutely kill the wired headphone market. You’ll still be able to get wired headphones for when the wire matters. People who are paying a hundred dollars plus for quality sound out of a wired headset will still have their toys. That market is very far from death. People who were paying ten bucks for whatever are not going to notice at all.
Most phones and portable devices waste zero energy trying to amplify the signal in a meaningful way. So if you want the full range of your headphones you have to add an amplifier. Then there’s the fact that they’re already class D audio amps trying to maximize the device’s battery life. By the time it gets to your ear it’s been triple digitized to death. Fortunately, we now have more processing power inside greeting cards than we reasonably know what to do with, so it’s unlikely that most would notice the difference.
However, the modern Bluetooth audio chips are actually really great, they’re only getting better. They’re ultra-low power class D amplifiers which were built and optimized for sound quality. With a lithium battery right there inside the headphone there’s no reason not to expect engineers to take advantage of that and stop designing every driver in the world to run off the two or three magic pixies a cell phone is willing to give it. It should actually be possible to have significantly better sounding wireless headphones than wired.
Convenience and User Experience
I bought a very cheap set of Bluetooth headphones off Amazon. I have rarely been so pleased with a purchase. Did they sound good? Not really, but I don’t expect any ten dollar headset to sound good. What I did get was an average of ten days of on and off use before the battery needed charging. I could go to the climbing gym and leave my cellphone on the ground while I climbed. When I worked on projects in the hackerspace I could walk up to thirty feet from my phone and not miss a word of my audio book. It connected automatically. It played nice. It was a better experience in every way.
With my headphones I’m always fighting with the cable. I’m always arranging my phone in my pocket so the cord isn’t flexed too much. It’s a cultural meme that headphones know more knots than we do.
Sure, there are some flaws with Bluetooth. Will we cover battery replacement hacks in a few years? Probably. Will there be growing pains? Of course. Will they be ironed out in the next few years? Most likely.
So how do we transition? Well, the first step is done. Have a big player finally give up on the port. It’s time. But what about all the things that are nice about corded headphones? The global standard? The fact that you can contribute to the complete devastation of our planet by buying them cheaply by the pound instead of being a grown adult who can hold on and take care of a quality item? How about their universal integration with every device that wants to put a sound out?
But we do have other global standards that can transmit sound signals. We have USB. While I hesitate to give Apple too much credit after they threw their lot in with Beats, in this regard they are also showing the way. A dongle is an inelegant example, but only as a transition out of the 3.5mm port. What if your headphones just had a USB C port on one end and you could plug the cable of your choice right into your mobile? The phone has the ability to power some accessories, and as long as it’s designed to switch off the charging circuit while it’s at it, there’s no reason it won’t work. We can all transition painlessly. We really won’t miss it.
Laptops could definitely simultaneously charge and play. If your battery is running low, just hook it up to USB. You get the cord experience and the universal standard experience we’ve all come to love. Just without a weird analog connector from the birth of electronics. All the LEGO pieces are there, we just need to build the spaceship.
All that is pedantic though. Portable audio has never been a power-hungry game and in the end I just don’t think people will notice the cable woes. I thought I would and I don’t. I’m already so used to plugging things in when the situation requires that I just do it and that’s that.
It’s time for the 3.5mm legacy to go. I hope others follow Apple’s lead. I hope all the major headphone makers turn their eyes to wireless audio and the possibilities it offers. There are already quality sets out there and it will only get better. I won’t miss it. I don’t miss magnetic hard drives. I don’t miss CDs and MiniDiscs. I haven’t tuned the bunny ears on a television in at least a decade. I don’t even own an Ethernet cable nor have I used a DB9 serial cable for hardware development in years. The future moves on and this time I think it will show itself to move in exactly the right direction.
The theme of the last Hackaday Prize challenge was Assistive Technologies, and there is perhaps no assistive technology as desperately needed as a device to help people who can’t use common input devices. Using a keyboard, mouse, or touchscreen can be hard, but this Hackaday Prize project turns all these problems into a simple Bluetooth-enabled switch.
The BOSI – the Bluetooth Open Source Switch Interface – is, at its heart, just a big Bluetooth button inside a 3D-printed enclosure designed in Solidworks. These enclosures house a button connected to an Adafruit Bluefruit EZ-Key. Add a battery and a charging circuit, and you have a button that can be pressed by anyone, that connects to any device, and can do anything.
The real trick to a system like this is the software stack, and for this, BOSI can be used with iOS and OS X using the Switch Control interface. Android works, too, and the entire device is exceptionally usable for anyone that can’t use a normal input device. A great entry for the Hackaday Prize.
On the one hand, this is awesome functionality. The browser is the most ubiquitous cross-platform operating system that the world has ever seen. You can serve a website to users running Windows, Linux, Android, iOS, or MacOS and run code on their machines without having to know if it’s a cellphone, a desktop, or a virtual machine in the Matrix. Combining this ubiquity with the ability to control Bluetooth devices is going to be fun. It’s a missing piece of the IoT puzzle.
On the other hand, it’s a security nightmare. It’s bad enough when malicious websites can extract information from files that reside on your computer, but when they connect directly to your lightbulbs, your FitBits, or your BTLE-enhanced pacemaker, it opens up new possibilities for mischief. The good news is that the developers of Web Bluetooth seem to be aware of the risks and are intent on minimizing them, but there are still real concerns. How does security come out in the balance? Read on.
Nothing New, Everything Changes
Of course you could just write a Bluetooth LE application. But then your users have to be able to install it on their computers, on their phones, and on whatever other platforms people will be using in three years — perhaps the dashboard of their flying cars. Web applications are delivered to and deployed on your browser between those funny <script> tags with a click. They run anywhere you can install a browser, and there’s nothing easier.
For home automation applications, this is huge. The same app, a web page, will deploy on your phone and your computer. We can envision reactive websites and cool local controllers. And of course, the opposite — the physical world can react to websites. Web Bluetooth will provide a level of integration in the IoT scene that we frankly hadn’t even thought of, and web designers are salivating at the prospect of getting their bits out into the real world.
For Hackers: Some Assembly Still Required
There’s been a lot of thought put into the new types of threats that Web Bluetooth will open up. If you’re really interested, you should read through the Web Bluetooth draft group report’s security section yourself.
The obvious threats are old news. Attacks like cross-site scripting (XSS) that have been around since forever will be given a new arsenal. If a site you’ve let talk to your device is vulnerable to XSS, the injected script runs with the same Bluetooth grant as the site’s own code, so anyone on the Internet could be connecting to your device. Because of the special sensitivity and power of physical devices, however, web exploits become real-world exploits.
Web Bluetooth will expose more information about the user to the Internet, and the large monopolistic companies that serve as its gatekeepers will profit at the expense of our privacy. Build a BTLE LED that lights up when you have new Gmail? You’ll have to give permissions to Google. Since most Bluetooth devices carry a stable address and name (BLE’s resolvable private addresses exist to frustrate exactly this kind of tracking, but cheap peripherals rarely use them, and the browser only hides the raw address behind a per-site identifier), you can be pretty sure that Google will use this information to track you online, because that’s their business model.
We could just as easily worry about Facebook, especially given their hypocritical (and predictable) about-face on Whatsapp last month. Want to augment your Oculus VR experience with your FitBit? Now Facebook can correlate your heartbeat with which news stories you’re reading or which pictures of your friends you’re viewing. They’ll do it — no conspiracy theory required.
If we hadn’t already lost (or given up entirely on) the battle for privacy online, this would matter. You will be fingerprinted and tracked using Web Bluetooth, more precisely and more persistently than ever before: running in an incognito window or refusing cookies won’t change the physical token attached to your computer. Web Bluetooth runs both ways, connecting the physical world to the web as well.
The Device Itself
Finally, we don’t think it’s too much to assume that many BTLE devices are insecure. The protocol is still fairly new, and it’s significantly more complicated than USB, which still makes our heads spin. The security models underlying BTLE were developed with only local attackers in mind because it is a short-range radio protocol. Web Bluetooth opens BTLE up to all of the baddies out on the Internet, which is a significantly different threat. It’s a good bet that the cheap devices just won’t be designed for it. Even some of the expensive ones will fail.
Take the example of an IP-based child-monitor camera that’s relatively safe when it’s confined inside the firewall of your home router. We all know what happens when they jump out to the broader Internet. It’s probably not a big deal that someone can run a replay attack on your BTLE front door lock — they’d have to be in the neighborhood when you’re using the transmitter to compromise it. It’s totally a big deal when everyone who hits a website gets scanned. (Note: assumption of XSS or other web exploits here.)
The solution proposed by the Web Bluetooth group is basically to have the browser make sure the user knows which device is being connected and which services it will expose to the page: the site has to name the services it wants up front, and the user picks the device from a chooser dialog. While empowering the user is probably the best way to go, it’s still imperfect.
Limiting the page to the services it declared is great, but if the device itself is buggy, an intruder might be able to find a workaround within those services. When a page wants a service it didn’t ask for up front, it has to go back through the chooser, so the user gets a chance to deny it. How many people are going to click “no” when they really wanted to control their (malicious) BTLE lightbulbs? How many users are going to worry about their eroding privacy, for which there is no popup?
It’s not too harsh to say that most of the users out there are uninformed about the new attack surface of Web Bluetooth, and thus unable to make the decision rationally. Heck, we were uninformed just a week ago. And this all assumes that there will be no bugs in the browser, which acts as the user agent in the authorization. Shoving all of the responsibility onto the user seems a bit like passing the buck. They’re all just going to click “OK” all the time. That’s lousy, but we can’t think of anything better.
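To make the permission gate concrete, here is an added example (ours, not code from the Web Bluetooth draft or from any browser) that models in plain JavaScript what the draft describes: a site names the GATT services it wants in requestDevice(), the user picks one device from a chooser, and any later attempt to reach a service that wasn’t named, or that sits on the browser’s blocklist, fails with a SecurityError. The UUID expansion follows the Bluetooth SIG base-UUID rule; the two blocklist entries are ones we recall from the WebBluetoothCG registries repository and are marked as assumptions, so check them against the live file. The real API call at the bottom is for comparison and only works in a browser, from a click, on an https: page.

```javascript
// Added example (not from the article, the draft spec, or any browser): a model of the
// Web Bluetooth permission gate, with the real API call beside it for comparison.

// Bluetooth SIG base UUID: 16-bit assigned number NNNN expands to 0000NNNN-<this suffix>.
const BASE_UUID_SUFFIX = '-0000-1000-8000-00805f9b34fb';

// A handful of standard GATT service names and their assigned numbers (subset of the SIG table).
const STANDARD_SERVICES = {
  device_information: 0x180a,
  heart_rate: 0x180d,
  battery_service: 0x180f,
  human_interface_device: 0x1812,
};

// Normalise the forms Web Bluetooth accepts (standard name, 16-bit number, 128-bit string)
// to canonical lower-case 128-bit form, as BluetoothUUID.getService() does in the browser.
function toServiceUuid(id) {
  if (typeof id === 'number') {
    if (!Number.isInteger(id) || id < 0 || id > 0xffff) throw new TypeError(`bad 16-bit UUID ${id}`);
    return id.toString(16).padStart(8, '0') + BASE_UUID_SUFFIX;
  }
  const s = String(id).toLowerCase();
  if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.test(s)) return s;
  if (s in STANDARD_SERVICES) return toServiceUuid(STANDARD_SERVICES[s]);
  throw new TypeError(`unknown service "${id}"`);
}

function securityError(message) {
  const err = new Error(message);
  err.name = 'SecurityError'; // mirrors the DOMException name the draft uses
  return err;
}

// ASSUMPTION: two services we recall from the browser blocklist, refused no matter what the
// user clicks: HID (0x1812, a page could act as a keyboard) and FIDO U2F (0xFFFD, a page could
// talk to a security key). Verify against the current registry before relying on this.
const GATT_SERVICE_BLOCKLIST = new Set([0x1812, 0xfffd].map(toServiceUuid));

// The only services a site may ever touch are the ones it named in requestDevice(), either in
// a filter or in optionalServices. A request with no filters (and no acceptAllDevices) is
// rejected outright, and naming a blocklisted service is refused before any chooser appears.
function grantedServices({ filters = [], optionalServices = [], acceptAllDevices = false } = {}) {
  if (filters.length === 0 && !acceptAllDevices) {
    throw new TypeError('requestDevice needs filters or acceptAllDevices: true');
  }
  const granted = new Set();
  for (const f of filters) for (const svc of f.services || []) granted.add(toServiceUuid(svc));
  for (const svc of optionalServices) granted.add(toServiceUuid(svc));
  for (const uuid of granted) {
    if (GATT_SERVICE_BLOCKLIST.has(uuid)) throw securityError(`service ${uuid} is on the GATT blocklist`);
  }
  return granted;
}

// Gate a later getPrimaryService() call: returns the canonical UUID if the service was named
// at request time and is not blocklisted, otherwise throws SecurityError. Note that an XSS
// payload running on the page passes this check just as the page's own code does; the gate
// is per site, not per script.
function assertServiceAllowed(granted, service) {
  const uuid = toServiceUuid(service);
  if (GATT_SERVICE_BLOCKLIST.has(uuid) || !granted.has(uuid)) {
    throw securityError(`access to service ${uuid} was not granted at requestDevice time`);
  }
  return uuid;
}

// The real thing, for comparison. The chooser lists only devices advertising heart_rate;
// battery_service is reachable afterwards because it was declared; device_information is not.
const HEART_RATE_REQUEST = {
  filters: [{ services: ['heart_rate'] }],
  optionalServices: ['battery_service'],
};

async function connectHeartRate() {
  // Browser only: requires a user gesture and a secure context; not callable under Node.
  const device = await navigator.bluetooth.requestDevice(HEART_RATE_REQUEST);
  const server = await device.gatt.connect();
  const hr = await server.getPrimaryService('heart_rate'); // declared: allowed
  const measurement = await hr.getCharacteristic('heart_rate_measurement');
  await measurement.startNotifications();
  // server.getPrimaryService('device_information') would reject with SecurityError here,
  // matching assertServiceAllowed(grantedServices(HEART_RATE_REQUEST), 'device_information').
  return device.name;
}
```

The point to take away is that the chooser is a one-time gate at the site level: once the user has picked a device, everything running on that page, including script injected through an XSS hole, gets the same set of services, and the browser’s blocklist is the only thing that holds regardless of what the user clicks.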
The Unknown Unknowns
All of the above is concerned with malicious webpages using the browser to take over your Bluetooth. The idea that bad Bluetooth devices could compromise browsers isn’t on the radar yet. We’re not even exactly sure how this attack would work — maybe a buffer overflow in handling BTLE data? — but we’re sure that some enterprising hacker out there will find a way and write the requisite firmware. Pull this off and you earn a genuine Hackaday Pat-on-the-Back, or a job at a three-letter agency. Your choice.
“With great power comes great responsibility.”
Web Bluetooth should become mainstream in a year or so. We’ll see BTLE become a lot more useful as it becomes simpler to write applications that interact with BTLE devices simply because they are web applications. You can try it out now, if you’re willing to jump through some minor hoops. It sounds like a lot of fun.
Those of you with a security mindset should also have a field day with Web BTLE, and frankly the more eyes on it now the better. (Google pays well for bug bounties.) It adds cool new weapons to old exploits, so you can get creative. The one thing we haven’t figured out is how to get our privacy back.
One of our existing products at work, which I designed about 2 years ago, makes use of the STM32F373 microcontroller interfaced to an AD7767 24-bit sigma-delta ADC, to create a smart sensor.
Whilst at the time of development (Feb 2014) this seemed to be an economical solution, our requirements have changed a little, in that we wish to add Bluetooth Low Energy connectivity, LiPo battery support and the means to drive an OLED display. These functions could be added in the form of an additional PCB (similar to the Arduino shield concept), and provision had been made to accommodate such a board with an expansion connector, but after reviewing all of the costs it was decided that a new approach, and a new dedicated PCB design, would ultimately be preferable.