Okay, so I said in my introductory post that I'm a fan of Arduino,
and hope to get back into that side of my hobbies… And though this
isn't the post I was planning to do as number two, I think it should be.

I went to University to learn Home Automation. Basically. Though I
didn't realise it until I was already there. I was never into
electronics enough to do the whole engineering route, with all that
messy analogue stuff — I much preferred the nice clean and crisp digital
life. Of course, that's not the reality of electronics, but hopefully
you know what I mean. On the flip-side, while programming is definitely a
hobby of mine, and I'm reasonably good at it (at least as good as a
couple friends of mine who are actually in the industry), I don't enjoy
the process as much as I wish I did. My first Arduino Blinky Light
project, however, gave me that warm fuzzy glow of success I've been
craving all these years! (Well, okay, maybe not quite that glowing, but it was a definite step in the right direction…) And I've gotten ahead of myself again…

During Year 12, my science teacher put a small stack of flyers for various
University courses on a table while he talked to us about where we were
planning on going next. At the end, he told us to all come and grab a
couple of the flyers and have a look through them, see if there's
anything we liked. He also picked up one flyer in particular, and
handed it to me, specifically. Now this guy I used to call Mr Smiley,
because he was always smiling. But this was one of the times
when he seemed positively pleased with himself, and as I looked over the
flyer, it just clicked. Embedded Systems. Controlling stuff with
little computers. It was perfect. And that's what I applied to study.

As you can probably guess, I floundered a little bit on the analogue
electronics; I was okay at it, and I passed, but I wasn't fantastic.
Digital electronics, though, building up a basic processor from its
fundamental components, writing its microcode, through to making it run a
simple machine code program using that same microcode, now that was an
experience to behold! (Better than sex, even! Sex is messy and
awkward, especially on your first time, this was beautiful and clean!
…ish…)
Anyhow, my plan was set… I wanted to finish Uni
(I had hoped to do it at Uni, preferably as part of my honours year,
and/or post-grad, but things didn't work out that way, and I quickly
decided I was better off pursuing it later on…), get a job, buy myself a
house (…like now), and deck the crap out of it with Home Automation.
And not that media centre rubbish, but the real stuff — lights, doors,
windows, blinds, aircon, the tea jug, fridge, oven, washing machine,
shower, toilet, you know… all the important things in life. I wanted it
all under my control! (Insert evil laughter here.)

Well… As I think I said something about (or at least intended to) in my
introductory post, that didn't quite go as planned either. In fact,
it's a decade and a half later, and I've done a grand total of two
Arduino projects: one blinky lights tutorial through to turning a simple servo,
and a desk clock. I will say, it's a pretty snazzy little clock (and totally my own creation, unlike the blinky light); a
single 4-digit 7-segment display (with dimming of selected characters —
mostly non-edit characters during configuration, and the likes), an RGB
LED (which was used purely as a quick temperature indicator), and a
single lonesome push button to drive it all. And "it", in that context,
was time (HH:MM, or :SS), temperature (in °C, °F, or °K - it had °R
available too, if you were desperate enough to turn it on in the
configuration, though there's only so much you can do with 7 segments, so I left it off by
default), alarm (HH:MM), and a configuration menu (set the time, zero
the seconds, set the alarm, set display brightness, select the order you
want your temperature measurements to show in, that sort of thing,
complete with little 7-segment animated icon things). Oh, and no buzzer —
that was intended for version 2, along with improved display driving.

Now… In the meantime, I've been watching — and wincing — at the state of
security and privacy in the IoT field, particularly with respect to Home
Automation. All these gadgets, often sporting fairly potent
processors, and bugger all security. Routers, thermostats, TVs, and
all manner of other things being hacked and taken over, sometimes with
the hack lying dormant for months, just gathering information by
monitoring your network traffic, thermostats just waiting until you seem to have
disappeared for a long weekend, or your new smart TV listening in on your conversations, for example. And as much as I love the
Arduino platform, totally want to support Arduino and the fantastic job they're doing, especially love the MKR1000, I have to admit, I'm leaning a little more towards birds of a different feather… Sorry Massimo,
you've done some awesome stuff, and you were the flag that renewed my
interest anew, but you've kind of been left behind a little for me…
(Not your fault, you're doing a whole lot of really good stuff that I
wholeheartedly encourage people to pay attention to, just not so much
that swings my particular way, unfortunately.)

And so I finally get back to what I wanted to say… Right now, we seem to be on
the cusp of something (well, one more something at any rate). The world
has only just woken up to the fact that we need security in our IoT, we
can't just assume that no one's going to hack our refrigerator or TV,
because these things have cameras and/or microphones on them now, amongst
other things, even our internet-controlled light globes are spreading malware, and they're within the primary network defence perimeter
that is, for most people, their internet modem/router. And we're
starting to realise that even the innocuous thermostat stuck to the
wall, might just be harbouring a secret foothold that's watching our
behaviour, looking around to see what else it can sneak into, or trying
to find an opportunity to slip some ransomware onto our computers, and
we'd never know this was even happening because it's just a little
device with a tiny screen (or maybe no screen at all!) and a couple buttons, that we barely even
think about, and which just happens to be exposed on the internet,
fetching weather forecasts or vaguely secured firmware updates with
default passwords on its internet-facing configuration ports. Oh my…
Now, I'm not an expert in all that, there are people much better at talking
about that than me, people whom I listen to myself to keep up to date on
these things. So I'm going to get back to me… and as I sit here with
my busted Arduino desk clock (the dogs got caught in the power cable and
yanked my PC along with the clock sitting atop it all onto the floor
one day, and the clock landed up on the bottom of the pile somehow), I
can't help feeling a little disturbed trying to figure out how to best
go about making sure version 2 has a bit of security as well — because
you just know I'm going to want it to have a web interface of some
kind. You see, the industry has only recently realised they need to
make a move on the issue, and there seems to be a flurry of new products
coming out. But as quickly as new products appear, new chips come
along as well, and you want them because they have better hardware
support, which means you won't be wasting battery power doing so much
crypto gruntwork in software, and so forth. But it takes time for the
Arduinos of the world to pick up and start using them in new products,
and at the same time they're getting too advanced to hack together on a
breadboard or a scrap of veroboard you have lying around, and
unfortunately, I don't have a budget for buying any of these gadgets… at
all. That is, after all, the primary thing that's kept me sliding time
and again from electronics back to merely programming. Arduino allowed
me to start making moves back into electronics, though I have to
admit I often find myself feeling like a noob all over again. Luckily,
this old dog does so enjoy the challenge of learning new tricks…

And then, when you do look at adding secure internet connectivity to your IoT device, to make that little light on the wall flash when you get a tweet, there's this huge disconnect. The internet is big, with protocols designed for computers, packet headers, even larger HTTP headers, and compression. Security is hard, with a ton of complex math, manipulating kilobyte keys and those data buffers again. That's lots of processing power, and storage buffers holding your keys and data… To securely turn a light on and off — a task that can be otherwise accomplished by a dinky little 8-bit µC that draws a few µW of power at most, and less storage than a single good sized cryptography key. Which leads to HUBs. Now, if our IoT devices talk to HUBs, and it's the HUB that does the heavy lifting onto the internet, this works. Except the IoT device is probably using Wi-Fi, that computer protocol that really should have security, which is now being provided only by your router again. And those HUBs — when they exist at all, because people don't want to buy yet another extra piece of hardware — are different for every company, so you need several of them, and each one has to be designed with proper security, because the malware doesn't care about branding! There's a whole world of further discussion just there…

But whether my next steps into the IoT are with the MKR1000, or a feather,
one thing is certain… I for one won't be connecting an embedded
development board direct to the internet, that doesn't
have crypto. Just like it's no longer safe to put a PC online without
the protection of both a firewall and a NAT router, it's not safe for an
IoT device to go out and play among the intertubes without some serious
crypto security, as those many many devices with token efforts at
security (all too often, little more than the absolute minimum required
to be able to use the relevant buzzwords on the packaging) are starting
to discover — mostly at their customers' expense.