Tag Archives: Security

Is your smartwatch stealing your passwords?


A computer science student has demonstrated that software running on a smartwatch could be used to record a user’s passwords and PINs.


Unless you eschew modern technology altogether (such as reading websites), chances are that data on you is being collected. Smartphones are capable enough data sponges, but smartwatches have the potential to extend this reach even further. According to Tony Beltramelli’s master’s thesis for the IT University of Copenhagen, the sensors on the Sony SmartWatch 3 (and likely many other present and future watches) are so accurate that they can be used to sense what button you press on a 12-segment keypad with “above-average” precision.

hackingwatchimage

As seen in the video below, it appears that this ability comes from the user actually moving their hand from button to button. The wearable’s built-in accelerometer and gyroscope can sense these motions and then feed that information into a recurrent neural network. Using a deep learning algorithm, Beltramelli is able to sift through all the “noisy data” and detect patterns for various events, such as when the user moves and taps their finger on a touchscreen to unlock a PIN-protected phone or when the user enters a code on an ATM’s keypad.

Interestingly, as reported in section 6.3 of the thesis, the device did a better job of “touchlogging” — recording virtual keystrokes on a touchscreen — at 73% acuracy, versus “keylogging” — where a physical keyboard is used for input — at 59% accuracy. The touchscreen used was larger in this experiment than the keypad, apparently leading to this discrepancy.

“By their very nature of being wearable, these devices, however, provide a new pervasive attack surface threatening users privacy, among others,” Beltramelli explains. “The goal of this work is to raise awareness about the potential risks related to motion sensors built-in wearable devices and to demonstrate abuse opportunities leveraged by advanced neural network architectures.”

As you can imagine, there are still a few limitations that make this type of approach with a smartwatch impractical as an attack against specific targets. For starters, it only works if the person is using the arm that the gadget is on. So, if you have a watch and are concerned about spying, you can simply strap it onto your less dominant wrist. Or alternatively, you could make a habit of typing with three fingers on numeric keypads.

SmartEverything is like the Swiss Army knife of IoT boards


The SmartEverything dev board is an Arduino form-factor prototyping platform that combines SIGFOX, BLE, NFC, GPS and a suite of sensors.


Announced earlier this year, SmartEverything is an IoT development platform from Arrow Electronics. Living up to its name, the latest iteration of the SoC, dubbed the SmartEverything Foxboasts a familiar Arduino form-factor with an array of factory-bundled I/O ports, sensors and wireless connectivity.

R9015121-01

Impressively, the kit combines SIGFOX, Bluetooth and NFC technologies with GPS and a suite of embedded sensors. An Atmel | SMART D21 at its heart is used to integrate the featured devices, while a SIGFOX module provides IoT enablement.

The SIGFOX standard is energy efficient and wide-transmission-range technology that employs UNB (Ultra Narrow Band) based radio and offers low data-transfer speeds of 10 to 1000 bits per second. However, it is highly energy-efficient and typically consumes only 50μW compared to 5000μW for cellular communication, meaning significantly enhanced battery life for mobile or portable smart devices.

R9015121-03

A Telit LE51-868 S wireless module gives design engineers access to the rapidly expanding SIGFOX cellular wireless network and covers the 863-870MHz unlicensed ISM band. It is preloaded with the SIGFOX network stack and the Telit proprietary Star Network protocol. What’s more, the Telit cloud management software provides easy connection up to the cloud.

Truly like the Swiss Army knife of the IoT, the SmartEverything board is equipped with: an Atmel Crypto Authentication chipset; an 868MHz antenna; a GPS module with embedded antenna for localizations applications, which supports the GPS, QZSS and GLONASS standards, and is Galileo ready; a proximity and ambient light sensor; a capacitive digital sensor for humidity and temperature measurement; a nine-axis 3D accelerometer, a 3D gyroscope and 3D magnetometer combination sensor; a MEMS-based pressure sensor; an NTAG I2C NFC module; and a Bluetooth Low Energy transceiver.

R9015121-04

The SmartEverything measures only 68.8mm x 53.3mm in size, and includes USB connectors, a power jack and an antenna extending that extend the board. The unit can be powered in one of three ways, either through two AA 1.5V batteries (1.4V to 3.2V), a 5 to 45V external supply or a 5V mini-USB connector.

For quick and easy software development, the SmartEverything Fox board is fully supported by the Arduino IDE and Atmel Studio. Can it get any better than that? If you’re looking for an IoT board that does just about everything, you may want to check this SoC out.

This $10 device can predict your next credit card number


MagSpoof is an ATtiny85 based device that can accurately predict your next Amex card number, disable chip-and-PIN and even spoof magnetic stripes wirelessly.


After recently losing his credit card, it wasn’t long before American Express sent Samy Kamkar a replacement. It was that moment in time that the serial hacker noticed something quite peculiar: the digits on the new card were similar to his previous ones. With a little more research, he uncovered a global pattern that would enable him to accurately predict the digits on any subsequent Amex card by knowing the preceding card’s full number.

687474703a2f2f73616d792e706c2f6d616773706f6f662f6d616773706f6f662e6a7067

“This means if I were to obtain your Amex card and you called it in as lost or stolen, the moment you get a new card, I know your new credit card number,” Kamkar explains. “I also know the new expiration date as the expiration date is fixed based on when the new card was requested, and you can determine if the new card has been requested by performing an auth on the existing card.”

Like many of his prior security-focused projects, this discovery yielded another opportunity to highlight a vulnerability. And so MagSpoof was born. Kamkar’s new $10 device is capable of emulating any magnetic stripe or credit card, entirely wirelessly, and storing more than 100 card numbers in various form factors. The unit works by generating an electromagnetic field that’s strong enough to reach a traditional reader’s sensor within close proximity, sending a signal that mimics the card being swiped.

“What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration),” he notes.

687474703a2f2f73616d792e706c2f6d616773706f6f662f636369726f6e2e6a7067

And that’s not all. MagSpoof features a button that employs his prediction algorithm. In order words, if a thief using the device finds out that the card they were trying to imitate had been cancelled, the gadget could instantly determine the victim’s next card number.

“As soon as the card gets declined, you press a button and it switches to the next number,” Kamkar tells WIRED. “It sucks for [Amex users], because they could have their new credit card stolen almost instantly.”

Aside from disabling chip-and-PIN protection (a function that he has since removed), accurately predicting expiration numbers and switching between different Amex cards (even when reported lost or stolen), MagSpoof can be employed for security research in any area that would traditionally require a magstripe, such as readers for drivers licenses, hotel room keys and automated parking lot tickets.

687474703a2f2f73616d792e706c2f6d616773706f6f662f6d657465722d736d616c6c322e676966

As you can tell, the MagSpoof’s hardware doesn’t look anything like a credit card, so a criminal couldn’t just simply hand it to a cashier or waiter without raising any red flags. However, Kamkar points out that he can use a digital credit card device like Coin to store the numbers that his system generates — a technique that would make his trickery much less noticeable.

Impressively, Kamkar built his prototype out of several off-the-shelf components. These included an ATtiny85, a 100mAh 3.7V LiPo battery, a motor driver, an LED, a capacitor, a resistor and some 24AWG magnet wire. He created a smaller version with an ATtiny10 as well. By simply pulsing the H-bridge and activating the coil of wire, the MagSpoof is capable of emulating the swipe of a card. MagSpoof is compatible with the Arduino framework and can work on traditional Arduino boards, as well as ATtiny chips.

According to the hacker, he has notified American Express of the issue and will not exploit their algorithm. Kamkar has made both MagSpoof’s source code and schematics available on GitHub, and elaborates upon his method on his page here.

[h/t WIRED via Samy Kamkar]

Dojo wants to monitor and secure your IoT devices


This IoT security device will notify you of any danger through a wireless, color-coded orb.


With billions of connected things already in existence today, and a few billion more expected in the next two years, the need for security has never been greater. Cognizant of this, one Bay Area startup has come up with an innovative solution that monitors the behavior of smart devices on your network to protect and ensure the privacy of your home. Introducing Dojo.

Dojo

The brainchild of Dojo-Labs, this IoT security system is comprised of a few parts: a white dock that plugs into your Internet gateway, a pebble-like unit which receives alerts over Bluetooth and an accompanying smartphone app that puts control right in the palm of your hand. Whenever activity occurs on the network worth your attention, the light rings on the stone will start to glow in one of three colors — red, yellow and green.

Once connected to your home network, Dojo will add each respective device and begin tracking their activity, informing you of any odd or peculiar behavior. A red light suggests action must be taken, orange signifies that a problem is being fixed, and green denotes that everything is fine.

“Dojo knows when the TV is still recording your voice even if it’s off and when that data is being uploaded to the cloud,” explains Yossi Atias, co-founder and CEO of Dojo-Labs. “We all lock our front doors and yet our devices are wide open. Our homes contain our most intimate data but the security of these things is an afterthought. We created Dojo as the first technology to help us safeguard our homes.”

dojo-app-screens.jpg

Dojo doesn’t examine the incoming and outgoing content on network, but instead analyzes metadata about who the gadgets are talking to and how. The system prevents attacks and detects intrusions through machine learning and behavior tracking. It learns what’s normal for each device and then checks to see whether it’s doing anything differently. Without even having to look at the data or knowing what those threats are, Dojo can block them. It grows increasingly intelligent as new attacks and equipment are introduced.

What’s more, Dojo can sense when something is up and will immediately notify the user by displaying a simple message in the mobile app, while also changing the color emanating from the pebble. You will be prompted to either allow or block the activity, as well as communicate back to the system through that same text-messaging interface.

The Dojo approach to security and its role in the home is incredibly unique and was designed by Gadi Amit and the team at NewDealDesign. With a growing number of appliances coming online, perhaps this could be the solution to put everyone’s mind at ease.

Intrigued? Head over to Dojo’s official page here.

Are you designing for the latest automotive embedded system?


Eventually, self-driving cars will arrive. But until then, here’s a look at what will drive that progression.


The next arrow of development is set for automotive

We all have seen it. We all have read about it in your front-center technology news outlets. The next forefront for technology will take place in the vehicle. The growing market fitted with the feature deviation trend does not appeal to the vision of customizing more traditional un-connected, oiled and commonly leveraged chassis vehicles of today. Instead, ubiquity in smartphones have curved a design trend, now mature while making way for the connected car platform. The awaiting junction is here for more integration of the automotive software stack.  Opportunities for the connected car market are huge, but multiple challenges still exist. Life-cycles in the development of automotive and the mobile industry are a serious barrier for the future of connected cars. Simply, vehicles take much longer to develop than smartphones other portable gadgetry. More integration from vendors and suppliers are involved with the expertise to seamlessly fit the intended blueprint of the design. In fact, new features such as the operating system are becoming more prevalent, while the demand for sophisticated and centrally operated embedded systems are taking the height of the evolution. This means more dependence on integration of data from various channels, actuators, and sensors — the faculty to operate all the new uses cases such as automatic emergency response systems are functionality requiring more SoC embedded system requirements.

A step toward the connected car - ecall and how it works

What is happening now?

People. Process. Governance. Adoption. Let’s look at the similarities stemmed from change. We are going to witness new safety laws and revised regulations coming through the industry. These new laws will dictate the demand for connectivity. Indeed, drawing importance this 2015 year with the requirement set by 2018, European Parliament voted in favor of eCall regulation. Cars in Europe must be equipped with eCall, a system that automatically contacts emergency services directing them to the vehicle location in the event of an emergency. The automotive and mobile industries have different regional and market objectives. Together, all the participants in both market segments will need to find ways to collaborate in order to satisfy consumer connectivity needs. Case in point, Chrysler has partnered with Nextel to successfully connect cars like their Dodge Viper, while General Motors uses AT&T as its mobile development partner.

General Motors selected AT&T as its mobile partner

What is resonating from the sales floor and customer perspective?

The demand is increasing for more sophistication and integration of software in the cabin of cars. This is happening from the manufacturer to the supplier network then to the integration partners — all are becoming more engaged to achieve the single outcome, pacing toward the movement to the connected car. Stretched as far as the actual retail outlets, auto dealers are shifting their practice to be more tech savvy, too. The advent of the smart  vehicle has already dramatically changed the dealership model, while more transformation awaits the consumer.

On the sales floor as well as the on-boarding experience, sales reps must plan to spend an hour or more teaching customers how to use their car’s advanced technology. But still, these are only a few mentioned scenarios where things have changed in relation to cars and how they are sold and even to the point of how they are distributed, owned, and serviced. One thing for certain, though, is that the design and user trend are intersecting to help shape the demand and experience a driver wants in the connected car. This is further bolstered by the fast paced evolution of smartphones and the marketing experiences now brought forth by the rapid adoption and prolific expansion of the mobile industry tethered by their very seamless and highly evolved experiences drawn from their preferred apps.

Today, customer experiences are becoming more tailored while users, albeit on the screen or engaged with their mobile devices are getting highly acquainted with the expectation of “picking up from where I left off” regardless of what channel, medium, device, or platform.  Seamless experiences are breaking through the market.  We witness Uber, where users initialize their click on their smartphone then follows by telemetry promoted from Uber drivers and back to the users smart phone.  In fact, this happens vis versa, Uber driver’s have information on their console showing customer location and order of priority.  Real life interactions are being further enhanced by real-time data, connecting one device to draw forth another platform to continue the journey.  Transportation is one of the areas where we can see real-time solutions changing our day-to-day engagement.  Some of these are being brought forth by Atmel’s IoT cloud partners such as PubNub where they leverage their stack in devices to offer dispatch, vehicle state, and geo fencing for many vehicle platforms.  Companies like Lixar, LoadSmart, GetTaxi, Sidecar, Uber, Lyft are using real-time technologies as integral workings to their integrated vehicle platforms.

The design trajectory for connected cars continues to follow this arrow forward

Cars are becoming more of a software platform where value chain add-ons tied to an ecosystem are enabled within the software tethered by the cloud where data will continue to enhance the experience. The design trajectory for connected cars follow this software integration arrow.  Today, the demand emphasizes mobility along with required connectivity to customer services and advanced functions like power management for electric vehicles, where firmware/software updates further produce refined outcomes in the driver experience (range of car, battery management, other driver assisted functionalities).

Carmakers and mobile operators are debating the best way to connect the car to the web. Built-in options could provide stronger connections, but some consumers prefer tethering their existing smartphone to the car via Bluetooth or USB cable so they can have full access to their personal contacts and playlists. Connected car services will eventually make its way to the broader car market where embedded connections and embedded systems supporting these connections will begin to leverage various needs to integrate traditional desperate signals into a more centrally managed console.

Proliferation of the stack

The arrow of design for connected cars will demand more development, bolstering the concept that software and embedded systems factored with newly-introduced actuators and sensors will become more prevalent. We’re talking about “software on wheels,” “SoC on wheels,” and “secured mobility.”

Design wise, the cost-effective trend will still remain with performance embedded systems. Many new cars may have extremely broad range of sensor and actuator‑based IoT designs which can be implemented on a single compact certified wireless module.

The arrow for connected cars will demand more development bolstering the concept that software and embedded systems factored with newly introduced actuators & sensors will become more prevalent; “software on wheels”, “SoC on wheels” and “secured mobility”.

Similarly, having fastest startup times by performing the task with a high-performance MCU vs MPU, is economic for a designer. It can not only reduce significant bill of materials cost, development resources, sculpted form factor, custom wireless design capabilities, but also minimize the board footprint. Aside from that, ARM has various IoT device development options, offering partner ecosystems with modules that have open standards. This ensures ease of IoT or connected car connectivity by having type approval certification through restrictive access to the communications stacks.

Drivers will be prompted with new end user applications — demand more deterministic code and processing with chips that support the secure memory capacity to build and house the software stack in these connected car applications.

Feature upon feature, layer upon layer of software combined with characteristics drawn from the events committed by drivers, tires, wheels, steering, location, telemetry, etc. Adapted speed and braking technologies are emerging now into various connected car makes, taking the traditional ABS concept to even higher levels combined with intelligence, along with controlled steering and better GPS systems, which will soon enable interim or cruise hands-free driving and parking.

Connected Car Evolution

Longer term, the technological advances behind the connected car will eventually lead to self-driving vehicles, but that very disruptive concept is still far out.

Where lies innovation and change is disruption

Like every eventual market disruption, there will be the in-between development of this connected car evolution. Innovative apps are everywhere, especially the paradigm where consumers have adopted to the seamless transitional experiences offered by apps and smartphones. Our need for ubiquitous connectivity and mobility, no matter where we are physically, is changing our vehicles into mobile platforms that want us users to seamlessly be connected to the world. This said demand for connectivity increases with the cost and devices involved will become more available. Cars as well as other mobility platforms are increasingly becoming connected packages with intelligent embedded systems. Cars are offering more than just entertainment — beyond providing richer multimedia features and in-car Internet access.  Further integration of secure and trusted vital data and connectivity points (hardware security/processing, crypto memory, and crypto authentication) can enable innovative navigation, safety and predictive maintenance capabilities.

Carmakers are worried about recent hacks,  especially with issues of security and reliability, making it unlikely that they will be open to every kind of app.  They’ll want to maintain some manufactured control framework and secure intrusion thwarting with developers, while also limiting the number of apps available in the car managing what goes or conflicts with the experience and safety measures.  Importantly, we are taking notice even now. Disruption comes fast, and Apple and others have been mentioned to enter this connected car market. This is the new frontier for technological equity scaling and technology brand appeal. Much like what we seen in the earlier models of Blackberry to smartphones, those late in the developmental evolution of their platforms may be forced adrift or implode by the market.

No one is arguing it will happen. Eventually, self-driving cars will arrive.  But for now, it remains a futuristic concept.

What can we do now in the invention, design and development process?

The broader output of manufactured cars will need to continue in leveraging new designs that take in more integration of traditional siloed integration vendors so that the emergence of more unified and centrally managed embedded controls can make its way. Hence, the importance now exists in the DNA of a holistically designed platform fitted with portfolio of processors and security to take on new service models and applications.

This year, we have compiled an interesting mixture of technical articles to support the development and engineering of car access systems, CAN and LIN networks, Ethernet in the car, capacitive interfaces and capacitive proximity measurement.

In parallel to the support of helping map toward the progress and evolution of the connected car, a new era of design exists. One in which the  platform demands embedded controls to evenly match their design characteristics and application use cases. We want to also highlight the highest performing ARM Cortex-M7 based MCU in the market, combining exceptional memory and connectivity options for leading design flexibility. The Atmel | SMART ARM Cortex-M7 family is ideal for automotive, IoT and industrial connectivity markets. These SAM V/E/S family of microcontrollers are the industry’s highest performing Cortex-M microcontrollers enhancing performance, while keeping cost and power consumption in check.

So are you designing for the latest automotive, IoT, or industrial product? Here’s a few things to keep in mind:

  • Optimized for real-time deterministic code execution and low latency peripheral data access
  • Six-stage dual-issue pipeline delivering 1500 CoreMarks at 300MHz
  • Automotive-qualified ARM Cortex-M7 MCUs with Audio Video Bridging (AVB) over Ethernet and Media LB peripheral support (only device in the market today)
  • M7 provides 32-bit floating point DSP capability as well as faster execution times with greater clock speed, floating point and twice the DSP power of the M4

We are taking the connected car design to the next performance level — having high-speed connectivity, high-density on-chip memory, and a solid ecosystem of design engineering tools. Recently, Atmel’s Timothy Grai added a unveiling point to the DSP story in Cortex-M7 processor fabric. True DSPs don’t do control and logical functions well; they generally lack the breadth of peripherals available on MCUs. “The attraction of the M7 is that it does both — DSP functions and control functions — hence it can be classified as a digital signal controller (DSC).” Grai quoted the example of Atmel’s SAM V70 and SAM V71 microcontrollers are used to connect end-nodes like infotainment audio amplifiers to the emerging Ethernet AVB network. In an audio amplifier, you receive a specific audio format that has to be converted, filtered, and modulated to match the requirement for each specific speaker in the car. Ethernet and DSP capabilities are required at the same time.

“The the audio amplifier in infotainment applications is a good example of DSC; a mix of MCU capabilities and peripherals plus DSP capability for audio processing. Most of the time, the main processor does not integrate Ethernet AVB, as the infotainment connectivity is based on Ethernet standard,” Grai said. “Large SoCs, which usually don’t have Ethernet interface, have slow start-up time and high power requirements. Atmel’s SAM V7x MCUs allow fast network start-up and facilitate power moding.”

Atmel has innovative memory technology in its DNA — critical to help fuel connected car and IoT product designers. It allows them to run the multiple communication stacks for applications using the same MCU without adding external memory. Avoiding external memories reduces the PCB footprint, lowers the BOM cost and eliminates the complexity of high-speed PCB design when pushing the performance to a maximum.

Importantly, the Atmel | SMART ARM Cortex-M7 family achieves a 1500 CoreMark Score, delivering superior connectivity options and unique memory architecture that can accommodate the said evolve of the eventual “SoC on wheels” design path for the connected car.

How to get started

  1. Download this white paper detailing how to run more complex algorithms at higher speeds.
  2. Check out the Atmel Automotive Compilation.
  3. Attend hands-on training onboard the Atmel Tech on Tour trailer. Following these sessions, you will walk away with the Atmel | SMART SAM V71 Xplained Ultra Evaluation Kit.
  4. Design the newest wave of embedded systems using SAM E70, SAM S70, or SAM V70 (ideal for automotive, IoT, smart gateways, industrial automation and drone applications, while the auto-grade SAM V70 and SAM V71 are ideal for telematics, audio amplifiers and advanced media connectivity).

IMG_3659

[Images: European Commission, GSMA]

Develop secure IoT apps with the Atmel Certified-ID platform


The Atmel Certified-ID security platform prevents unauthorized reconfiguration of an edge node to access protected resources on the network.


Atmel has announced a comprehensive security platform that enables businesses of all sizes to assign certified and trusted identities to devices joining the secure Internet of Things. The Atmel Certified-ID security platform prevents unauthorized reconfiguration of an edge node to access protected resources on the network. This new platform is available on the Atmel SmartConnect Wi-Fi, Bluetooth, Bluetooth Smart and ZigBee solutions that connect directly to Atmel Cloud Partners, providing a secure turnkey solution for IoT edge node-to-cloud connection.

Sec

The Atmel Certified-ID platform delivers a distributed key provisioning solution, leveraging internal key generation capabilities of the ATECC508A CryptoAuthentication device, without invoking large scale infrastructure and logistics costs. This platform even allows developers to create certified and trusted identities to any device before joining an IoT network.

With billions of devices anticipated by 2020 in the rapidly growing IoT market, security is a critical element to ensuring devices can safely and conveniently access protected assets through the Internet. Today, secure identities are commonly created through a centralized approach where IoT device keys and certificates are generated offline and managed in secure databases in Hardware Security Modules (HSM) to protect the keys. These keys are then programmed into the IoT devices by connecting the HSM to automation equipment during device manufacturing. This approach is indispensable in large deployments consisting of millions of devices. It can also entail significant upfront costs in infrastructure and logistics which must be amortized over a large number of devices for cost effectiveness.

By utilizing the unique internal key generation capabilities of ATECC508A device, the recently-unveiled platform enables decentralized secure key generation, making way for distributed IoT device provisioning regardless of scale. This method eliminates the upfront costs of the provisioning infrastructure which can pose a significant barrier in deploying devices in smaller scales. On top of that, developers will be able to create secure IoT devices compatible with partner cloud services and to securely join ecosystems.

Atmel is currently working with several cloud service companies, including Proximetry and Exosite, on the Certified-ID platform. These collaborations will give developers a wide range of ecosystem partners to choose from for a secure connection between the edge nodes and the IoT. Other partners will be announced as they are integrated in the Certified-ID platform.

“As a leader in the security space with a track record of over two decades, enabling secure networks of all sizes is our mission,” said Nuri Dagdeviren, Atmel Vice President and General Manager of Secure Products Group. “Streamlining secure processes and simplifying deployment of real world secure networks will be key to unlocking the potential and enabling rapid growth of IoT. We will continue delivering industry-leading solutions in security, a critical element in enabling billions of ‘things’ to be connected to the cloud.”

banner_AT88CKECCROOT-SIGNER

Atmel now offers security provisioning tool kits to enable independent provisioning for pilot programs or production runs when used in conjunction with the ATECC508A ICs. These devices are pre-provisioned with internally generated unique keys, associated certificates, and certification-ready authentication once it is connected to an IoT ecosystem.

Developers will need two kits to securely provision their gadgets: the AT88CKECCROOT tool kit, a ‘master template’ that creates and manages certificate root of trust in any ecosystem, and the AT88CKECCSIGNER tool kit, a production kit that enables partners to provision IoT devices.

The AT88CKECCSIGNER kit lets designers and manufacturers generate tamper-resistant keys and security certifications requiring hardware security in their IoT applications. These keys provide the level of trust demanded by network operators and allows system design houses to provision prototypes in-house—saving designers overall investment costs.

The tool kits also include an easy-to-use graphical user interface that allow everyone to seamlessly provision their IoT devices with secure keys and certificates without special expertise. With distributed provisioning, developers are not required to use expensive HSM for key management and certificate acquisition fees.

In addition to secure IoT provisioning, the new Certified-ID platform provides high-quality random number generation to guarantee a diverse set of public and private keys. It delivers solutions to a variety of IoT security needs including node anti-cloning protection, data confidentiality, secure boot, and secure firmware upgrades over-the-air. The tamper resistance built into the ATECC508A device continues to provide the desired protection even when the device is under physical attack.

Ready for the Internet of Trusted Things? Both the Atmel AT88CKECCROOT and AT88CKECCSIGNER are available today.

A $10 USB charger can record your keystrokes wirelessly


A security researcher has developed a USB wall charger that can eavesdrop on nearly every Microsoft keyboard.


Although we shared this discreet hack from Samy Kamkar back in January, a recent tweet from Lifehacker triggered our memory and we just had to share again! KeySweeper is an Arduino-based keylogger for Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol) that is cleverly camouflaged as a functioning USB wall charger. The stealthy ATmega328 driven device can sniff, decrypt, log and report back all keystrokes — saving users both locally and online.

keysweepersmall

Keystrokes are then relayed back to the KeySweeper operator over the Internet via an optional GSM chip, or can be stored on a flash chip and delivered wirelessly when a secondary KeySweeper comes within range of the target KeySweeper. In fact, the well-known hardware hacker suggests that an effective reach of KeySweeper is that of a typical Bluetooth device, but could be extended using a low-noise amplifier. A web-based tool enables the live keystroke monitoring.

spysmall

Users can set up SMS alerts that are triggered when certain keystrokes in the form of words, usernames or URLS are being typed, e.g. “bank” or heck, even “www.atmel.com.” (*Shameless SEO plug.*) If KeySweeper is removed from AC power, it will give off the impression that it is shut off; however, the inconspicuous gadget continues to operate covertly using an internal battery that is automatically recharged upon reconnecting to AC power.

As you are well aware, wireless keyboards have become a popular option for users wanting to connect to a laptop. Kamkar said he picked Microsoft’s keyboards after going into Best Buy and seeing which models seemed to be the most prevalent. Such units often encrypt their data before sending it wirelessly, but Kamkar claims to have discovered multiple bugs that make it easy to decrypt. While the researcher hasn’t tested the device on every Microsoft keyboard, he does believe that due to given their similarities, they will all be affected.

The KeySweeper project builds on previous work from Travis Goodspeed, Thorsten Schröder and Max Moser around the megaAVR controlled KeyKeriki.

internal

Kamkar says the cost for KeySweeper can range anywhere from $10 to $80, depending on the operation and its necessary functions. Aside from the Arduino Pro Mini that he selected for its size, other components include:

  • nRF24L01+ 2.4GHz RF chip which communicates using GFSK over 2.4GHz
  • AC USB charger for converting AC power to 5v DC.
  • (Optional) A SPI Serial Flash chip can be used to store keystrokes on.
  • (Optional) Adafruit FONA which allows you to use a 2G SIM card to send/receive SMS, phone calls, and use the Internet directly from the device.
  • (Optional, if using FONA) The FONA requires a mini-SIM card — not a micro SIM.
  • (Optional, if using FONA): The FONA provides on-board LiPo/LiOn battery recharging, and while KeySweeper is connected to AC power, the battery will be kept charged, but is required nonetheless.

nrfgf2small

It should be noted that the hacker does say a Teensy MCU can be used in place of the ‘duino. As for the software, the primary code is installed on the microcontroller, while the web-based backend uses jQuery and PHP to log all keystrokes and provide an interface for live monitoring of target keyboards. KeySweeper’s source code and schematic are available on GitHub.

Intrigued? You can access the entire build on Kamkar’s official page.