Tag: security

  • Opta: Enhanced cybersecurity after HWG Sababa’s testing


    Reading Time: 2 minutes

    Connecting machines and equipment to the internet became easier than ever when we launched the Arduino Opta micro PLC, enabling real-time control, monitoring, predictive maintenance and more – in industries ranging from smart agriculture to large-scale manufacturing to building automation. 

    Supporting our well-known Arduino sketch programming experience and any of the five IEC 61131-3 PLC standard languages, the Opta was designed to be powerful yet easy to use from the start – as well as highly secure. Indeed, the Opta supports OTA firmware updates and ensures data security from the hardware to the Cloud thanks to the physical onboard secure element and X.509 Standard compliance. 

    In addition, as part of the go-to-market for this innovative hardware solution, we actively committed to verifying its security against the threats posed by cyberattacks. 

    To this end, in late 2023 we started a collaboration with global cybersecurity provider HWG Sababa: their Offensive Team engaged in a penetration test that lasted weeks, assessing Opta’s security posture and pinpointing any weaknesses. Their meticulous report allowed us to remedy any vulnerabilities before they became actual issues, and now we are proud to say the Opta is more secure than ever.

    The software patches and configuration updates we carried out are part of our ongoing commitment to providing you with the most robust solutions on the market in every respect – including against ever-evolving cyber threats. The rigorous testing process and the follow-up activities our team completed only confirm Opta as an ideal candidate for any industrial automation project you have in mind.

    To find out more about the testing process itself, check out the case study published by HWG Sababa.

    The post Opta: Enhanced cybersecurity after HWG Sababa’s testing appeared first on Arduino Blog.


  • Arduino Cloud is ISO 27001 certified


    Reading Time: 2 minutes

    At Arduino, we embrace security as an integral part of the development lifecycle in order to provide secure hardware, software, and digital services to our customers. That’s why we are happy to announce that Arduino Cloud services are now certified for ISO/IEC 27001:2013 (ISO 27001).

    ISO 27001 is an internationally recognized standard that provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard sets out the requirements for managing information security risks and protecting sensitive information within an organization. ISO 27001 takes a systematic and risk-based approach to ensure the confidentiality, integrity, and availability of information assets.

    In the words of our CIO Stefano Visconti: “This certification and the review from an external auditor are helping us to ensure that our internal security processes are robust and complete, fully aligned with the ISO27001 standard, so that we can offer secure and reliable services in Arduino Cloud.”

    “We are all experiencing the crucial importance of information security, and we can only be pleased to give the ISO 27001 certification to Arduino Cloud,” says Massimo Alvaro, Italy Managing Director for Business Assurance at DNV. “Our audits confirmed that Arduino Cloud is proactively managing and protecting their information assets and managing and mitigating security events.”

    Our compliance with ISO 27001 demonstrates that Arduino is committed to the best possible security posture for Arduino Cloud services, thus ensuring the best possible protection from cybersecurity risks for Arduino Cloud users.

    You can read more about security at Arduino here.

    The post Arduino Cloud is ISO 27001 certified appeared first on Arduino Blog.


  • How a Smart Home Can Be A Safer Home


    Reading Time: 4 minutes

    Security is one of the things we value most in our homes. A home is somewhere to feel safe, protected from the harms of the outside world. As a result, we tend to invest a lot of money in security features like well-locked doors, alarms, and cameras.

    Most of the tools we use to keep our homes safe are decades or even centuries old. Can smart technology and automation help make our homes even safer? In this article, we’ll take a look at some of the ways you can use automation and other tools to keep your smart home as secure as possible.

    Smart home security

    There are lots of ways you can harness technology to improve the security of your home, such as:

    • Smart doorbells with attached cameras that film whoever rings your doorbell and transmit the video to your smartphone. This lets you quickly see who is at your door and alerts you to suspicious behavior, even when you’re not at home.
    • Smart alarm systems that use sensors to monitor movement around your home and send alerts to your phone. These can also use camera footage to record any suspicious activity.
    • Smart locks that let you open your doors with a digital keypad or even an app on your phone.

    Project examples

    Let’s take a look at some smart home security projects from the Arduino community.

    Auto-locking door

    Arduino member Jayesh Naweni wanted to build a password-based door locking system. The project involved creating a keypad where you can enter the password and unlock the door without the need for carrying any keys.

    This type of project is very simple to get started, requires only a few materials, and can be done by someone with a beginner-level understanding of programming.

    Home automation and security system

    Hussien Mohamed and Ahmed Ismail built this home automation and security system with 1Sheeld.

    The project works by using a sensor which detects movement outside the door of your home. When it detects you, an LED will switch on and you’ll be required to say a specific, pre-set password to gain access. If it’s correct, this will trigger another LED and a music player and you will be allowed to enter. If you say the wrong password, a buzzer will sound and the camera will capture a photo of you (or your intruder) and post it on Twitter.

    This system also helps keep the home safe by detecting if the water and gas in your kitchen pass a certain threshold. If so, you’ll receive an alert on your phone and the fan will be turned on to push gas out of the home.

    IoT Home Security Model

    Aaron Kow built this entire IoT security model as the final year project submission during his last year of engineering at University. It’s designed to be remotely accessible from any smart device or PC, allowing you to quickly stay on top of the security of your entire home.

    The project relies on multiple sensors set up throughout the house. When the system is activated, any harmful activities taking place will be detected and a message alert will be sent to the homeowner.

    On top of this, data collected by the sensors will be stored in the cloud and displayed on a website via a custom web-based application. This allows you to monitor any suspicious activity that takes place in real time. The project also features Access Control Technology, using the “Near Field Communication” approach that can recognize trusted individuals with the right to enter the house.

    Create a safer home with Arduino

    Smart homes are often safer homes. It’s fairly easy to build simple home security systems, drawing on technologies like automation and the cloud to detect intruders, alert you to any suspicious activity, and make it easier for you to protect your home and the people in it.

    Arduino’s products can help you do this, and it doesn’t take long to learn the basics and start putting together your own cloud projects for all kinds of fascinating purposes. Visit our homepage to find out more and get started.


  • Introducing the Arduino secure boot


    Reading Time: 5 minutes

    To increase the range of features and firmware safety of Arduino products, we decided to release a new bootloader based on MCUboot. Here is a quick introduction on everything you need to know about it.

    Introduction to MCUboot

    MCUboot is a secure bootloader solution offering fail-safe firmware authentication and secure firmware update mechanism, plus many other functionalities such as update encryption, update rollback, and application bootstrap.

    MCUboot does not depend on any specific hardware or operating system; as of this writing, the following RTOSes are supported: Zephyr, NuttX, Mynewt, and Mbed.

    Our efforts have been focused on keeping things simple and reusing the existing OTA design in place on Arduino boards.

    MCUboot base blocks

    To access the microcontroller flash, MCUboot relies on the operating system driver layer. MCUboot supports multi-image booting, therefore its configuration can be difficult; for a basic MCUboot setup two flash areas have to be defined.

    • SLOT 0: Represents the portion of flash containing the current application image;
    • SLOT 1: Represents the portion of flash containing the update application image.

    An additional flash area, called SCRATCH, is needed to support MCUboot’s swap-scratch algorithm.

    Arduino MCUboot scratch

    For switching between slot 1 and slot 0, MCUboot offers multiple algorithms:

    • Overwrite: This is the basic upgrade method supported by MCUboot; it simply copies SLOT 1 over SLOT 0. Rollback is not supported, but it is the fastest way to upgrade an image.
    • Swap Scratch: This upgrade method relies on an extra flash area where data is temporarily stored during image swapping. It lets us recover the initial application image if something is not working with the updated one. One of the major drawbacks of this method is flash wear-out, because the scratch area is written and erased multiple times during a swap.
    • Swap Move: Instead of using an external scratch area, this upgrade method uses some extra space inside SLOT 0. The main advantage of swap move over swap scratch is the reduced wear on the flash.

    To be able to perform all operations and checks, MCUboot needs to store some metadata alongside the application image. This is done using a tool called imgtool that processes the application binary image, reserving space and adding all the required information to perform image verification and implement a fault-tolerant swap.

    Looking into an image slot in more detail we can split it into these flash areas:

    • Header: Mostly used to indicate the length of the other parts of the slot: header size, code size and TLV size. It also includes the application load address and the slot magic number used to identify a compatible MCUboot image.
    • Code: The application binary.
    • TLV: A sequence of tag-length-value records, for example the image hash, the key hash and the image signature.
    • Trailer: Used to store swap status during image swaps.
    Arduino MCUboot flash areas

    In order to support Arduino OTA, the update file is written to memory and processed by the bootloader to update the application. On Portenta products, the file is placed in the second partition of the board’s QSPI flash, which means that SLOT 1 lives in the QSPI flash. The default swap method is swap scratch, and the scratch region, mapped to a file called scratch.bin, is also placed in the QSPI flash. When encrypted images are used, firmware copies between external memories are always kept encrypted: by default, MCUboot decrypts an update, taking care of the needed offsets, before writing it into the scratch area, so an extra step re-encrypts the whole scratch data before it is written. Likewise, when images are rolled back, data read from the unencrypted internal memory is encrypted before being written into SLOT 1.

    Note: Using this flash layout, it’s possible to load an update over the Internet, mounting the device as mass storage or using its DFU interface.

    Arduino MCUboot flash layout

    When a new update is available and marked as pending at the next reset, MCUboot will take care of swapping the slots and applying the new application image.

    Security aspects

    MCUboot uses two different keys to provide image signature verification and image encryption. For image signature verification the private key is used by imgtool to sign the update, and the public key is used by MCUboot to verify it.

    For image encryption the elliptic curve integrated encryption scheme (ECIES) is used with a secp256r1 ephemeral keypair and a random AES key used to encrypt the image.

    In both cases MCUboot needs its own half of the key pair: the public key that verifies image signatures and the private key that unwraps the image-encryption key. Therefore, they are saved in the flash memory alongside the bootloader binary.

    Looking closely at the bootloader flash sector we will find the following data:

    Arduino MCUboot bootloader

    By default, no keys are loaded in flash, and the bootloader will boot any sketch. Once the keys are loaded, MCUboot will always verify the image signature and boot only valid sketches; if it detects an encrypted update by reading the TLVs, it will unwrap the encryption key and decrypt the image on the fly while moving it into the internal flash.
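To make the slot layout (header, code, TLV) described earlier and the TLV-driven checks in this section concrete, here is an added Python example that is not Arduino's or MCUboot's code: it lays out a constructed image the way imgtool would, then parses it, recomputes the SHA-256 that the hash TLV must match, and reads the TLVs to tell whether an update is encrypted. Header fields and TLV tags follow MCUboot's bootutil/image.h; the ENC_EC256 record content is a placeholder, not a real wrapped key.

```python
import hashlib
import struct

# Constants from MCUboot's bootutil/image.h (header struct, TLV magics, TLV tags)
IMAGE_MAGIC = 0x96F3B83D
IMAGE_HEADER_FMT = "<IIHHIIBBHII"  # magic, load_addr, hdr_size, protect_tlv_size,
                                   # img_size, flags, version (maj, min, rev, build), pad
IMAGE_TLV_INFO_MAGIC = 0x6907       # start of the (unprotected) TLV area
IMAGE_TLV_PROT_INFO_MAGIC = 0x6908  # start of the protected TLV area, covered by the hash
IMAGE_TLV_KEYHASH = 0x01
IMAGE_TLV_SHA256 = 0x10
IMAGE_TLV_ECDSA256 = 0x22
IMAGE_TLV_ENC_EC256 = 0x32          # ECIES-P256 wrapped AES key: marks an encrypted image
TLV_NAMES = {IMAGE_TLV_KEYHASH: "KEYHASH", IMAGE_TLV_SHA256: "SHA256",
             IMAGE_TLV_ECDSA256: "ECDSA256", IMAGE_TLV_ENC_EC256: "ENC_EC256"}


def parse_header(blob):
    """Decode the 32-byte image header at the start of a slot."""
    (magic, load_addr, hdr_size, prot_size, img_size, flags,
     major, minor, rev, build, _pad) = struct.unpack_from(IMAGE_HEADER_FMT, blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image: magic 0x%08x" % magic)
    return {"load_addr": load_addr, "hdr_size": hdr_size, "protect_tlv_size": prot_size,
            "img_size": img_size, "flags": flags,
            "version": "%d.%d.%d+%d" % (major, minor, rev, build)}


def _parse_tlv_area(blob, offset, expected_magic):
    """Walk one TLV area: a 4-byte info header, then (tag, length, value) records."""
    magic, total = struct.unpack_from("<HH", blob, offset)
    if magic != expected_magic:
        raise ValueError("bad TLV info magic 0x%04x at offset %d" % (magic, offset))
    end, pos, records = offset + total, offset + 4, []
    while pos + 4 <= end:
        tag, length = struct.unpack_from("<HH", blob, pos)
        pos += 4
        records.append((tag, bytes(blob[pos:pos + length])))
        pos += length
    return records, end


def parse_image(blob):
    """Return (header, protected_tlvs, tlvs) for a slot's contents."""
    hdr = parse_header(blob)
    offset = hdr["hdr_size"] + hdr["img_size"]   # the code ends here, the TLVs begin
    protected = []
    if hdr["protect_tlv_size"]:
        protected, offset = _parse_tlv_area(blob, offset, IMAGE_TLV_PROT_INFO_MAGIC)
    tlvs, _ = _parse_tlv_area(blob, offset, IMAGE_TLV_INFO_MAGIC)
    return hdr, protected, tlvs


def verify_sha256(blob):
    """The SHA256 TLV must equal the hash of header + code + protected TLVs;
    the signature TLV (not built here) signs that same hash."""
    hdr, _protected, tlvs = parse_image(blob)
    hashed_len = hdr["hdr_size"] + hdr["img_size"] + hdr["protect_tlv_size"]
    stored = [value for tag, value in tlvs if tag == IMAGE_TLV_SHA256]
    return len(stored) == 1 and stored[0] == hashlib.sha256(blob[:hashed_len]).digest()


def is_encrypted(tlvs):
    """An update is encrypted when its TLV area carries a wrapped image key."""
    return any(tag == IMAGE_TLV_ENC_EC256 for tag, _ in tlvs)


def build_image(code, header_size=0x200, version=(1, 0, 0, 0), encrypted=False):
    """Constructed sample: lay out an image as imgtool does, minus the signature.
    The ENC_EC256 value is a 4-byte placeholder, not a real wrapped key."""
    major, minor, rev, build = version
    header = struct.pack(IMAGE_HEADER_FMT, IMAGE_MAGIC, 0, header_size, 0,
                         len(code), 0, major, minor, rev, build, 0)
    body = header.ljust(header_size, b"\x00") + code   # header padded to hdr_size
    records = struct.pack("<HH", IMAGE_TLV_SHA256, 32) + hashlib.sha256(body).digest()
    if encrypted:
        records += struct.pack("<HH", IMAGE_TLV_ENC_EC256, 4) + b"\x00" * 4
    return body + struct.pack("<HH", IMAGE_TLV_INFO_MAGIC, 4 + len(records)) + records
```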

    Click below to give the Arduino MCUboot a try, and join us on social media or in the forums to tell us what you think!


  • Arduino Security Primer


    Reading Time: 5 minutes

    SSL/TLS stack and HW secure element

    At Arduino, we are hard at work to keep improving the security of our hardware and software products, and we would like to run you through how our IoT Cloud service works.

    The Arduino IoT Cloud’s security is based on three key elements:

    • The open-source library ArduinoBearSSL, which implements the TLS protocol on Arduino boards;
    • A hardware secure element (Microchip ATECCX08A) to guarantee authenticity and confidentiality during communication;
    • A device certificate provisioning process to allow client authentication during MQTT sessions.

    ArduinoBearSSL

    In the past, it has been challenging to create a complete SSL/TLS library implementation on embedded (constrained) devices with very limited resources. 

    An Arduino MKR WiFi 1010, for instance, only has 32KB of RAM while the standard SSL/TLS protocol implementations were designed for more powerful devices with ~256MB of RAM.

    As of today, a lot of embedded devices still do not properly implement the full SSL/TLS stack and fail to provide good security because they misuse or strip functionality from the library. For example, we found that many off-brand boards use code that does not actually validate the server’s certificate, making them an easy target for server impersonation and man-in-the-middle attacks.

    Security is paramount to us, and we do not want to make compromises in this regard when it comes to our offering in both hardware and software. We are therefore always looking at “safe by default” settings and implementations. 

    Particularly in the IoT era, operating without specific security measures in place puts customers and their data at risk.

    This is why we wanted to make sure the security standards adopted nowadays in high-performance settings are ported to microcontrollers (MCUs) and embedded devices.

    Back in 2017, while looking at different SSL/TLS libraries supporting TLS 1.2 and modern cryptography (something that could work with very little RAM/ROM footprint, have no OS dependency, and be compatible with the embedded C world), we decided to give BearSSL a try.

    BearSSL: What is it?

    BearSSL provides an implementation of the SSL/TLS protocol (RFC 5246) written in C and developed by Thomas Pornin.

    Optimized for constrained devices, BearSSL aims at small code footprint and low RAM usage. As per its guiding rules, it tries to find a reasonable trade-off between several partly conflicting goals:

    • Security: defaults should be robust and using patently insecure algorithms or protocols should be made difficult in the API, or simply not possible;
    • Interoperability with existing SSL/TLS servers; 
    • Allowing lightweight algorithms for CPU-challenged platforms; 
    • Be extensible with strong and efficient implementations on big systems where code footprint is less important.

    BearSSL and Arduino

    Our development team picked it as an excellent starting point for making BearSSL fit our Arduino boards, focusing on both security and performance.

    The firmware developers team worked hard on porting BearSSL to Arduino bundling it together as a very nice and open-source library: ArduinoBearSSL.

    Because the computational effort of running a crypto algorithm is high, we decided to offload part of this task to hardware, using a secure element (we often call it a “crypto chip”). Its advantages are:

    • It makes cryptographic operations faster;
    • You are not forced to spend all the available RAM of your device on these demanding tasks;
    • It stores private keys securely (more on this later);
    • It provides a true random number generator (TRNG).

    How does the TLS protocol work?

    TLS uses both asymmetric and symmetric encryption. Asymmetric encryption is used during the TLS handshake between the client and the server to exchange the shared session key for communication encryption. The algorithms commonly used in this phase are based on Rivest-Shamir-Adleman (RSA) or Diffie-Hellman algorithms. 

    TLS 1.2 Handshake flow

    After the TLS handshake, the client and the server both have a session key for symmetric encryption (e.g. algorithms AES 128 or AES 256).

    The TLS protocol is an important part of our IoT Cloud security model because it guarantees an encrypted communication between the IoT devices and our servers.

    The secure element

    In order to save memory and improve security, our development team has chosen to introduce a hardware secure element to offload part of the cryptography algorithms computational load, as well as to generate, store, and manage certificates. For this reason, on the Arduino MKR family, Arduino Nano 33 IoT and Arduino Uno WiFi Rev2, you will find the secure element ATECC508A or ATECC608A manufactured by Microchip.

    How do we use the secure element?

    A secure element is an advanced hardware component able to perform cryptographic functions. We have decided to include it on our boards to guarantee two fundamental security properties in IoT communication:

    • Authenticity: You can trust who you are communicating with;
    • Confidentiality: You can be sure the communication is private.

    Moreover, the secure element is used during the provisioning process to configure the Arduino board for Arduino IoT Cloud. In order to connect to the Arduino IoT Cloud MQTT broker, our boards don’t use a standard credentials authentication (username/password pair). We rather opted for implementing a higher-level authentication, known as client certificate authentication.

    How does the Arduino provisioning work?

    The whole process is possible thanks to an API, which exposes an endpoint a client can interact with.

    As you can see in the diagram below, first the Client requests to register a new device on Arduino IoT Cloud via the API, to which the server (API) returns a UUID (Universally Unique IDentifier). At this point, the user can upload the sketch Provisioning.ino to the target board. This code is responsible for multiple tasks:

    • Generating a private key using the ATECCX08A and storing it in a secure slot that can only be read by the secure element;
    • Generating a CSR (Certificate Signing Request) using the device UUID as Common Name (CN) and the generated private key to sign it;
    • Storing the certificate signed by Arduino acting as the authority.

    After the CSR generation, the user sends it via the API to the server and the server returns a certificate signed by Arduino. This certificate is stored, in a compressed format, in a slot of the secure element (usually in slot 10) and it is used to authenticate the device to the Arduino IoT Cloud.
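The provisioning steps above, worked through in Python with the cryptography package as an added example; this is not Arduino's provisioning code. Software keys stand in for the ATECCX08A slot key, a constructed CA stands in for Arduino's signing authority, and the API/UUID exchange is reduced to a function argument.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def cert_common_name(cert_or_csr):
    """Return the Common Name of a certificate or CSR subject."""
    return cert_or_csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_ca(name="Constructed Test CA"):
    """Constructed CA standing in for Arduino's signing authority."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now())
            .not_valid_after(_now() + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def device_make_csr(device_uuid):
    """Device side: generate a P-256 key (on a board it lives in a secure-element
    slot and never leaves it) and sign a CSR whose CN is the UUID the API returned."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_uuid)]))
           .sign(key, hashes.SHA256()))
    return key, csr


def ca_issue_device_cert(ca_key, ca_cert, csr, expected_uuid, days=365):
    """Server side: accept only a self-consistent CSR for the UUID it handed out,
    and issue a leaf certificate restricted to TLS client authentication."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    if cert_common_name(csr) != expected_uuid:
        raise ValueError("CSR Common Name is not the UUID issued to this device")
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now())
            .not_valid_after(_now() + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))


def device_sign(device_key, data):
    """Device side of client authentication: prove possession of the slot key."""
    return device_key.sign(data, ec.ECDSA(hashes.SHA256()))


def broker_accepts(ca_cert, device_cert, challenge, signature):
    """Broker side: the leaf must be signed by our CA, and the signature over the
    handshake challenge must verify with the leaf's key (TLS CertificateVerify)."""
    if device_cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(device_cert.signature, device_cert.tbs_certificate_bytes,
                                    ec.ECDSA(device_cert.signature_hash_algorithm))
        device_cert.public_key().verify(signature, challenge, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


def provision(ca_key, ca_cert, device_uuid):
    """Whole flow for one device whose UUID the API already issued:
    key + CSR on the device, signed certificate back from the CA."""
    device_key, csr = device_make_csr(device_uuid)
    return device_key, ca_issue_device_cert(ca_key, ca_cert, csr, device_uuid)
```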

    Such a human-unfriendly process is hidden from our users thanks to the work our design team did to build a user-friendly, plug-and-play “Getting Started” process in the browser that helps configure the IoT devices and Arduino IoT Cloud. Our users simply connect their Arduino boards and follow the steps.

    In addition, Arduino offers two-factor authentication across all web services, so users can add an additional security layer to their accounts and IoT devices connected to Arduino IoT Cloud.


  • Setting up two-factor authentication on your Raspberry Pi


    Reading Time: 7 minutes

    Enabling two-factor authentication (2FA) to boost security for your important accounts is becoming a lot more common these days. However you might be surprised to learn that you can do the same with your Raspberry Pi. You can enable 2FA on Raspberry Pi, and afterwards you’ll be challenged for a verification code when you access it remotely via Secure Shell (SSH).

    Accessing your Raspberry Pi via SSH

    A lot of people use a Raspberry Pi at home as a file or media server. This has become rather common with the launch of Raspberry Pi 4, which has both USB 3 and Gigabit Ethernet. However, when you’re setting up this sort of server you often want to run it “headless”: without a monitor, keyboard, or mouse. This is especially true if you intend to tuck your Raspberry Pi away behind your television, or somewhere else out of the way. In any case, it means that you are going to need to enable Secure Shell (SSH) for remote access.

    However, it’s also pretty common to set up your server so that you can access your files when you’re away from home, making your Raspberry Pi accessible from the Internet.

    Most of us aren’t going to be out of the house much for a while yet, but if you’re taking the time right now to build a file server, you might want to think about adding some extra security. Especially if you intend to make the server accessible from the Internet, you probably want to enable two-factor authentication (2FA) using Time-based One-Time Password (TOTP).

    What is two-factor authentication?

    Two-factor authentication is an extra layer of protection. As well as a password, “something you know,” you’ll need another piece of information to log in. This second factor will be based either on “something you have,” like a smart phone, or on “something you are,” like biometric information.

    We’re going to go ahead and set up “something you have,” and use your smart phone as the second factor to protect your Raspberry Pi.

    Updating the operating system

    The first thing you should do is make sure your Raspberry Pi is up to date with the latest version of Raspbian. If you’re running a relatively recent version of the operating system you can do that from the command line:

    $ sudo apt-get update
    $ sudo apt-get full-upgrade

    If you’re pulling your Raspberry Pi out of a drawer for the first time in a while, though, you might want to go as far as to install a new copy of Raspbian using the new Raspberry Pi Imager, so you know you’re working from a good image.

    Enabling Secure Shell

    The Raspbian operating system has the SSH server disabled on boot. However, since we’re intending to run the board without a monitor or keyboard, we need to enable it if we want to be able to SSH into our Raspberry Pi.

    The easiest way to enable SSH is from the desktop. Go to the Raspbian menu and select “Preferences > Raspberry Pi Configuration”. Next, select the “Interfaces” tab and click on the radio button to enable SSH, then hit “OK.”

    You can also enable it from the command line using systemctl:

    $ sudo systemctl enable ssh
    $ sudo systemctl start ssh

    Alternatively, you can enable SSH using raspi-config, or, if you’re installing the operating system for the first time, you can enable SSH as you burn your SD Card.

    Enabling challenge-response

    Next, we need to tell the SSH daemon to enable “challenge-response” passwords. Go ahead and open the SSH config file:

    $ sudo nano /etc/ssh/sshd_config

    Enable challenge response by changing ChallengeResponseAuthentication from the default no to yes.

    Editing /etc/ssh/sshd_config.

    Then restart the SSH daemon:

    $ sudo systemctl restart ssh

    It’s a good idea to open up a terminal on your laptop and make sure you can still SSH into your Raspberry Pi at this point — although you won’t be prompted for a 2FA code quite yet. It’s sensible to check that everything still works at this stage.

    Installing two-factor authentication

    The first thing you need to do is download an app to your phone that will generate the TOTP. One of the most commonly used is Google Authenticator. It’s available for Android, iOS, and Blackberry, and there is even an open source version of the app available on GitHub.

    Google Authenticator in the App Store.

    So go ahead and install Google Authenticator, or another 2FA app like Authy, on your phone. Afterwards, install the Google Authenticator PAM module on your Raspberry Pi:

    $ sudo apt install libpam-google-authenticator

    Now we have 2FA installed on both our phone, and our Raspberry Pi, we’re ready to get things configured.

    Configuring two-factor authentication

    You should now run Google Authenticator from the command line — without using sudo — on your Raspberry Pi in order to generate a QR code:

    $ google-authenticator

    Afterwards you’re probably going to have to resize the Terminal window so that the QR code is rendered correctly. Unfortunately, it’s just slightly wider than the standard 80 characters across.

    The QR code generated by google-authenticator. Don’t worry, this isn’t the QR code for my key; I generated one just for this post that I didn’t use.

    Don’t move forward quite yet! Before you do anything else you should copy the emergency codes and put them somewhere safe.

    These codes will let you access your Raspberry Pi — and turn off 2FA — if you lose your phone. Without them, you won’t be able to SSH into your Raspberry Pi if you lose or break the device you’re using to authenticate.

    Next, before we continue with Google Authenticator on the Raspberry Pi, open the Google Authenticator app on your phone and tap the plus sign (+) at the top right, then tap on “Scan barcode.”

    Your phone will ask you whether you want to allow the app access to your camera; you should say “Yes.” The camera view will open. Position the barcode squarely in the green box on the screen.

    Scanning the QR code with the Google Authenticator app.

    As soon as your phone app recognises the QR code it will add your new account, and it will start generating TOTP codes automatically.

    The TOTP in Google Authenticator app.

    Your phone will generate a new one-time password every thirty seconds. However, this code isn’t going to be all that useful until we finish what we were doing on your Raspberry Pi. Switch back to your terminal window and answer “Y” when asked whether Google Authenticator should update your .google_authenticator file.

    Then answer “Y” to disallow multiple uses of the same authentication token, “N” when asked whether to increase the time-skew window, and “Y” to rate limiting, which protects against brute-force attacks.
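The three setup questions just answered correspond to checks the verifying side performs. As an added example (not part of the original post, nor code from libpam-google-authenticator), this Python script generates RFC 6238 codes the way the phone app does and checks them server-side with a skew window, one-use enforcement and a three-attempts-per-30-seconds limit; the secret and timestamps in the checks are the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6          # the six-digit code the PAM module prompts for


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(text):
    """The secret in the QR code and the .google_authenticator file is unpadded base32."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side: accept a code from the current step or +-window steps, never
    accept a step that was already consumed, and rate-limit attempts."""

    def __init__(self, secret, window=1, step=STEP_SECONDS, max_attempts=3, interval=30):
        self.secret = secret
        self.window = window              # skew tolerance; setup asks whether to widen it
        self.step = step
        self.last_used_counter = -1       # the "disallow multiple uses" option
        self.max_attempts = max_attempts  # rate limiting: N attempts per interval seconds
        self.interval = interval
        self.attempts = []

    def _rate_limited(self, unix_time):
        self.attempts = [t for t in self.attempts if unix_time - t < self.interval]
        if len(self.attempts) >= self.max_attempts:
            return True
        self.attempts.append(unix_time)
        return False

    def verify(self, code, unix_time=None):
        if unix_time is None:
            unix_time = int(time.time())
        if self._rate_limited(unix_time):
            return False
        current = unix_time // self.step
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_used_counter:
                continue                  # already consumed: a replayed code is rejected
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False
```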

    You’re done here. Now all we have to do is enable 2FA.

    Enabling two-factor authentication

    We’re going to use Linux Pluggable Authentication Modules (PAM), which provides dynamic authentication support for applications and services, to add 2FA to SSH on Raspberry Pi.

    Now we need to configure PAM to add 2FA:

    $ sudo nano /etc/pam.d/sshd

    Add auth required pam_google_authenticator.so to the top of the file. You can do this either above or below the line that says @include common-auth.

    Editing /etc/pam.d/sshd.

    As I prefer to be prompted for my verification code after entering my password, I’ve added this line after the @include line. If you want to be prompted for the code before entering your password you should add it before the @include line.

    Now restart the SSH daemon:

    $ sudo systemctl restart ssh

    Next, open up a terminal window on your laptop and try to SSH into your Raspberry Pi.

    Wrapping things up

    If everything has gone to plan, when you SSH into the Raspberry Pi, you should be prompted for a TOTP after being prompted for your password.

    SSH’ing into my Raspberry Pi.

    You should go ahead and open Google Authenticator on your phone, and enter the six-digit code when prompted. Then you should be logged into your Raspberry Pi as normal.

    You’ll now need your phone, and a TOTP, every time you ssh into, or scp to and from, your Raspberry Pi. But because of that, you’ve just given a huge boost to the security of your device.

    Now you have the Google Authenticator app on your phone, you should probably start enabling 2FA for your important services and sites — like Google, Twitter, Amazon, and others — since most bigger sites, and many smaller ones, now support two-factor authentication.


  • Create Agent – Windows installer tampering while preserving Authenticode signature


    Reading Time: 2 minutes


    Arduino Team, August 13th, 2019

    Arduino Create Agent is a plug-in that was designed to help Arduino users connect their devices to the Arduino Create platform. The plug-in lets your browser communicate with your device’s serial port from a web application.  

    We chose Bitrock’s InstallBuilder, a powerful and easy to use cross-platform installer creation tool, for generating the Arduino Create Agent installers (Windows, macOS, Linux). Those binaries are then served through our global CDN.

    Yesterday, Bitrock published an important security advisory stating that Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. A specially crafted payload can be appended to an existing installer and trick the installer initialization code into executing code included in it, while the existing signature remains valid.

    The issue, originally reported to them by Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech), got addressed by releasing an updated version of InstallBuilder so all their customers could re-build and re-release their installers. CVE-2019-5530 has been assigned to this issue (CVSSv3 score of 6.7).

    Once we were notified, and given the potential impact of this security issue, we worked around the clock to re-build and re-release our Agent’s Windows installer. Version 1.1.89 has now been released through our official channels.

    Please note that all versions of the Windows installer before version 1.1.89 are vulnerable to CVE-2019-5530.

    Because this issue can be exploited with existing binaries already released, we also want to remind all of you to only download installers from official sources.

    If you have any questions regarding this security issue, or if you need any help with upgrading your installer, please do not hesitate to contact Arduino Support through e-mail at support@arduino.cc.

    Website: LINK

  • Arduino selects Auth0 as standardized login for ecosystem

    Reading Time: 2 minutes

    Arduino Team, July 28th, 2019

    We are excited to announce that we’ve selected Auth0 as the identity management platform of choice for Arduino. We will replace our own Single Sign On solution with Auth0 for all public facing web properties, including Arduino Create and other apps.

    We discovered that our own homegrown authentication solution would not scale to meet the rapidly developing needs of the growing global community and decided to reach out to Auth0. In addition to Single Sign On, Arduino will take advantage of Auth0’s new Universal Login, which enables developers to completely customise their branded authentication experiences quickly, and Device Flow for browserless or input-constrained devices.

    “We wanted a robust platform to replace our SSO solution but also give us the flexibility to do cool, new things in the device authentication space. Auth0 is a brand we admire, and their API-based approach makes it easy to migrate our login data in a way that’s completely transparent for the customer. We are excited to welcome them to our global community.” – Gianluca Varisco, Arduino CISO

    We plan to leverage the power of both communities and events, and explore a technical partnership in the IoT domain. Auth0 currently secures more than 2.5 billion logins per month for 21 million users.

    “I have been using Arduino for years as the brain for my personal projects, so working with them in a business capacity is really rewarding. When you empower the developer with simple, powerful tools, the whole business benefits. We are excited by the reach of the Arduino community and aligned in our mission to help the developer in their journey to innovate.” – Eugenio Pace, Auth0 CEO and co-founder 

    Website: LINK

  • Three-factor authentication is the new two-factor authentication

    Reading Time: 3 minutes

    Two-factor authentication continues to provide our online selves with more security for our email and online banking. Meanwhile, in the physical world, protecting our valuables is now all about three-factor authentication.

    A GIF of a thumbprint being scanned for authentication - three-factor authentication

    Not sure what I mean? Here’s a video from Switched On Network that demonstrates how to use a Raspberry Pi to build a three-factor door lock comprised of an RFID keyring, 6-digit passcode, and one-time access code sent to your mobile phone.

    Note that this is a fairly long video, so feel free to skip it for now and read my rather snazzy tl;dr. You can come back to the video later, with a cup of tea and 20 minutes to spare. It’ll be worth it, I promise.

    Build a Raspberry Pi Smart Door Lock Security System with Three Factor Authentication!

    https://amzn.to/2A98EaZ (UK) / https://amzn.to/2LDlxyc (US) – Get a free audiobook with a 30-day trial of Audible from Amazon! Build the ultimate door lock system, effectively turning your office or bedroom into a high-security vault!

    The tl;dr of three-factor door locks by Alex Bate

    To build Switched On Network’s three-factor door lock, you need to source a Raspberry Pi 3, a USB RFID reader and fob, a touchscreen, an electronic door strike, and a relay switch. You also need a few other extras, such as a power supply and a glue gun.

    A screenshot from the three-factor authentication video of a glue gun

    Once you’ve installed the appropriate drivers (if necessary) for your screen, and rotated the display by 90 degrees, you can skip ahead a few steps by installing the Python script from Switched On Network’s GitHub repo! Cheers!

    A screenshot from the three-factor authentication video of the screen attached to the Pi in portrait mode

    Then for the physical build: you need to attach the door strike, leads, and whatnot to the Pi — and all that together to the door and door frame. Again, I won’t go into the details, since that’s where the video excels.

    A screenshot from the video of the components of the three-factor authentication door lock

    The end result is a superior door lock that requires you to remember both your keys and your phone in order to open it. And while we’d never suggest using this tech to secure your house from the outside, it’s a perfect setup for inside doors to offices or basement lairs.
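    The three checks the lock performs, as an added example written for this post rather than the Switched On Network script: the RFID fob identifies the user, the 6-digit passcode is checked against a salted PBKDF2 hash, and only then is a single-use, time-limited access code generated and handed to a (hypothetical) SMS callback. The reader, screen and door strike are replaced by plain function arguments, and the TTL and lockout values are assumptions.

```python
"""Three-factor door lock logic: RFID fob + 6-digit passcode + one-time code.

Added example based on the factors described in the post; not the
Switched On Network code.  Hardware is modelled by function arguments and
the SMS/phone delivery of the one-time code is a hypothetical callback.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120    # assumption: a one-time code is valid for two minutes
MAX_FAILURES = 5         # assumption: wrong attempts before a temporary lockout
LOCKOUT_SECONDS = 300


def hash_passcode(passcode: str, salt: bytes) -> bytes:
    """PBKDF2 so a copied config file does not reveal the 6-digit codes."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


class DoorLock:
    def __init__(self, send_code, now=time.time):
        self.send_code = send_code   # callback(phone, code): hypothetical SMS sender
        self.now = now               # clock, injectable for testing
        self.users = {}              # rfid_uid -> {"salt", "passcode_hash", "phone"}
        self.pending = {}            # rfid_uid -> (code, expires_at)
        self.failures = {}           # rfid_uid -> (count, locked_until)

    def enrol(self, rfid_uid: str, passcode: str, phone: str) -> None:
        if len(passcode) != 6 or not passcode.isdigit():
            raise ValueError("passcode must be exactly 6 digits")
        salt = secrets.token_bytes(16)
        self.users[rfid_uid] = {
            "salt": salt,
            "passcode_hash": hash_passcode(passcode, salt),
            "phone": phone,
        }

    def _locked(self, rfid_uid: str) -> bool:
        _count, until = self.failures.get(rfid_uid, (0, 0.0))
        return until > self.now()

    def _record_failure(self, rfid_uid: str) -> None:
        count, until = self.failures.get(rfid_uid, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            # Lock the fob out and discard any outstanding one-time code
            until = self.now() + LOCKOUT_SECONDS
            count = 0
            self.pending.pop(rfid_uid, None)
        self.failures[rfid_uid] = (count, until)

    def present_fob_and_passcode(self, rfid_uid: str, passcode: str) -> bool:
        """Factors 1 and 2.  On success a one-time code is sent (factor 3)."""
        user = self.users.get(rfid_uid)
        if user is None or self._locked(rfid_uid):
            return False
        candidate = hash_passcode(passcode, user["salt"])
        if not hmac.compare_digest(candidate, user["passcode_hash"]):
            self._record_failure(rfid_uid)
            return False
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, zero-padded
        self.pending[rfid_uid] = (code, self.now() + OTP_TTL_SECONDS)
        self.send_code(user["phone"], code)
        return True

    def present_one_time_code(self, rfid_uid: str, code: str) -> bool:
        """Factor 3: the code is single-use and expires after OTP_TTL_SECONDS."""
        entry = self.pending.get(rfid_uid)
        if entry is None or self._locked(rfid_uid):
            return False
        expected, expires_at = entry
        if self.now() > expires_at:
            del self.pending[rfid_uid]
            return False
        if not hmac.compare_digest(expected, code):
            self._record_failure(rfid_uid)
            return False
        del self.pending[rfid_uid]          # consume the code: it cannot be replayed
        self.failures.pop(rfid_uid, None)   # successful entry clears the failure count
        return True
```

    In use, the touchscreen handler calls `present_fob_and_passcode` after the RFID read, and the relay driving the door strike is energised only when `present_one_time_code` returns `True`. Both comparisons go through `hmac.compare_digest`, and the one-time code is dropped on first use, on expiry and on lockout, so a code glimpsed on a phone cannot be reused later.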

    A GIF of Dexter from Dexter's Laboratory

    Everyone should have a lair.

    Now go watch the video!

    Website: LINK

  • Announcing Arduino’s Coordinated Vulnerability Disclosure Policy

    Reading Time: 3 minutes

    gvarisco, October 10th, 2018

    A little less than a month ago, I joined Arduino as their Chief Information Security Officer. I’ve been in touch with the team for the past couple of months and feel incredibly lucky to be part of such a talented and driven group of people.

    We’re working hard on developing a robust, well-rounded security program that fits our organisation and are busy improving our security posture across all departments. I am a true believer that it all starts from introducing a strong culture of security awareness, where employees feel confident and empowered to take action against security issues.

    Today, I’m thrilled to announce the first release of Arduino’s Coordinated Vulnerability Disclosure (CVD) Policy.

    We used some great references when putting it together and we’d like to give them a shout out here: HackerOne’s VDP guidelines, CEPS’ report on “Software Vulnerability Disclosure in Europe,” and the US DoJ Cyber Security unit’s VDP framework. We also took into consideration recent Senate testimony of experts in vulnerability disclosure on the role hackers can play in strengthening security, Dropbox’s announcement on protecting researchers and 18F’s own policy. I also want to publicly thank Amit Elazari Bar On, a doctoral law candidate (J.S.D.) at UC Berkeley School of Law and a Lecturer at UC Berkeley School of Information Master in Cybersecurity program, for her useful advice and for providing the amazing “#legalbugbounty” standardisation project.

    We’re also happy to announce that all of the text in our policy is a freely copyable template. We’ve done this because we’d like to see others take a similar approach. We’ve put some effort into this across our teams and if you like what you see, please use it. Similarly, if you have improvements to suggest, we’d love to hear from you.

    What is CVD?

    Coordinated vulnerability disclosure (CVD) is a process aimed at mitigating/eradicating the potential negative impacts of vulnerabilities. It can be defined as “the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of vulnerabilities and their mitigation to various stakeholders, including the public.”

    Figure 1: Relationships among actors in the CVD process. Source: “The CERT Guide to Coordinated Vulnerability Disclosure,” Software Engineering Institute, Carnegie Mellon University

    Why is it important for us?

    At Arduino, we consider the security of our systems and products a top priority. No technology is perfect, and Arduino believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered, as set out in this policy, so that we can fix them and keep our information safe.

    If you believe you’ve found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

    This policy describes how to send us vulnerability reports and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

    Where can I find it?

    A copy of the policy is published on our Vulnerability Disclosure Policy page. The official document lives in GitHub. If you would like to comment or suggest a change to the policy, please open a GitHub issue.

    Thank you for helping keep Arduino and our users safe!

    — Gianluca Varisco

    Website: LINK

  • MagPi 73: make a video game!

    Reading Time: 3 minutes

    Hi folks, Rob from The MagPi here! As far back as I can remember, I always wanted to learn to code to make a video game. I’m technically working on one right now! It’s wildly behind my self-imposed schedule, though. If you too wish to learn how to make games, then check out issue 73 of The MagPi, out today!

    The MagPi 73

    Make video games in the latest issue of The MagPi!

    Let’s play a game

    There are many classifications of video games these days, and many tools to help make it easy. We take you through making a purely narrative experience on Twine, up to programming a simple 8-bit game for Pico-8 in this month’s main feature. Don’t forget our ongoing series on how to make games in C/C++ and Pygame as well!

    The MagPi 73

    Make games today on your Pi!

    Boost your home security

    If making games isn’t quite your thing, then we also have a feature for our more serious-sided readers on how to secure your home using a Raspberry Pi. We show you how to set up a CCTV camera, an IoT doorbell, and a door security monitor too.

    Home security made easy with a Raspberry Pi

    Maker Faire Tokyo

    We also have a bumper five pages on Maker Faire Tokyo and the Japanese Raspberry Pi community! I went out there earlier this month and managed to drag myself away from the Gundam Base and the Mandarake in Akihabara long enough to see some of the incredible and inventive things Japanese makers had created.

    The MagPi 73

    See our report from Maker Faire Tokyo!

    All of this along with our usual selection of tutorials, projects, and reviews? We spoil you.

    The MagPi 73

    Amazing projects to inspire!

    Get The MagPi 73

    You can get The MagPi 72 today from WHSmith, Tesco, Sainsbury’s, and Asda. If you live in the US, head over to your local Barnes & Noble or Micro Center in the next few days for a print copy. You can also get the new issue online from our store, or digitally via our Android or iOS apps. And don’t forget, there’s always the free PDF as well.

    Rolling subscription offer!

    Want to support the Raspberry Pi Foundation and the magazine? You can now take out a monthly £5 subscription to the magazine, effectively creating a rolling pre-order system that saves you money on each issue.

    The MagPi subscription offer — The MagPi 73

    You can also take out a twelve-month print subscription and get a Pi Zero W plus case and adapter cables absolutely free! This offer does not currently have an end date.

    That’s it for now, see ya real soon!

    Edit: I’m sure he’ll run out of Star Trek GIFs eventually – Alex

    Website: LINK

  • Mayank Sinha’s home security project

    Reading Time: 2 minutes

    Yesterday, I received an email from someone called Mayank Sinha, showing us the Raspberry Pi home security project he’s been working on. He got in touch particularly because, he writes, the Raspberry Pi community has given him “immense support” with his build, and he wanted to dedicate it to the community as thanks.

    Mayank’s project is named Asfaleia, a Greek word that means safety, certainty, or security against threats. It’s part of an honourable tradition dating all the way back to 2012: it’s a prototype housed in a polystyrene box, using breadboards and jumper leads and sticky tape. And it’s working! Take a look.

    Asfaleia DIY Home Security System

    An IOT based home security system. The link to the code: https://github.com/mayanksinha11/Asfaleia

    Home security with Asfaleia

    Asfaleia has a PIR (passive infrared) motion sensor, an IR break beam sensor, and a gas sensor. All are connected to a Raspberry Pi 3 Model B, the latter two via a NodeMCU board. Mayank currently has them set up in a box that’s divided into compartments to model different rooms in a house.

    A shallow box divided into four labelled "rooms", all containing electronic components

    All the best prototypes have sticky tape or rubber bands

    If the IR sensors detect motion or a broken beam, the webcam takes a photo and emails it to the build’s owner, and the build also calls their phone (I like your ringtone, Mayank). If the gas sensor detects a leak, the system activates an exhaust fan via a small relay board, and again the owner receives a phone call. The build can also authenticate users via face and fingerprint recognition. The software that runs it all is written in Python, and you can see Mayank’s code on GitHub.

    Of prototypes and works-in-progress

    Reading Mayank’s email made me very happy yesterday. We know that thousands of people in our community give a great deal of time and effort to help others learn and make things, and it is always wonderful to see an example of how that support is helping someone turn their ideas into reality. It’s great, too, to see people sharing works-in-progress, as well as polished projects! After all, the average build is more likely to feature rubber bands and Tupperware boxes than meticulously designed laser-cut parts or expert joinery. Mayank’s YouTube channel shows earlier work on this and another Pi project, and I hope he’ll continue to document his builds.

    So here’s to Raspberry Pi projects big, small, beginner, professional, endlessly prototyped, unashamedly bodged, unfinished or fully working, shonky or shiny. Please keep sharing them all!

    Website: LINK

  • MagPi 67: back to the future with retro computing on your Pi

    Reading Time: 3 minutes

    Hey folks, Rob from The MagPi here! While we do love modern computers here at The MagPi, we also have a soft spot for the classic machines of yesteryear, which is why we have a huge feature on emulating and upcycling retro computers in The MagPi issue 67, out right now.

    The MagPi 67 Retro Gaming Privacy Security

    Retro computing and security in the latest issue of The MagPi

    Retro computing

    Noted retro computing enthusiast K.G. Orphanides takes you through using the Raspberry Pi to emulate these classic machines, listing the best emulators out there and some of the homebrew software people have created for them. There’s even a guide on how to put a Pi in a Speccy!

    The MagPi 67 Retro Gaming Privacy Security

    Retro fun for all

    While I’m a bit too young to have had a Commodore 64 or a Spectrum, there are plenty of folks who read the mag with nostalgia for that age of computing. And it’s also important for us young’uns to know the history of our hobby. So get ready to dive in!

    Security and more

    We also have an in-depth article about improving your security and privacy online and on your Raspberry Pi, and about using your Pi to increase your network security. It’s an important topic, and one that I’m pretty passionate about, so hopefully you’ll find the piece useful!

    The new issue also includes our usual selection of inspiring projects, informative guides, and definitive reviews, as well as a free DVD with the latest version of the Raspberry Pi Desktop for Windows and Apple PCs!

    Get The MagPi 67

    Issue 67 is available today from WHSmith, Tesco, Sainsbury’s, and Asda. If you live in the US, head over to your local Barnes & Noble or Micro Center in the next few days for a print copy. You can also get the new issue online from our store, or digitally via our Android and iOS apps. And don’t forget, there’s always the free PDF as well.

    New subscription offer!

    Want to support the Raspberry Pi Foundation and the magazine? We’ve launched a new way to subscribe to the print version of The MagPi: you can now take out a monthly £4 subscription to the magazine, effectively creating a rolling pre-order system that saves you money on each issue.

    You can also take out a twelve-month print subscription and get a Pi Zero W, Pi Zero case, and adapter cables absolutely free! This offer does not currently have an end date.

    We hope you enjoy this issue! See you next time…

    Website: LINK

  • Security Breach: Email Addresses & Passwords of Gearbest Users Leaked Online

    Reading Time: 4 minutes

    A Reddit user recently discovered that sensitive customer information from hundreds of GearBest users was hacked and uploaded into a Pastebin file. 

    The Chinese electronics online retailer GearBest is a popular outlet for a variety of affordable consumer electronics, including 3D printer kits like the Creality CR-10, Anet A8, among others.

    The 3D printing community has developed mixed feelings towards GearBest: some speak positively about the affordable pricing, while others are skeptical about the product quality and customer service. One Reddit user named “jamesdownwell” recently discovered that the Chinese retailer may have been subject to a hack.

    After performing a “random security check” on his personal email account, the Redditor discovered that the email addresses, passwords, and purchase information of around 150 supposed GearBest users were posted online in a Pastebin file.

    Redditor Discovers GearBest User Information Hacked and Shared Online

    The Reddit user “jamesdownwell” alleges that his post on the matter was deleted from r/GearBest for no reason, but his claims eventually ended up being crossposted in r/3DPrinting. He also stated that although he immediately emailed GearBest, the initial response to this urgent matter seemed a bit lackluster.

    “I immediately contacted them through Customer Support and Facebook. Their Customer Support didn’t answer until the next day, clearly not understanding the request, despite me including a screenshot of the online leak. I replied with a link and they didn’t respond until a day later saying that they “take matters of security very seriously” they “will investigate” and ever so generously donated $10 credit to my account.”

    Here’s the email exchange between the Reddit user and GearBest, which was shared via this Reddit thread:
    However, the Italian Android fan-site Tutto Android claims that it had gotten in touch with GearBest. According to their article (translated from Italian using Google Translate), the online retailer said that they are aware of the situation and have already warned users involved in the hack to change their passwords.

    Shortly after the news surfaced on Reddit, GearBest released a full statement of their own:

    Our IT department have investigated this issue and we have identified a few hundred accounts that may have been exposed. Immediately after this knowledge came to our attention we have frozen these accounts and contacted the affected users.

    Our investigation concludes that it is unlikely that our users’ information can be leaked from our system. What has likely happened is that ill-intentioned people bought and/or hacked user login information from other websites and were trying to see if those data could access GearBest. As far as we know, those hackers used some special software to facilitate uploading large volumes of leaked data from other sites to try to deceptively login with Gearbest from a group of high risk IPs.

    Apart from the steps we have taken above to alert our customers to update their passwords, we are also urgently working on risky IP identification and a more complicated verification code to prevent systematic password testing.

    We would like to take this opportunity to thank you for raising this issue. Please rest assured that Gearbest remains a safe website and will strive to keep protecting the interest of our users to the best of our abilities.

    GearBest claims that the leaked information was unlikely to have come from their system, but rather through other websites and “ill-intentioned people”. The company also alleges that the number of hacked accounts is only in the hundreds, and that all affected users have been notified and have had their accounts frozen.

    Either way, just to be on the safe side, it would probably be wise for any GearBest users out there to change their password and check to see if their information was hacked.
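    The pattern GearBest’s statement describes, leaked credentials from other sites replayed against many accounts from a small group of IPs, leaves a recognisable trace in login logs: one source address touching many distinct usernames in a short window with mostly failed attempts. The following added example, written for this article and not GearBest’s tooling, runs that check over a handful of constructed log lines and also lists the accounts that did log in successfully from a flagged address, which are the ones the statement says were frozen and told to change their passwords. The log format, thresholds and window size are assumptions.

```python
"""Spot credential-stuffing traffic in web login logs.

Added example (not GearBest's code).  Assumed log line format:
    <ISO timestamp> ip=<addr> user=<account> result=OK|FAIL
Sample lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds: an IP that tries at least this many different accounts
# within WINDOW, failing at least MIN_FAIL_RATIO of the time, is flagged.
MIN_DISTINCT_USERS = 5
MIN_FAIL_RATIO = 0.8
WINDOW = timedelta(minutes=10)

# Constructed sample: 203.0.113.7 sprays leaked credentials across eight
# accounts (one of them happens to work); 198.51.100.20 is one person
# mistyping their own password twice; 198.51.100.33 is a normal login.
SAMPLE_LOG = """\
2019-03-01T10:00:01 ip=203.0.113.7 user=alice@example.com result=FAIL
2019-03-01T10:00:02 ip=203.0.113.7 user=bob@example.com result=FAIL
2019-03-01T10:00:03 ip=203.0.113.7 user=carol@example.com result=OK
2019-03-01T10:00:04 ip=203.0.113.7 user=dave@example.com result=FAIL
2019-03-01T10:00:05 ip=203.0.113.7 user=erin@example.com result=FAIL
2019-03-01T10:00:06 ip=203.0.113.7 user=frank@example.com result=FAIL
2019-03-01T10:00:07 ip=203.0.113.7 user=grace@example.com result=FAIL
2019-03-01T10:00:08 ip=203.0.113.7 user=heidi@example.com result=FAIL
2019-03-01T10:05:00 ip=198.51.100.20 user=alice@example.com result=FAIL
2019-03-01T10:05:20 ip=198.51.100.20 user=alice@example.com result=FAIL
2019-03-01T10:05:40 ip=198.51.100.20 user=alice@example.com result=OK
2019-03-01T10:06:00 ip=198.51.100.33 user=bob@example.com result=OK
"""


def parse(lines):
    """Return (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        events.append(
            (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "OK")
        )
    events.sort()
    return events


def detect(lines):
    """Flag stuffing sources and the accounts that were opened from them."""
    by_ip = defaultdict(list)
    for ev in parse(lines):
        by_ip[ev[1]].append(ev)

    suspicious = set()
    for ip, evs in by_ip.items():
        start = 0
        # Sliding window over this IP's attempts, oldest to newest
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start : end + 1]
            distinct_users = {e[2] for e in window}
            failures = sum(1 for e in window if not e[3])
            if (
                len(distinct_users) >= MIN_DISTINCT_USERS
                and failures / len(window) >= MIN_FAIL_RATIO
            ):
                suspicious.add(ip)
                break

    # Accounts that authenticated successfully from a flagged IP are the
    # ones to freeze and notify: the replayed password was valid for them.
    exposed = {e[2] for ip in suspicious for e in by_ip[ip] if e[3]}
    return {
        "suspicious_ips": sorted(suspicious),
        "accounts_to_freeze": sorted(exposed),
    }


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

    The two-step output mirrors the two actions in the statement: the flagged IPs feed a block or step-up list (the “risky IP identification” and extra verification the company mentions), and the account list drives the freeze-and-notify step. A user who fails twice and then succeeds from one address is not flagged, because the distinct-account count, not the failure count alone, is what separates a forgotten password from a credential replay.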


    Website: LINK