With distance learning happening in many schools, what can you do to teach or learn about science? As you might expect, at Make: we believe that the best way to learn these subjects is through experiential, hands-on learning. In other words, “learning by doing.” If you want to learn science, […]
Silicon Labs held its first-ever Works With conference last week to push forward the Internet of things, which, thankfully, has been acronymed to IoT. Twenty years after “visionary technologist” Kevin Ashton coined the term Internet of things, consumers haven’t exactly lined up to jump on board.
For the residential market, before it was Internet of things, the term was home automation, which wasn’t very catchy, either. The idea that a home would be automated — making its own decisions about what went on inside — spooked people. It still does. A lot of people don’t like the idea of HAL 9000 in the hallway.
Sci-fi writers love to riff on the hacked smart home, depicting lights going on and off, room temperatures plunging and soaring to uncomfortable levels, alarms sounding at piercing decibel levels and doors sliding shut with occupants trapped inside. The rogue hacked home may be fiction on Mr. Robot, but it’s all too frightening a scenario for the average Josephine.
The term “smart home” is a little friendlier. The National Association of Home Builders is credited with coining the moniker in 1984, and forward-thinking builders who wanted to differentiate their designs looked for ways to offer it. Under the smart home technology section on the NAHB website, written in 2017, the trade association announces “The Internet of Things (IoT) is here.”
But as much as NAHB is a proponent of the smart home, it’s also realistic about the potential pitfalls and risks. It lays them out with a list of blunt caveats on its website. Quality of build is one of them: “Some of these devices are poorly designed and made,” it says, and there’s little “independent product assessment of anything, including useful life.” Potential failures could exist for a long time, it says, “with results that range from annoying to catastrophic.” Ouch.
Standards are an issue, too — or, more accurately, lack of them. “To the extent that there are some standards, they are not necessarily consistent and the law is not well developed,” NAHB says. Another warning: There’s no consensus on standards governing design, manufacture or performance of smart home devices. Of the regulations that do exist, they’ve been enacted by different agencies, “leaving a hodge-podge of rules with no consistent regulatory or legal direction. And there are very few cases outlining liability and how judges and juries may treat liability questions.”
Other warnings surround software updates and a lack of commitment by manufacturers or developers to keep products up to date: “We often don’t know how long the company plans to support a product with software security upgrades or what a consumer must do to install the upgrades.” Privacy and security, the top concern of consumers, rounds out the list.
If I were building a home, I would be cautious about installing a smart home system for all of those reasons. Not that I don’t believe in what it can do, because I’ve seen a lot of very cool smart home wizardry over the years. I’ve also seen too many latests and greatests sent to the recycle bin. I’d worry about being in constant upgrade mode. A previous home of mine had a defunct intercom system, leaving each room with a nonworking skeleton of 1960s technology.
As for standards and protocols, I don’t like to be locked in. I like choice. I also don’t want to choose the wrong one. What if I had gone with Lowe’s Iris smart home platform a few years ago? It shut down in March of last year, and I’d have been SOL like all those that bought into the platform. The Lowe’s website says, “You’re on your own” in the FAQ on whether there’s a migration tool to transfer to another platform: “You will be responsible for resetting and re-pairing any devices to the platform of your choosing.” That sounds fun.
Participants at the Works With conference last week seemed to get it … finally … maybe. Though billions of devices and sensors are said to have been linked in the IoT, it still hasn’t gone mainstream. Executives from heavy hitters including Amazon, Google and Comcast talked about incompatibility as a smart home stopper at retail and on e-commerce sites. People are confused about what works with which and are afraid of making a mistake or don’t want to bother with complicated setup and operation, execs acknowledged. They’re also really, really concerned about privacy and security.
Though billions of devices are connected in the IoT, Jamie Siminoff, CEO of Amazon’s Ring, envisions “hundreds of billions,” he said during the conference. That’s mainstream adoption, and builders and multi-dwelling units are key to reaching those numbers.
Silicon Labs CEO Tyson Tuttle talks about the Works With conference in our September 11, 2020, podcast.
Amazon and Google recognize that. Amazon recently announced a program integrating the Alexa voice engine into residential properties, making it easier for property managers to work with smart home devices. Alexa for Residential promises to remove consumer and property manager pain points by allowing residents to walk in to a “ready-to-use, Alexa-powered smart apartment, with no account or device setup required.” In addition to typical Alexa features, they’ll be able to get property-specific info, such as the schedule for recycling.
Property managers can create custom Alexa skills, allowing residents to manage rent, maintenance requests and amenity reservations. They can set an Alexa-enabled device in vacant units to answer common questions, enable self-guided tours, or “demo smart home features available in each unit.” When a resident moves out, the manager can reset the Alexa device remotely.
Google, meanwhile, is talking up Connected Home over IP (CHIP), a Zigbee-led effort launched in late 2019 to develop a smart home standard, a “unified solution” for the industry. Now at 145 members, the group plans to deliver a draft specification by year-end 2020. Grant Erickson, a Google principal engineer, called CHIP a “critical movement to break through the fragmentation that’s holding the market back” with interoperable standards “people can rely on” and that will instill “builder confidence.”
In Google’s vision of the future IoT, based on ambient computing, “We won’t talk about connected,” said Erickson. At home, “we’re not going to talk any more about smart devices or connected devices,” he said. “It is just going to be the de facto ways things are,” and devices will “orchestrate themselves.”
Bring it on.
App note from ON Semiconductors on the do’s and don’ts when using zero-drift precision op amps. Link here (PDF)
Zero-drift precision op amps are specialized op amps designed for applications that require high output accuracy due to small differential voltages. Not only do they feature low input offset voltage, but they also have high CMRR, high PSRR, high open loop gain, and low drift over temperature and time. These features make them ideal for applications such as low-side current sensing and sensor interface, particularly with very small differential signals.
Precision op amps are able to achieve “zero-drift” offset voltage, maintaining low input offset voltage over temperature variation and time, through a number of techniques. One of the ways that an amplifier can achieve this is by using a design technique that periodically measures the input offset voltage and corrects the offset at the output. This type of architecture is referred to as chopper-stabilized. Like all engineering solutions, zero-drift op amps also have their limitations. One of the less obvious is a result of the fact that the internal circuit of the chopper-stabilized amplifier contains a clocked system.
The report evaluating policies at 13 Spanish Internet companies also indicates that a handful are taking seriously their obligations under the new General Data Protection Regulation (GDPR), the European Union’s data privacy law that sets tough standards for protecting customers’ private information and gives users more information about and control over their private data. The law went into effect in December 2018.
But the good news for most of the companies pretty much stops there. All but the largest Internet providers in Spain are seriously lagging when it comes to transparency around government demands for user data, according to the Eticas report released today.
While Orange commits to notify users about government requests and both Vodafone and Telefónica clearly state the need for a court order before handing users’ communications to authorities, other featured companies have much to improve. They are failing to provide information about how they handle law enforcement requests for user data, whether they require judicial authorization before giving personal information to police, or if they notify users as soon as legally possible that their data was released to law enforcement. The lack of disclosure about their practices leaves an open question about whether they have users’ backs when the government wants personal data.
The format of the Eticas report is based on EFF’s Who Has Your Back project, which was launched nine years ago to shine a light on how well U.S. companies protect user data, especially when the government wants it. Since then the project has expanded internationally, with leading digital rights groups in Europe and the Americas evaluating data privacy practices of Internet companies so that users can make informed choices about to whom they should trust their data. Eticas Foundation first evaluated Spain’s leading providers in 2018 as part of a region-wide initiative focusing on Internet privacy policies and practices in Iberoamerica.
In today’s report, Eticas evaluated 13 companies, including six telecom providers (Orange, Ono-Vodafone, Telefónica-Movistar, MásMóvil, Euskatel, and Somos Conexión), five home sales and rental apps (Fotocasa, Idealista, Habitaclia, Pisos.com, and YaEncontré), and two apps for selling second hand goods (Vibbo and Wallapop). The companies were assessed against a set of criteria covering policies for data collection, handing data over to law enforcement agencies, notifying customers about government data requests, publishing transparency reports, and promoting user privacy. Companies were awarded stars based on their practices and conduct. In light of the adoption of the GDPR, this year’s report assessed companies against several new criteria, including providing information on how to contact a company data protection officer, using private data to automate decision making without human involvement and build user profiles, and practices regarding international data transfers. Eticas also looked at whether they provide guidelines, tailored to local law, for law enforcement seeking user data.
The full study is available in Spanish, and we outline the main findings below.
An Overview of Companies' Commitments and Shortcomings
Telefonica-Movistar, Spain’s largest mobile phone company, was the most highly rated, earning stars in 10 out of 13 categories. Vodafone was a close second, with nine stars. There was a big improvement overall in companies providing information about how long they keep user data—all 13 companies reported doing so this year, compared to only three companies earning partial credit in 2018. The implementation of the GDPR has had a positive effect on privacy policies at only some companies, the report shows. While most companies are providing contact information for data protection officials, only four—Movistar, Fotocasa, Habitaclia, and Vibbo—provide information about their practices for using data-based, nonhuman decision making, and profiling, and six—Vodafone, MásMóvil, Pisos.com, Idealista, Yaencontré, and Wallapop—provide information only about profiling.
Only Telefónica-Movistar and Vodafone disclose information to users about their policies for giving personal data to law enforcement agencies. Telefónica-Movistar is vague in its data protection policy, only stating that it will hand user data to police in accordance with the law. However, the company’s transparency report shows that it lets police intercept communications only with a court order or in emergency situations. For metadata, the information provided is generic: it only mentions the legal framework and the authorities entitled to request it (judges, prosecutors, and the police).
Orange Spain is the only company that says it’s committed to telling users when their data is released to law enforcement unless there’s a legal prohibition against it. Because the company didn’t make clear it will do so as soon as there's no legal barrier, it received partial credit. Euskatel and Somos Conexión, smaller ISPs, have stood out in promoting user privacy through campaigns or defending users in courts. On the latter, Euskatel has challenged a judicial order demanding the company reveal IP addresses in a commercial claim. After finally handing them over once the sentence was confirmed by a higher court, Euskatel filed a complaint with the Spanish data protection authority for possible violation of purpose limitation safeguards considering how the claimant used the data.
The report shows that, in general, the five home apps (Fotocasa, Idealista, Habitaclia, Pisos.com, and YaEncontré) and two second-hand goods sales apps (Vibbo and Wallapop) have to step up their privacy information game considerably. They received no stars in fully nine out of the 13 categories evaluated. This should give users pause and, in turn, motivate these companies to increase transparency about their data privacy practices so that the next time they are asked if they protect customers’ personal data, they have more to show.
Through ¿Quien Defiende Tus Datos? reports, local organizations in collaboration with EFF have been comparing companies' commitments to transparency and users' privacy in different Latin American countries and Spain. Earlier this year, Fundación Karisma in Colombia, ADC in Argentina, and TEDIC in Paraguay published new reports. New editions in Panamá, Peru, and Brazil are also on their way to spot which companies stand with their users and those that fall short of doing so.
La Toulouse Robot Race is an annual racing event held in Toulouse, France, which includes a 10-meter autonomous sprint for multi-legged robots. The current record for quadrupeds is 42 seconds, so Sebastian Coddington decided to construct a robot in hopes of taking the category at the next race in January 2021.
His “GorillaBot” quadruped features limbs made from two-servo five-bar linkage systems, controlled using an Arduino Nano. In autonomous mode, the robot stays on course thanks to a magnetometer; however, if it does lose its way, an on-board ultrasonic sensor helps to keep it from crashing.
Apart from electronics and fasteners, the inexpensive build is completely 3D-printable, and assembly directions with some videos are available in the project write-up. From the demo clip below, the GorillaBot looks like it will be quite a competitor, and perhaps Coddington will even be able to enhance the design before the event!
- Inside the Pulsar Calculator watch from 1975
- Simrefinery recovered
- Putting the coronavirus under the microscope
- The helium shortage has ended, at least for now
- Ken Shirriff looks at the 8086 processor
- Strike a solder joint behind enemy lines
- Testing the Mars helicopter in a simulated martian atmosphere
- A project to make a DEC H-500 Computer Lab Reproduction
- Visualizing brain activity with an AxiDraw
This article was written by Luigi Gubello, Arduino Security Team.
Be kind to the end user. At Arduino, we like to develop powerful ideas into simple tools. This is the spirit behind our team’s efforts in launching our IoT Cloud platform: making the Internet of Things accessible and easy for everyone. We can now offer a complete low-code IoT application development platform that seamlessly integrates with our hardware products: Arduino IoT Cloud.
Behind such simplicity, you’ll always find a thorough design study carried out by our team in order to offer a user-friendly IoT cloud solution, which is suitable for everything from your first IoT project to state-of-the-art professional use — what the user needs to do is connect their compatible Arduino board to a computer and follow the steps displayed in the browser window. The process will configure the device to securely connect to the Arduino IoT Cloud, thus creating an Internet-connected device in minutes.
So how does Arduino IoT Cloud provisioning work?
TLS Client Authentication
In a previous blog post titled “Arduino Security Primer,” we began to introduce how the device provisioning works, showing how security is a fundamental requirement for us. The Arduino IoT Cloud security model is based on three key elements: an open-source library named ArduinoBearSSL, a Hardware Secure Element, and a device certificate provisioning for TLS Client Authentication.
TLS Client Authentication (or TLS Mutual Authentication) is an authentication method in which the server verifies the client’s identity through a certificate to grant or deny access to the device. In the standard TLS handshake, only the client is required to authenticate the server, while in TLS Client Authentication, the server also needs to authenticate the client by verifying its identity. If the server cannot trust the client’s identity, it does not authorize a connection.
In the TLS Client Authentication system, the device’s credentials are replaced by a signed certificate that guarantees the device identity, thereby eliminating some security risks such as credential theft, weak passwords, or brute-force attacks. During the device provisioning process, a certificate — signed by our certificate authority — is stored inside the hardware secure element of supported Arduino boards to be used when identity verification is required.
In order to communicate with the Microchip secure element (ATECC508A or ATECC608A) mounted on some Arduino boards, our engineering team developed an open-source library (ArduinoECCX8) which is used for device provisioning by the Arduino IoT Cloud. This library is responsible for writing and reading data from the secure element. In particular — during the provisioning stage — it manages the generation of private keys, certificate signing requests, and certificate storage. This library can also be used to generate self-signed certificates and to sign JWT, using the public key generated by the crypto chip.
Arduino Provisioning Sketch
The entire device provisioning process is hidden behind a browser-based, user-friendly interface, so that users can quickly and easily connect their Arduino boards to the Arduino IoT Cloud by following a step-by-step procedure from the Getting Started page. During this process, the provisioning sketch is uploaded to the Arduino board and the open-source Arduino Create agent interacts with the browser content to help complete the device registration procedure. Taking a look at the provisioning source code to better understand what happens “behind the scenes,” it is possible to see how we use the hardware secure element.
The secure element’s slot 0 is used for storing the device private key; only the secure element can access its content. Slots 10, 11, and 12 are used for storing the compressed certificate, signed by Arduino’s certificate authority.
    const int keySlot = 0;
    const int compressedCertSlot = 10;
    const int serialNumberAndAuthorityKeyIdentifierSlot = 11;
    const int deviceIdSlot = 12;
At first, the sketch configures and locks the hardware secure element. This process is required to begin using the device.
    #include "ECCX08TLSConfig.h"

    [...]

    if (!ECCX08.writeConfiguration(DEFAULT_ECCX08_TLS_CONFIG)) {
      Serial.println("Writing ECCX08 configuration failed!");
      while (1); // halt on failure
    }
After the hardware secure element has been configured, a private key and a certificate signing request (CSR) are generated.
    if (!ECCX08Cert.beginCSR(keySlot, true)) {
      Serial.println("Error starting CSR generation!");
      while (1); // halt on failure
    }

    // The device id becomes the subject common name of the CSR
    String deviceId = promptAndReadLine("Please enter the device id: ");
    ECCX08Cert.setSubjectCommonName(deviceId);
    String csr = ECCX08Cert.endCSR();
The Create Agent takes the generated CSR and sends it to the server via the Arduino IoT Cloud API in order to receive a signed certificate. At this point the signed certificate is sent to the Arduino board and stored in the secure element.
    if (!ECCX08Cert.beginStorage(compressedCertSlot, serialNumberAndAuthorityKeyIdentifierSlot)) {
      Serial.println("Error starting ECCX08 storage!");
      while (1); // halt on failure
    }

    [...]

    if (!ECCX08Cert.endStorage()) {
      Serial.println("Error storing ECCX08 compressed cert!");
      while (1); // halt on failure
    }
Once the signed certificate is successfully stored, the device provisioning is complete and the Arduino board is ready to connect to the Arduino IoT Cloud.
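The checks described under TLS Client Authentication and performed by the provisioning steps above, as a simplified model added here (not Arduino's code and not real TLS or X.509): pure-Python ECDSA over P-256 stands in for the secure element and the certificate authority. The names SecureElement, make_csr, ca_issue, server_accepts and the device id are hypothetical.

```python
import hashlib, secrets

P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # NIST P-256 field prime; curve a = -3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
digest = lambda m: int.from_bytes(hashlib.sha256(m).digest(), "big")

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p == q else (y2 - y1, x2 - x1)
    m = num * pow(den % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, p):  # double-and-add; not constant time, demonstration only
    r = None
    while k:
        r, p, k = (add(r, p) if k & 1 else r), add(p, p), k >> 1
    return r

def verify(pub, msg, sig):  # ECDSA signature verification
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(digest(msg) * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class SecureElement:  # model of key slot 0: the private scalar never leaves
    def __init__(self):
        self.__d = secrets.randbelow(N - 1) + 1
    def public_key(self):
        return mul(self.__d, G)
    def sign(self, msg):
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (digest(msg) + r * self.__d) % N
        return (r, s) if r and s else self.sign(msg)

def tbs(cn, pub):  # bytes to be signed: device id bound to its public key
    return cn.encode() + b"|" + b"".join(c.to_bytes(32, "big") for c in pub)

def make_csr(se, cn):
    pub = se.public_key()
    return {"cn": cn, "pub": pub, "sig": se.sign(b"csr:" + tbs(cn, pub))}

def ca_issue(ca, csr):  # the CA checks proof of possession before signing
    if not verify(csr["pub"], b"csr:" + tbs(csr["cn"], csr["pub"]), csr["sig"]):
        raise ValueError("CSR signature invalid")
    return {**csr, "ca_sig": ca.sign(b"cert:" + tbs(csr["cn"], csr["pub"]))}

def server_accepts(ca_pub, cert, prove):  # CA signature, then fresh challenge
    if not verify(ca_pub, b"cert:" + tbs(cert["cn"], cert["pub"]), cert["ca_sig"]):
        return False
    nonce = secrets.token_bytes(32)
    return verify(cert["pub"], nonce, prove(nonce))

def demo():
    ca, device, rogue = SecureElement(), SecureElement(), SecureElement()
    cert = ca_issue(ca, make_csr(device, "device-0001"))      # constructed id
    forged = ca_issue(rogue, make_csr(rogue, "device-0001"))  # issuer not trusted
    return {"provisioned": server_accepts(ca.public_key(), cert, device.sign),
            "cert_without_key": server_accepts(ca.public_key(), cert, rogue.sign),
            "untrusted_ca": server_accepts(ca.public_key(), forged, rogue.sign)}
```

Only the provisioned device passes: a copied certificate is useless without the key held in the secure element, and a certificate from an issuer the server does not trust is rejected before any challenge is sent.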
The Arduino IoT Cloud facilitates the first approach to the Internet of Things, providing a simple user experience, but beneath its simplicity lies a powerful tool to develop professional projects. Our platform offers access to the Arduino IoT Cloud API, which is ideal for automation workflows.
In this use case, we will demonstrate how a user in need of provisioning a device fleet can automate and improve the process through the use of the Arduino IoT Cloud’s API and our open-source Arduino_JSON library. The following code is a self-provisioning sketch optimized for the Arduino Nano 33 IoT, which automatically takes care of registering the board to the Arduino IoT Cloud once uploaded to the board and executed.
Self-provisioning for MKR WiFi 1010 and Nano 33 IoT in prod:
To further enhance this process, we use our open-source Arduino CLI to quickly upload the code to the board. All that’s needed is a simple command:
arduino-cli compile -b arduino:samd:nano_33_iot -u -p /dev/ttyACM0 SelfProvisioning
These are only a few of the features that show how the Arduino hardware products and cloud service can automate processes and create an interconnected system to improve users’ projects and businesses. There will be an increasing number of connected and communicating devices added in the near future, and we are working to make this IoT revolution user-friendly, accessible, and open-source.