1. Clock is automatically updated from the internet
2. The microwave has a web page so you can control it from your phone (why not), and set up cooking instructions for products
3. Tweets after it's finished cooking something
4. Can be controlled with voice commands ∗∗
∗∗ ...not that bad, but subject to pranks and false positive microwave commands, from people in the same room
This is all REALLY bad from a safety perspective. Exposing household appliances to the wilds of the internet is all kinds of dangerous. You shouldn't advertise that this is a good idea, and leave readers with the assumption that maybe it's password protected or maybe not (it is: http://www.microwavecookingdb.com/products/new?upc=871100027...), or maybe it's wrapped up in TLS/SSL and maybe not (it's not: http://www.microwavecookingdb.com/users/sign_in). Is the internet control framework just security by obscurity, operated by arbitrarily obscure URL parameters? Who knows? Maybe? (here's the code: https://github.com/ndbroadbent/raspberry_picrowave) I mean, yeah it's just a DIY project, but immediately, I see some opportunities to wreak havoc.
First of all, it's not merely polling an internet time server, but that's one port exposed to the internet, that anybody can just start dumping malicious payloads on. Second, and worst, it can be switched on from the internet. Third, it gives feedback that can be accessed by the entire internet, tells the internet what it is, and what it's doing, right now in real time, allowing an attacker to monitor the success of malicious efforts. This way, you'll know as soon as you're able to send a command to power up the microwave for one second, to test and prove the ability to control it.
People will attack these kinds of openings, just for the sheer amusement of running up a total stranger's electric bill, never mind starting a fire. This article seems relatively smart and competent, and so maybe we should ASSUME that proper security exists?
This is the kind of design inspiration that's going to encourage some other engineer (or worse, an MBA in charge of some stupid startup) to go out and expose the electric grid to twitter with some poorly tested SCADA system, and on a dark, stormy night, in the far flung future, I'm going to be eating cold beans from a can, in the dark, because of it.
> This article seems relatively smart and competent, and so maybe we should ASSUME that proper security exists?
Or, maybe the guy just likes playing around with electronics for fun? Perhaps he doesn't really consider this a production ready appliance and just wants to share his hobby with the world.
If everyone adhered to your cautious approach no experimentation would ever take place as all new things carry risks and lessons to be learned. You can't always nail it first time round, you have to make mistakes to make progress. And there is absolutely nothing wrong with sharing your experiments.
> This is the kind of design inspiration that's going to encourage some other engineer...
This makes me think your whole comment is just trolling.
A port is a port is a port. You can send anything you like to that port and it's not like the computer will say "Oop, I have no programs listening on this port, so I'll just execute what you're sending me"
What is the danger in having a port exposed that can receive updates for time? Are there huge vulnerabilities in the ntpd? Seems like a pretty small attack surface to me.
Actually... Is that port even open?!
This is polling a time server through NAT, right? So the ports get negotiated. We're not listening, we're asking. So I guess the danger would be that your time server of choice could be compromised, and then start sending out malicious packets that... confuse ntpd? Seems like we're back where we started.
There was some stupid stuff in that article, twitter updates being perhaps the most colossal (and voice control coming in a neat second, web control @ 3). However, once you take flame decals off and remove the card in the spokes, this ceases to be the danger it once was.
ntpd is usually run as a daemon, which is run as root, and if you can overflow a buffer somewhere, given you know the architecture and platform (arm, raspberry pi), and don't have data execution prevention, you can inject assembly instructions and jump a function pointer like any other stack overflow.
Then you have arbitrary code execution as ntpd. Unless you have apparmor, or some other MAC.
ntpd is usually run as the ntp user on Debian-based systems, at least. Most rpi distros are Debian-based.
Given that the same ntpd code is running on many many internet connected computers around the world, I don't think a microwave is worth a 0day remote root exploit on.
> This is the kind of design inspiration that's going to encourage some other engineer (or worse, an MBA in charge of some stupid startup) to go out and expose the electric grid to twitter with some poorly tested SCADA system, and on a dark, stormy night, in the far flung future, I'm going to be eating cold beans from a can, in the dark, because of it.
Wait... are you saying this as reason why this guy shouldn't be doing what he's doing? Because somebody somewhere who might be in a position of public trust might be incompetent? SCADA security is a big deal, but I think your energy is a bit misplaced here...
Party on, Mr. Broadbent. Keep making that Raspberry Pi make you some Raspberry Pie.
I don't care if Mr. Broadbent does this. And I'll admit, that yeah, this project is way cool!
But if I live in an apartment building, and my belongings can be burned to the ground because the apartment above me decided to put their microwave on the internet, I wouldn't want any of my neighbors doing this. It's not a good idea for everyone, everywhere, all the time.
* EDIT: Just the "internet enabled" parts mostly (unless you're qualified/experienced enough to understand the hazards), not all the other hardware hacks (I would estimate that anybody etching their own circuit boards would have a pretty firm understanding of electrical safety).
Great points! I agree with the concerns, and I don't leave the microwave turned on at the moment.
I agree that the microwave webpage should be password-protected or disabled, because really, it's not the most important feature. If I was living in an apartment with a shared network, everything would be running behind a firewall.
The cooking database website is the only part accessible from the internet, and is running on a separate server. I've added a temporary lock for my products, so no-one can edit or delete them at the moment. In the future I might implement some better ways to prevent abuse. I haven't set up SSL yet, but will do it if the site starts getting some use. I've added the following notice for now:
> This website is not currently secure. If you submit your password on this form, a hacker will be able to read it, especially if you are using an unsecured wifi connection. However, it is safe to sign in with Facebook, Google, or GitHub.
Linux (Raspbian) is in charge of setting the time via NTP, so any vulnerability is not specific to my project. The tweeting is dumb, but just a fun thing to put in a blog post. And voice commands must be prefixed with the 'microwave' keyword, unless the microwave door has been closed less than 10 seconds ago.
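The wake-word rule described in the reply above (commands need the "microwave" prefix unless the door was closed within the last 10 seconds), as an added illustration in Ruby. This is not code from raspberry_picrowave; the command vocabulary, the duration cap and the injectable clock are assumptions made for the example.

```ruby
# Constructed example of a wake-word gate for voice commands.
# Goal: reduce prank/false-positive triggers from people in the same room.
class VoiceCommandGate
  WAKE_WORD = "microwave"
  DOOR_GRACE_SECONDS = 10          # window stated in the reply above
  COMMANDS = %w[start stop].freeze # hypothetical single-word vocabulary
  MAX_SECONDS = 600                # hypothetical cap so a heard number can't run it for hours

  # clock is injectable so the grace window can be tested deterministically
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @door_closed_at = nil
  end

  # Call when the door sensor reports the door has just been closed.
  def door_closed!
    @door_closed_at = @clock.call
  end

  def door_recently_closed?
    !@door_closed_at.nil? && (@clock.call - @door_closed_at) < DOOR_GRACE_SECONDS
  end

  # Returns a command hash, or nil when the utterance is ignored.
  def accept(utterance)
    words = utterance.downcase.scan(/[a-z0-9]+/)
    if words.first == WAKE_WORD
      words.shift                  # explicit wake word: always allowed
    elsif !door_recently_closed?
      return nil                   # no wake word and grace window expired
    end
    if words.first == "cook" && words[1] =~ /\A\d+\z/
      secs = [words[1].to_i, MAX_SECONDS].min
      return { cmd: "cook", seconds: secs }
    end
    return { cmd: words.first } if COMMANDS.include?(words.first)
    nil
  end
end
```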
Totally cool. I understand that it's a custom prototype/proof-of-concept project. Network topology is definitely the major factor determining any real security exposure of the appliance on a given network, but it seemed like an undocumented variable that exists outside the scope of this particular project, so I figured it's worth pointing out.
As zanny pointed out (https://news.ycombinator.com/item?id=6030206), since we know the chipset, and can anticipate available features, given that we know the networked device is a Raspberry Pi, and that we have the source code of the project, this provides us with enough information to craft possible payloads to drop onto the system. It's certainly not a huge attack surface, but there might be _just_ enough wiggle room to bust in.
As for the QR Code concept, any chance of some plans for adding a small low-end camera?
Even if the camera is not very good (maybe a $20 USB webcam), and the picture is poor quality (perhaps a ~0.3 megapixel image), as long as the image of the QR Code can be captured, the software that attempts to discover the QR Code and pull the information out of the low-quality image will do the rest. Then, it's just up to the user to print out some QR code stickers. Actually, come to think of it, I bet there are probably some burritos out there with QR codes on the wrappers, pointing to some burrito website, that could be re-purposed to trigger the microwave.
There is a funny scene at the end of Disney's Carousel of Progress ride that shows exactly this: a "futuristic" family is gathered for the holidays while their voice-activated oven cooks in the background. As they make various unrelated comments that contain words like "up," "heat" etc., the oven responds and continues to increase the temperature on their Christmas turkey (while the family obliviously chatters on) until it is burnt to a crisp.
I think the moment you're thinking of is when the son is playing video games, and mentions his high score. The score was some absurdly high number like 12 million, one of the other family members hears this and repeats it aloud (I believe this family member was previously controlling the microwave); the microwave hears this number and replies "heating to 12 million degrees", burning their Christmas turkey (just like they did every iteration in the ride, even as the technology progresses). I'm not sure why I bothered typing all of that, I haven't been to that ride since I was ~ 12.