Wednesday, January 8, 2020

Arduino Project One: Secure communications through the firewall

Bad luck: I broke the camera connector on my Raspberry Pi Zero W, and then I think I zapped the Pi itself. It's dead, Jim. Fortunately, I have a Pi 3B lying around, waiting to be useful, so I think I'll press it into service.

My original plan was to set up a web page on the Pi, and to communicate with the Pi through a browser or a smartphone app. That would entail setting up port forwarding on my home network's router, or as they say, "punching a hole in the firewall." And that's always a network security risk.

Today, a co-worker gave me a better idea. It stems from the work I'm doing at FreeWave with MQTT.

Use MQTT to talk to the garage door

MQTT is a data communications protocol used widely in the Internet of Things (IoT), the world of connected appliances, automobiles, doorbells, and so on. It's intended for sporadic communication of small amounts of data, perfect for this application.

MQTT follows a client-server model, but the server is a go-between rather than a data store. Clients publish messages to named topics, and the server forwards each message to every client that has subscribed to that topic. Apart from an optional "retained" last message per topic, and messages queued for a subscriber whose connection has dropped, it keeps nothing. For this reason, the server is called a broker rather than a server.

A good, widely used, open-source MQTT broker is Mosquitto. Mosquitto is ridiculously simple to set up and run in the background. So I will set up Mosquitto to run on a cloud server somewhere. The defaults are the part to watch: a stock Mosquitto listens on port 1883 with no TLS, and versions before 2.0 accept anonymous connections unless allow_anonymous is set to false and a password_file (or client certificates) is configured. On a public cloud server the listener should be TLS on 8883, with authentication required and an acl_file restricting which clients may publish and subscribe to which topics.

The Raspberry Pi will subscribe to garage-door-opener messages received by the broker. It will publish a couple of messages of its own, in response to the messages it receives. I can use a Corona app, a webpage, or a Python or JavaScript script to publish messages to the broker.

Set up this way, nothing needs to reach into my home network. The Pi and the phone both make outbound connections to the broker, so I never have to open a port on my router.

Messages to send to the Pi:
  • Request status of the garage door (closed, or not closed)
  • Push the button, Max.
Messages to be sent by the Pi:
  • Status of the garage door is closed, or not closed
    • ... including a camera image
  • The button has been pushed

Data security is still a concern

An MQTT payload is just bytes; it can be binary or plain text, and the broker doesn't care which. If the broker accepts a connection from anybody who knows its IP address, a snooper doesn't even need to know my topic names: subscribing to the wildcard topic # delivers every message that passes through the broker, and from there it's easy to pick out the garage-door topics and intercept the data. Publishing is just as open, so they can send commands of their own, too. If they can intercept the data, there's the chance that they can hack the system. At the very least, they can know the status of my garage door and maybe see what's in my garage. At worst, they can open and close the door at will.

An MQTT payload can carry one or more data items (metrics). I can encrypt the payload with a key that the Pi and my client share, so a subscriber has to have the key to read it. (Sending the key along with the data would defeat the purpose; it has to be shared ahead of time.) But encryption alone doesn't help the "Push the button, Max" message: a hacker who captures the encrypted message can republish it as-is, and the Pi will push the button. That's a replay attack. Each command needs to carry something that changes every time, so an old message is worthless, and that only the Raspberry Pi can verify.

So another idea is to use a challenge-response algorithm, something like this.

Me: Hey, garage door. I want you to—
Pi: Wait wait wait, here's a randomly generated key. Use it to encode your message.

Me: Here's a huge number, which I created from your randomly generated key to prove that I'm me, and my request, which I encrypted using your randomly generated key.

Pi: Good, that's the right number. Now I know that you're you. Here's a response to your message, also encrypted using the randomly generated key.

Me: Thanks. We're done.

The idea of the Pi generating a random key, and both the Pi and the client using that key to derive an encryption key, has a hole in it: the random key crosses the same broker the snooper is watching, so anything derived from it alone can be derived by the snooper too. What makes the response worth anything is a secret that never crosses the wire, a pre-shared key that only the Pi and my client hold, mixed into the response along with the challenge. The random challenge then only has to be unpredictable and used once, and the security rests on the key rather than on keeping the algorithm secret, which is the first thing the NSA (or anyone else) would go after. But it might be enough to defeat neighborhood hackers. I think it's at least as secure as the mechanical lock-and-key on my front door.

Counting cards

Even if a hacker can't decrypt the messages, he might be able to deduce from the pattern of messages that someone is trying to operate the garage door opener. Since the normal state of the door is closed, if a hacker sees two clusters of messages a few minutes apart, for example, he can reasonably deduce that the garage door was opened and then closed. And if the hacker sees only one cluster of messages, with no other action for a while, he can reasonably deduce that the door's status was checked, but not changed.

It's like counting cards at the blackjack table.

So it might be a good idea to have the client and the Pi swap some bogus messages once in a while, to confuse any hackers monitoring the broker. The bogus messages only help if they are indistinguishable from the real ones: same topics, same encoding, padded to the same size, and sent on a schedule that doesn't itself give the game away.
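The challenge-response exchange above, together with the same-size messages from the card-counting section, as an added example that is not code from the original post. It swaps in a keyed HMAC for the post's "encrypt with the random key" step: the Pi's random challenge is a one-shot nonce, and the client proves itself by tagging nonce plus action with a pre-shared key that never crosses the broker, so a replayed or forged command is rejected. The broker is a constructed in-memory stand-in for Mosquitto; the topic names, the PSK and the 192-byte frame size are assumptions, and a real deployment would still put TLS on the broker so the status replies (and camera images) stay confidential.

```python
import hashlib
import hmac
import json
import os
import time
from collections import defaultdict

MSG_SIZE = 192  # every payload is padded to this length, so a snooper cannot size-guess a status check vs. a push
PSK = b"constructed pre-shared key: provisioned onto the Pi and the phone by hand, never sent over MQTT"


class FakeBroker:
    """Constructed stand-in for Mosquitto: an in-memory topic -> subscriber map.
    Subscribers run synchronously inside publish(); `seen` is what a snooper subscribed to '#' gets."""
    def __init__(self):
        self.subs = defaultdict(list)
        self.seen = []

    def subscribe(self, topic, callback):
        self.subs[topic].append(callback)

    def publish(self, topic, payload):
        self.seen.append((topic, payload))
        for callback in list(self.subs[topic]):
            callback(topic, payload)


def pad(data):
    """Fixed-size framing: 2-byte big-endian length, the payload, zero fill to MSG_SIZE."""
    if len(data) > MSG_SIZE - 2:
        raise ValueError("payload too large for the fixed frame")
    return len(data).to_bytes(2, "big") + data + b"\0" * (MSG_SIZE - 2 - len(data))


def unpad(frame):
    return frame[2:2 + int.from_bytes(frame[:2], "big")]


def tag_for(psk, nonce, action):
    """HMAC-SHA256 over the challenge nonce and the requested action, keyed with the PSK."""
    return hmac.new(psk, f"{nonce}:{action}".encode(), hashlib.sha256).hexdigest()


class GarageDoor:
    """The Raspberry Pi side: hands out one-shot nonces and acts only on correctly tagged commands."""
    def __init__(self, broker, psk, ttl=30):
        self.broker, self.psk, self.ttl = broker, psk, ttl
        self.pending = {}  # nonce -> expiry; a nonce is removed the first time anyone uses it
        self.button_presses = 0
        broker.subscribe("garage/request", self.on_request)
        broker.subscribe("garage/command", self.on_command)

    def on_request(self, topic, payload):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = time.time() + self.ttl
        self.broker.publish("garage/challenge", pad(json.dumps({"nonce": nonce}).encode()))

    def on_command(self, topic, payload):
        msg = json.loads(unpad(payload))
        nonce, action, tag = msg.get("nonce"), msg.get("action", ""), str(msg.get("tag", ""))
        expiry = self.pending.pop(nonce, None)  # pop: a replayed nonce finds nothing here
        fresh = expiry is not None and time.time() <= expiry
        if not (fresh and hmac.compare_digest(tag_for(self.psk, nonce, action), tag)):
            result = {"result": "rejected"}
        elif action == "push":
            self.button_presses += 1
            result = {"result": "ok", "pushed": True}
        else:
            result = {"result": "ok", "closed": True}  # a real Pi would read the door sensor here
        self.broker.publish("garage/response", pad(json.dumps(result).encode()))


class Phone:
    """The client side: asks for a challenge, then publishes the action tagged with that nonce."""
    def __init__(self, broker, psk):
        self.broker, self.psk = broker, psk
        self.nonce = self.response = None
        broker.subscribe("garage/challenge", lambda t, p: setattr(self, "nonce", json.loads(unpad(p))["nonce"]))
        broker.subscribe("garage/response", lambda t, p: setattr(self, "response", json.loads(unpad(p))))

    def send(self, action):
        self.broker.publish("garage/request", pad(b"{}"))
        cmd = {"nonce": self.nonce, "action": action, "tag": tag_for(self.psk, self.nonce, action)}
        self.broker.publish("garage/command", pad(json.dumps(cmd).encode()))
        return self.response


def demo():
    """Run the honest exchange, then the two attacks the post worries about; return what happened."""
    broker, outcome = FakeBroker(), {}
    door, phone = GarageDoor(broker, PSK), Phone(broker, PSK)
    outcome["status"] = phone.send("status")["result"]
    outcome["push"] = phone.send("push")["result"]
    # Replay: the snooper republishes a captured command verbatim. Its nonce was already consumed.
    captured = next(p for t, p in broker.seen if t == "garage/command")
    broker.publish("garage/command", captured)
    outcome["replay"] = phone.response["result"]
    # Forgery: the snooper saw the challenge but lacks the PSK, so cannot compute the tag.
    outcome["forgery"] = Phone(broker, b"guessed key").send("push")["result"]
    outcome["presses"] = door.button_presses
    outcome["uniform_sizes"] = all(len(p) == MSG_SIZE for _, p in broker.seen)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Against a real Mosquitto, FakeBroker's publish() and subscribe() map onto paho-mqtt's publish() and subscribe() with message_callback_add(); the practical difference is that replies arrive asynchronously, so the phone has to wait for the challenge before it can tag and send the command, and the Pi should expire stale nonces on a timer rather than only when one is used.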



Tuesday, October 22, 2019

The Seven-Day Book Cover Challenge: The Honorable Mentions

This is a list of other good books that I was considering for the seven days.

Like I told Don Bugg, it was hard to choose just seven.

Most of these books, like Dumas' The Three Musketeers, are really old, but some, like Craig's Missing, Presumed Dead, are relatively new. Some, like White's North American Indian Footwear, are surprisingly still in print, and others, like the 1974 EMS catalog, are long gone. Most of these titles can be found online. Besides Amazon, you can check Goodreads and ThriftBooks. Project Gutenberg is a good source for the classics, such as The Count of Monte Cristo. And it's always a delight to discover any of these books in a real brick-and-mortar bookstore.

There is no significance to the order in which the books appear in this list. Seriously, the order does not matter.

I left off a lot of really good books. I don't know why; that's just the way my brain works. Don't ask me for their titles. If I could remember their titles, they would be on the list. Duh.

There is a quartet of books that doesn't even need to be mentioned: the holy books, the sacred texts, which guide my life. They are superior to any book list I could ever compile.

After that long preface, here's the list of Honorable Mentions.

The Art of Electronics, by Horowitz and Hill
The Complete Walker, by Colin Fletcher
Craft Manual of North American Indian Footwear, by George White
Outdoor Survival Skills, by Larry Dean Olson
The 1974 Eastern Mountain Sports catalog
The Complete Calvin and Hobbes, by Bill Watterson
Betty Crocker's Cookbook, New and Revised Edition (1979)
The original Harry Potter series, all seven books, by J. K. Rowling
The Chronicles of Narnia, by C. S. Lewis
The Chronicles of Prydain, by Lloyd Alexander
Missing, Presumed Dead, by Craig Depew
The Princess Bride, by William Goldman. The book is great; the movie is even greater
The Scarlet Pimpernel, by Baroness Orczy
(also about France, before and after the Revolution:
  • The Three Musketeers, by Alexandre Dumas
  • A Tale of Two Cities, by Charles Dickens
  • Les Miserables, by Victor Hugo
  • The Count of Monte Cristo, also by Alexandre Dumas)
Three programming classics:
  • The C Programming Language, by Kernighan and Ritchie
  • Who's Afraid of C++, by Steve Heller - that title is obsolete, but his later C++ books are just as good
  • Common Lisp: The Language, by Guy Steele

Monday, October 21, 2019

The Seven-Day Book Cover Challenge, Day Seven: the official Boy Scout Handbook

The 7th edition, the one on the left, is from when I was a boy. The 9th edition, the one on the right, is from when I was a Scoutmaster and a Boy Scout dad. I have seen other editions, and IMHO these two are the most solid, most useful, and best written, but my bias is clear.

The journalist and author Peter Applebome wrote a book, Scout's Honor, about his experiences as a Boy Scout dad. Being a reporter and a problem-solver at heart, he takes a long, hard look at what Scouting could be (and should be), compares it to what it is, and makes several really good recommendations for fixing Scouting. 

One of the most interesting things he says is that the Scout Oath and the Scout Law, the moral foundations for Scouting (in the U.S.A.), are rock-solid and it would be a very good thing if all boys (and men!) lived by those tenets. He also says (either himself, or quoting someone) that the Boy Scout Handbook, any edition, is just the kind of "advice to boys" that people have been longing to give to boys today.

Sunday, October 20, 2019

The Seven-Day Book Cover Challenge, Day Six: The Organization Guerilla: Playing the Game to Win

This one is going to have a few of you scratching your heads. It's a book I picked up off the 99-cent table at a bookstore, at the beginning of my career. It's easily worth 20 or 30 times what I paid for it.

This is a very cynical book, with practical advice that will save (and maybe even advance) your career, whether you work in a small business or a giant corporation. You may disagree with some of its principles, and you may go "well, duh" at some others, but after reading the book, you will see its truisms everywhere.

Here are three examples:

1. In business, as in politics, nobody ever gives you the real reason for their decisions/actions.

2. If you want to know who has the real power in an organization, watch where the money comes from, and where it goes -- in short, Power Follows Money.

3. I can't put this into a pithy sentence, but there's an entire chapter in the book about the politics behind distribution lists: who do you put in the From, To, Cc and Bcc fields of a memo or, in today's world, an email? There's a whole science behind it. Make sure you get it right.


Saturday, October 19, 2019

The Seven-Day Book Cover Challenge, Day Five: The History of the Decline and Fall of the Roman Empire

But first, a joke.

At a major league baseball game, the batter hit a line drive that caught the second-base umpire right behind the ear. He staggered a bit, but shook it off, and play continued. But as time went on, he began to act a little loopy. He wandered around the field, and eventually started walking in little circles just behind third base, finishing in a beautiful death spiral. He lay there on the ground until a medical crew ran out and hauled him off on a stretcher.

One of the TV commentators turned to the other and said, "We have just witnessed the Decline and Fall of the Roamin' Umpire."

Now to the serious stuff.

The 18th-century historian Edward Gibbon changed the way history books are written. He also changed the way, and the reasons why, history books are read.

It took me seven years to finish this six-volume masterpiece, a few pages at a time. When I finally closed the last volume, I understood more about the entirety of western civilization than I ever had before.

Friday, October 18, 2019

The Seven-Day Book Cover Challenge, Day Four: The Sneetches and Other Stories

My own children will tell you that this is one of my favorite read-aloud books.

Did I ever tell you that Mrs. McCave had twenty-three sons and she named them all Dave?

Well, she did. And that wasn't a smart thing to do. You see, ...

Thursday, October 17, 2019

The Seven-Day Book Cover Challenge, Day Three: Alvin's Secret Code

This was one of my favorite pre-teen books. After all these years, it's back in print.

I'm delighted. Now a new generation can discover the fun of codes and ciphers.