PC Pro

JON HONEYBALL

Jon questions whether a smart garage door opener is such a smart idea, before sharing his recipe for video-creation success

One of my friends pointed me in the direction of a new CVE listing, which is the database containing known exploits. One description immediately caught my eye: “ismartgate Pro 1.5.9 is vulnerable to malicious file uploads via the form for uploading sounds to garage doors.”

Remote hack into a web-based controller when doing a firmware upgrade? Maybe. Sending a malformed request causing a buffer overrun? Yes, I could see that too. Sending a sound to a garage door? This had to be worth digging into.

You can check out the CVE listing yourself at pcpro.link/315cve, which includes a handy link direct to ismartgate.com. Looking at the site, it’s clear that this is a fully featured IoT-style garage door controller. It has bells, whistles and many more waveforms besides. Digging deeper reveals that, “ismartgate acts as its own server. In other words, all information is stored locally,” which certainly sounds like a good thing. Then, in red for added importance:

“No data is stored in the cloud.”

It supports Apple HomeKit, Google Assistant, SmartThings, Alexa and IFTTT. So all those boxes are ticked appropriately. Going further down the features list we find “Your music in your garage! Define which song you want to play when coming home and which one when leaving home.”

Now I guess your reaction is probably the same as mine. Music to play when coming home isn’t exactly a top feature for me when choosing a garage door opener. But maybe you need to always hear The Best by Tina Turner every time you get out of your Porsche. Or some soothing birdsong if you have a Prius.

And that’s fine, providing it all works well. Let’s go to the second link on the CVE, pcpro.link/315carhack, which takes you to a paper written by Madeleine Berner who is studying Computer Science and Engineering at the KTH Royal Institute of Technology in Stockholm.

It’s a paper worth reading. Well written, coherent and clearly laid out, Berner goes into interesting detail on how the product was evaluated, how the security flaws were found, and all the methodology and tools used. It’s a 140-page paper, so make yourself a large mug of hot tea before you start. Chapter 6 lists the 11 CVEs that were generated from this report.

I particularly liked Berner’s comment towards the end: “Garages can be chained together with other neighbours’ garages, thus if one of them has this smart garage installed it is enough to break into all the neighbours’ garages in the same chain. Another type of garage is the ones that are linked together with the actual house. There is a chance that the door between the garage and the house is unlocked, due to the safety the garage door is supposed to provide. If that type of garage has a compromised smart garage, the attacker would have access to the whole house and not only the garage.”

I’ll leave reading the rest as an exercise for the reader to go through the somewhat gory details, but there’s a much more important issue here. Clearly the vendor thought that this functionality would be a good thing, and that customers would want it and value it highly. Even the capability of playing music when you arrive or leave: there must have been a meeting by R&D where this was approved as a must-have feature.

The problem is that poor coding can then leave you exposed. The mantra must be to ask: what’s the task that needs to be solved? And does the product in question perform it well? Is there a heap of added stuff that really shouldn’t be there?

It’s easy to get seduced by the convenience of the technology.

Saying “Alexa, open the garage door” as you’re putting on your shoes might seem to be a very 21st century, switched-on and hip capability. But what’s the risk/reward ratio here? Needing a key, and actually having to manually open a door yourself, isn’t a huge hardship. And the risk of a hack gaining access, whilst small, is still a risk to be considered.

I’m happy to have Alexa and other technologies in the house. They can control the heating and lighting, and sometimes play me a tune. The worst that can go wrong is that I’m sat in the dark, shivering, listening to Justin Bieber. However, I’ll not have a smart door lock, or a smart garage door opener, or anything else that purports to be “smart” that impacts on my home and office security. We need to educate the public that seeing claims such as Alexa support, and IFTTT, might seem fun, but when applied to a security product, they should make all the alarm bells ring.

Recipe for YouTube success

Andre and I were getting a lot of recipe requests from friends. We sometimes post these things onto our private Facebook pages, but a list of ingredients wasn’t enough. They wanted proper instructions.

This laid the foundation for an idea: how about doing a YouTube channel containing all these recipes, as well as how to cook and present them? Obviously, being the mean-hearted capitalist that I am, I decided that it would be nice if we showcased some of our ManFood products too. However, I was determined that this wouldn’t turn into one of those stereotypical “30 minutes of huff about one item” just to get the YouTube advertising revenue. We wanted to use YouTube as a distribution medium, not as a money generator. Anyway, we were starting from scratch, so it was unlikely that we would be challenging The Great British Bake Off anytime soon.

Naturally, I wanted to do this properly. First, I scoped out the cost of building a kitchen area into one of our garages. I already had some nice studio floodlighting from Arri for use in the lab, so all I’d need was a couple of cameras. The new Blackmagic URSA Mini Pro 12K camera seemed ideal, and would produce fabulously crisp video footage. “Just look at the wrinkles on that lettuce leaf,” I imagined our viewers remarking.

However, at £10,000 per camera, Andre seemed to think that such an expenditure was somewhat over the top. I decided to think more radically. If it was possible to produce an advert for Bentley using iPhones (pcpro.link/315bentley), it should be possible to record how to make the ultimate onion bhajis on one. Given that both Andre and I have iPhone 11 Pros, with their three-lens camera setups, it should be easy, right?

As we’d be shooting in our kitchen at home, I decided to forego the tungsten flood lamps and just rely on normal room lighting. This left the vexatious issue of how to mount and hold the two iPhones. Apparently, the trendy thing to do in food videos is the overhead shot. So I needed to find a suction clamp with a mount that could hold one of the phones in place. Joby makes just the device, and it costs a small amount. Then it was clear that the other iPhone had to be handheld, to get those “point of view” shots. Hand-holding an iPhone turned out to be a little more awkward than I thought. One benefit of professional cameras being heavy is that they are inherently more stable. A light iPhone held in your hand is somewhat of a wobbly thing.

Fortunately, DJI has just released the ideal tool: the OM4. It’s more spindly than a simple suction cup mount or basic gimbal arrangement, and costs a juicy £140. However, I really like DJI kit. We’ve used and tested its entire range of drones in the lab, and they’re almost always head and shoulders better than the competition. Surely a handheld phone mount, using DJI’s stabilisation techniques, was the ideal solution?

And so it proved. The handheld part folds out to create a grip, a gimbal arm and a mounting point. There’s a super-strong magnetically held grip that you can mount the phone into. You can also permanently fit a sticky mount to the phone, but we like to have the Apple battery packs on our phones to eliminate any battery life worries. For us, it’s easier just to pull the phones from their battery packs and use the clip-on mounting.

DJI has an app that you install onto the iPhone. This establishes a Bluetooth connection with the handheld grip, and allows you to use the physical buttons and controllers on the grip to control what the photo and video modes do within the app. It’s seamless and, without question, an awful lot more stable than using the phone handheld by itself. There are useful features too: for example, you can lock onto an object in the video and then automatically keep it centred, which is perfect for an “around the item” shot. Battery life is excellent: I’ve recharged it only once over the past month of five video sessions, lasting between 30 minutes and an hour each.

The final part of the puzzle was obviously going to be putting together the video itself, and then submitting to YouTube. I took the courageous decision that I wasn’t going to do that bit. Although Andre isn’t technically minded, he’s handy enough with his iPhone and MacBook Pro laptop. I gave him a five-minute fast tour around the basics of iMovie and left him to it. He then explored further, and referred to some online training videos that he found.

He also discovered a number of useful sites on the web to help with some design concepts. He’s particularly enamoured with the free account at canva.com, as well as the facilities at lunapic.com. As his needs grow, we might upgrade to subscriptions to get more capabilities, but these are doing just fine so far.

It’s a testament to the capabilities of iMovie, and other similar apps, that it’s entirely possible for someone to put together a professional-looking video, with multiple camera angles, stills, titling and so on, and do so with minimal training and no handholding. Our plan is to do one per week, and our friends are enjoying them so far. We don’t claim to be doing “professional-grade production” but it’s a great demonstration of what can be created using a smartphone, simple desktop software and publishing to a platform like YouTube. It’s a work in progress and it’s fun – don’t think that this stuff is difficult because it isn’t.

Obviously, I’d be grateful if a few of you “liked and subscribed” – then we could get a proper URL to share – so head to pcpro.link/315manfood for some gourmet inspiration.

Defender PUPs

I had an interesting problem with a laptop belonging to a friend. She lives some distance away, meaning that dropping in to see her wasn’t practical or advisable in these current difficult times. I established a remote desktop connection to her Dell laptop using one of the various free tools when a quick scan with Defender showed that she had downloaded a potentially unwanted program (PUP) the previous week. Searching the hard disk showed that Defender had correctly deleted the offending code as soon as it arrived, but that didn’t explain why Defender kept saying that the PUP was still on her system. It made no sense because the code had definitely been removed.

It turns out that Defender in Windows 10 2004 has a bug. If it identifies a PUP, it removes it with no problems, but on subsequent runs of Defender it still reports it. I tracked down a post about this on Microsoft’s support forum at pcpro.link/315pup.

It seems that since update 2004, Windows 10 defines PUPs as being a bad thing and removes them for you. In doing this it blocks the code, and then leaves it in Protection History.

The post details what you need to do to clear this out, but the steps are simple enough: find the “Detection History” file in the Service folder under C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service. Note that \ProgramData\ is a hidden folder, so make sure you enable the “Hidden Items” checkbox under the “View Tab”. If you do this, then the next run of Defender will correctly identify that the machine is clean. However, until this bug is fixed, it will reoccur if you get another PUP onto the machine. This solution worked just fine for this Dell laptop, and I was able to hand it back to its owner, happy in the knowledge that it was now properly sanitised.

Plugins in my browser

A couple of weeks ago, I gave a lecture to the Coventry branch of the British Computer Society. I believe it went well, although doing this through a large videoconferencing app means that you, as the speaker, are hidden away from the booing and shuffling of feet. Or even worse, when someone falls asleep.

One item I touched upon was the range of good browser plugins available today, so I thought I’d bring you up to date with what I’m using. This isn’t meant to be a definitive list, and I’m sure you’ll have your own favourites, but what follows works for me in Firefox.

@jonhoneyball Jon is the MD of an IT consultancy that specialises in testing and deploying kit
BELOW Berner’s paper illustrates why you should be wary of unnecessary features
ABOVE A £10,000 12K camera was too much for Andre, so we used our iPhones instead
BELOW DJI’s OM4 performs miracles when capturing handheld videos
ABOVE We plan to add one new video recipe to our YouTube channel each week
BELOW A bug in Windows 10 2004 means Defender sells you a phantom PUP
