New Prototyping Boards Make DIY Hardware Hacks Easy

Vendors That Don’t Test Products Before Selling Them are Doomed to be Targets of Future Research and Attacks

In several of the talks at Black Hat and again at DefCon, both in early August, I noticed a number of security researchers using the open source Arduino boards for their projects. Arduino, which is Italian for “strong friend,” is useful among security researchers for rapid prototyping of tools used in hardware analysis. The most recent releases include 54 digital input and output pins, up to 256KB of memory, serial connectivity, power, and a reprogrammable USB interface for program uploading. In September, Arduino announced new open source hardware specifically targeting ARM prototyping, and one model with a full TCP/IP stack.

The Arduino circuit board is pretty basic and can be easily configured to control lights, motors, and other actuators. Projects listed on the company site include “intrusion alarm, thermostat, line follower robot, RBS lights and switches, an intelligent bug zapper that shows how many bugs were zapped and average/cumulative zap time, a photovore robot that goes to the brightest source of light and a Poo and Pee detector, with a Diaper Shield, for use with newborn babies.” These projects take advantage of the Arduino programming language (which is based on the open source Wiring project) and the open source Arduino development environment (which is based on the open source Processing project).

Arduino boards can be purchased directly from the company or from third parties, with programs already installed. But there’s also a vibrant community of security researchers who prefer to build their own and go well beyond the basic weekend-hobbyist DIY projects. For example, at DefCon, Steve Ocepek presented “Blinkie Lights: Network Monitoring with Arduino,” using an 8×8 multicolor LED matrix, an Arduino board, and a network monitoring program to make a low-cost LED-based network sniffer for around $60. While it is a minor example, I expect to see more uses for Arduino and other boards at future security conferences.

The Arduino Due, the first ARM-based single-board development system, offers a 32-bit ATMEL SAM3U Cortex-M3 ARM-based processor running at 96MHz. Like the basic version already available, the Arduino Due includes 256KB of flash memory, 50KB of SRAM, 5 SPI busses, 2 I2C interfaces, 5 UARTs, and 16 analogue inputs offering a 12-bit resolution.

Since the Due will be a big departure from Arduino’s usual fare, it is expected to undergo a beta testing period with selected developers. Following the Maker Faire in New York last week, a Developer Edition became available to those who want to shape the final design, which the company has promised will go on sale before the end of the year.

In addition, Arduino announced the Arduino Leonardo, which is able to simulate a mouse, a keyboard, and a serial port, and the Arduino Wifi Shield, which adds Wi-Fi capabilities to the basic Arduino board. The shield uses a Wi-Fi micro module made by H&D Wireless and an AVR32 processor with the full TCP/IP stack.

With the Arduino board and other open source tools now available via the Internet, the days of saying it would take the resources of a nation-state to discover or exploit vulnerabilities in a particular piece of hardware in an industrial control system or a healthcare environment are rapidly fading. Vendors who do not test their products before selling them into the field are doomed to be targets of future research and, perhaps, attacks. Hopefully, future security disclosures will be handled responsibly. Hopefully, the good guys can also learn from products such as the Arduino.
