dreadnip an hour ago

This part confused me:

“Suddenly one day about a week in I got a random anonymous message on Signal containing a single file of 1,704 bytes. I cautiously examine this rogue file in a hex editor and find that it looks like a real private key.”

I’m very unfamiliar with Android development so I’m not sure what the author is implying here. Is this some random Humane owner sending his key to him, or maybe a former Humane employee?

  • msephton an hour ago

    Right. I think it's just a way of saying that he got the key through unorthodox means. But I'd say it's quite likely via a former employee.

kjellsbells 8 hours ago

I'm strangely comforted by the fact that OP had to work so hard to get in.

I was expecting that the pin software would be IoT-standard terrible, so it was a pleasant surprise to see that the Humane team did their best to use SELinux and lock it down.

No knock on them for not getting it 100% right here, and besides, it's always been the case that once an attacker has physical access they will eventually get in.

  • philipwhiuk 7 hours ago

    Using a vulnerability not found until after the software stopped being maintained feels a bit like cheating :)

    • agg23 7 hours ago

      It would, but the vulnerability was found and patched in mainline Android a few months after the device came out, but with over half a year until support was dropped. We obviously can't expect them to have kept the OS up to date, especially given the pressure they were under, but applying security patches seems very reasonable.

  • agg23 7 hours ago

    I definitely agree. Humane cared about physical device security a lot and it really shows with how they built out the firmware.

    • jkestner 6 hours ago

      Best of all, their security through obscurity.

  • vayup 5 hours ago

    Me too. Kudos to the team.

didip an hour ago

Seeing that it's a super flawed idea, surprising that Humane put in so much effort in this product. I thought it was just a quick cash grab attempt.

  • chrischen an hour ago

    Is it that flawed? Maybe a bit early and not enough cash behind them as say a company like Meta or Apple (planning to pivot the VR headset into AR glasses).

  • krzat 42 minutes ago

    Reminds me of Juicero, apparently its engineering was also pretty solid.

vessenes 8 hours ago

Ooh, this is cool. The Humane was a cool form factor, and I always thought that hand laser projection thing looked awesome. Upshot is the author is a ninja and is building an open assistant platform on the pin, which first requires that the old pins be jailbroken. Significant (successful) effort ensues.

aftbit 8 hours ago

Wow this is such a cool hack. It seemed like a simple "known vuln" situation but there was so much more that had to be figured out! I wish I had one of these just to play with the open stack.

buildbot 5 hours ago

Wow, there’s so many levels of investigation and depth to getting this device opened. The short section on the eSIM seems like a story in and of itself!

Somewhat incredible people have this much dedicated focus.

elysianPanel2 4 hours ago

When it takes a ninja-level hacker to break in, at least they tried harder than most IoT companies.

quantumVale33 4 hours ago

Sometimes the best treasures are found in failed products, it's like getting a $700 AI pin for $300 and a lot of weekend hacking fun

bko 6 hours ago

A bit off topic perhaps but what's difficult about making this a product? Please forgive my ignorance. It's just a microphone, speaker, could be a Bluetooth controller and a battery, and have it go through your phone. Maybe a small local neural net to monitor for keyword locally.

I guess it's a few more parts if you don't want it to go through your phone, but is that all that's happening here? What am I missing?

Is the hard part just the size? Or battery efficiency? Seems like all stuff I have in my drawer from messing around w Raspberry Pis over the last ten years

  • agg23 5 hours ago

    This is something you can accomplish very easily in an ESP32 form factor, streaming audio over wifi/bluetooth. However, it doesn't fully deliver the same experience; the goal was for it to replace your phone, so it needs to support a lot more functionality such as data persistence, offline support, notifications, cellular, maybe some form of visual IO (the laser projector), etc.

    From my perspective I was just interested in the excellent industrial design, which is something that is virtually impossible for a DIY setup to attain.

    • duskwuff 4 hours ago

      > From my perspective I was just interested in the excellent industrial design

      Debatable. The pin ran hot and had a short battery life, often less than a day even with the extended battery. The magnetic attachment was fiddly to use, and some users had trouble with it not staying put. The laser projector had serious usability problems - it wasn't very bright or clear, and interacting with the projected image (which was required to unlock the device, among other features) was extremely awkward.

      One can argue that some of these are implementation issues, but working within the limitations of available technology is an inextricable part of industrial design. Dreaming up a perfect fantasy device is easy; designing one which can actually be implemented is much harder.

  • bobsmooth 5 hours ago

    It's got a nifty laser projector, that's it. It could be a smartphone app.

edm0nd 7 hours ago

They are cool but both Humane pin and the Rabbit R1 products were largely flops and failures. I do hope in the next 10-20 years this same tech will advance and actually work and be cool.

  • Gigachad 7 hours ago

    The actual idea itself seems flawed rather than just the implementation. Ordering an uber on your phone and seeing where it is on the map is always going to be easier than trying to do it through voice and a hand projector.

    And the Rabbit was just an Android app bundled with a low end phone.

    • SpecialistK 6 hours ago

      I agree. It looked like a solution in search of a problem.

      Which is very common when everyone has big hi-res screens and oodles of compute power in their pocket. What can a new entrant offer which couldn't be an app?

      • brightbeige an hour ago

        Workstations put a computer on your desk.

        Laptops put a computer in your backpack.

        Smartphones put a computer in your pocket.

        (I’m not sure what is next, but it’s coming, eventually.)

        • shomp 14 minutes ago

          Some people think it is the eyeball (glasses), some people think it is the brain (NeuraLink). Some people think it is the wristwatch. The pins were an attempt at a pendant. I don't think anyone has tried the necklace, yet. A glove might also be interesting. If the peripheral keeps shrinking, it could be a ring, or set of rings, or an earring. Or a fairy that follows you around like in Ocarina of Time. We could write a theorem about convenience of use and capabilities at different scales for peripherals. It is worth noting that some sizes never really go obsolete, but rather enhance in power and capability.

  • jkestner 6 hours ago

    Smartphones exploded when devs were given a bunch of cool new I/O followed by rapid cost reduction. Shame that the startups doing the cool hardware don’t do that… can’t say it’s the funding. They sure had enough.

    • touchscreenstho 5 hours ago

      Smartphones exploded because they introduced a new, better form of input to the general market. Most use cases do NOT require fine precision of input, so buttons were unnecessary, and the market had already tried both few and many buttons. Smart on-screen keyboards and a UI entirely controllable with touch was a revolution people don't want to come back from until they DO need that precision, which is why gaming accessories like the bone exist, but are a niche.

      A projector is none of that. A projector is a gimmick. The projector could cost $5 and it would still fail to capture an audience if it wasn't just a side-feature on a more conventional phone.

  • mattnewton 7 hours ago

    I guess I just don’t see the appeal over a smartphone. How often are your hands incapacitated where it warrants all the other advantages of that form factor? And the R1 form factor largely didn’t even have that advantage.