Inspiration
Every 6 minutes, a car is stolen in Canada.
Most owners never see it coming... because the thief never touched a lock.
Relay attacks are silent, fast, and devastatingly effective. A criminal stands outside your house with a $30 device that amplifies your key fob signal through walls, tricks your car into thinking you're standing right there, and drives away in under 60 seconds. No broken glass. No alarm. No trace.
Traditional car alarms check one thing: was the door opened? But relay attacks bypass the lock entirely. The problem isn't your door. It's your key. And keys can be spoofed.
What can't be spoofed? You. Specifically, your phone's Bluetooth beacon.
That's why I built Senny.
What it does
Senny the Sentinel is a two-factor authentication system for your car, disguised as a teddy bear.
- Factor 1: An MC-38 magnetic reed switch detects when the car door opens
- Factor 2: An ESP32 microcontroller scans for the owner's phone BLE beacon ("SennyKey" broadcast via nRF Connect)
| State | Result |
|---|---|
| Door opens + phone present | Silence. Owner is here. |
| Door opens + phone absent | Senny activates. |
Three simultaneous responses on activation:
- Piezo buzzer triggers an immediate local alarm on the hardware
- WiFi HTTP POST fires to a live Node.js dashboard in real time
- ElevenLabs AI voice alert plays: "Warning. Unauthorized access detected."
The live dashboard features real-time threat analysis, color-coded event logging, BLE signal strength visualization, a live threats-blocked counter, emergency disarm, and one-tap reporting to local authorities. Secured with Auth0 Google/Apple/Email authentication.
How I built it
Hardware layer: ESP32-WROVER microcontroller running simultaneous BLE scanning and WiFi. MC-38 magnetic reed switch for door detection. Piezo buzzer for local alarm. All inside in a shoebox "car" with a teddy bear on top. because intimidation is overrated.
Firmware: Arduino C++ managing three concurrent tasks: BLE scanning for "SennyKey" beacon, door sensor interrupt handling, and WiFi HTTP POST events to the dashboard server. The key challenge was the ESP32's memory architecture. BLE and WiFi cannot coexist on the default partition scheme.
Backend:
Node.js + Express server receiving events, persisting them to events.json (survives restarts), and serving the dashboard at port 3000.
Frontend: HTML/CSS/JS dashboard with a claymorphic dark UI, real-time event polling every 2 seconds, dynamic threat scoring (0.02 normal → 0.94 on alert), animated shield that turns red on intrusion, and live BLE signal strength visualization.
AI + Auth stack:
- Auth0: Single Page Application with Google, Apple, and Email login via PKCE flow
- ElevenLabs: AI-generated voice alert using the Mathias voice model
- Gemini AI: Real-time threat analysis and scoring on the dashboard
Deployment: Vercel (public dashboard) + local Node server (live ESP32 demo pipeline)
Challenges I ran into
BLE + WiFi coexistence on ESP32 was the hardest technical challenge. The default Arduino partition scheme doesn't allocate enough flash memory for both BLE and WiFi stacks simultaneously — the firmware would crash on boot. Solved by switching to the "Huge APP (3MB No OTA)" partition scheme in Arduino IDE.
Anker power bank auto-shutoff: the ESP32 draws so little current that the Anker bank's low-power detection kept cutting power mid-demo. Switched to MacBook USB for reliable demo power.
Auth0 OAuth flow mismatch: the SPA SDK uses PKCE which is incompatible with the "Regular Web Application" type in Auth0. Switching to "Single Page Application" fixed login for all three providers.
Real-time event pipeline latency: getting sub-2-second latency from ESP32 → WiFi → Node.js → dashboard required careful HTTP keep-alive tuning and polling optimization.
Accomplishments
- Fully working end-to-end 2FA security system built solo in under 36 hours.
- Real hardware that physically responds to intrusion attempts with no false positives during testing
- Live ESP32 → WiFi → dashboard pipeline with sub-2-second latency
- Production-quality claymorphic dashboard UI with Auth0 authentication
- Working ElevenLabs voice alerts triggered by real hardware events
- Deployed to Vercel with a public demo URL
- The agentic ESP32 makes autonomous binary threat decisions at the edge. No cloud dependency required for the core security function
What I learned
ESP32 memory architecture and partition schemes. BLE + WiFi coexistence constraints on embedded systems. Auth0 PKCE OAuth flow and the difference between SPA and Regular Web Application types. How relay attacks work at a radio frequency level. Node.js event persistence patterns. And that a teddy bear makes hardware demos dramatically more memorable than a naked PCB.
What's next for Senny
- Physical steering wheel lock: ESP32-triggered servo lock preventing the wheel from turning without the owner's phone present (with safety and emergency precautions of course)
- Window break sensors: piezoelectric film detecting glass breakage frequencies
- OBDII port integration: working with airbag and crash safety systems, not against them
- Guest mode: temporary BLE keys for valets and family members
- Automatic police reporting: one-tap or automatic alert to local authorities with GPS location
- SennyKey mobile app: purpose-built replacement for nRF Connect
- GPS Tracker: Nothing is perfect. If the thieves find a way to steal the car (practically impossible bypassing Senny, however!), a tracker you can hide in your car can make sure that if the thieves figure it out, they still won't get far!
Senny the Sentinel. Because your car shouldn't talk to strangers.
Built With
- arduino
- auth0
- ble
- c++
- css3
- elevenlabs
- esp32
- express.js
- geminiai
- git
- html5
- javascript
- json
- node.js
- nrfconnect
- python
- remotion
- restapi
- tailscale
- vercel
Log in or sign up for Devpost to join the conversation.