TruffleHog Sniffs Github for Secret Keys

Secret keys are quite literally the key to security in software development. If a malicious actor gains access to the keys securing your data, you’re toast. The problem is, to use keys, you’ve got to write them down somewhere – oftentimes in the source code itself. TruffleHog has come along to sniff out those secret keys in your Github repository.

It’s an ingenious trick — a Python script goes through the commit history of a repository, looking at every string of text greater than 20 characters, and analyzing its Shannon entropy. This is a mathematical way of determining if it looks like a relatively random string of numbers and letters. If it has high entropy, it’s probably a key of some sort.

Sharing source code is always a double-edged sword for security. Any flaws are out for all to see, and there are both those who will exploit the flaws and those who will help fix them. It’s a matter of opinion if the benefits outweigh the gains, but it’s hard to argue with the labor benefits of getting more eyes on the code to hunt for bugs. It’s our guess though, that a lot of readers have accidentally committed secret keys in a git repository and had to revert before pushing. This tool can crawl any publicly posted git repo, but might be just as useful in security audits of your own codebase to ensure accidentally viewable keys are invalidated and replaced.

For a real world example of stolen secret keys, read up on this HDMI breakout that sniffs HDCP keys.

Swiss Army Keys


This isn’t a hack that shows you how to start a car without the keys. It’s a way to ditch the bulky keyring for a set of fold-out keys. [Colonel Crunch] removed the blades from the pocket knife and replaced them with the two keys for his car (one is ignition and door locks, the other opens the trunk). He didn’t take pictures of the process, but he did link to this unrelated guide on how it’s done.

About one minute into the video after the break we see each step in the build process. First the plastic trim is removed from either side of the knife. The blades are basically riveted on; there’s a pin which holds them in and either side of it has been pressed to that it can no longer move through the holes in the frame. To get around this one side is ground off with a rotary tool, and the pin is then tapped out with a hammer. The removed blade/scissors/tool is used as a template to cut the body of the key down to size and shape.  The pin is then hammered back into place before putting the plastic trim back on.

Continue reading “Swiss Army Keys”

HDMI breakout lets you sniff HDCP crypto keys

There’s two really useful parts to this hack which involves sniffing the HDMI protocol’s HDCP security keys. The first is just getting at the signals without disrupting communications between two HDCP capable devices. To do so [Adam Laurie] started by building an HDMI breakout cable that also serves as a pass-through. The board seen above is known as an HDMI screw terminal board. The image shows one cable connecting to itself during the fabrication process. What he did was cut one end off of an HDMI cable, then used a continuity tester to figure out which screw terminal connects with which bare wire. After all the wires are accounted for the end with the plug goes to his TV, with a second cable connecting between the board’s socket and his DVD player.

The rest of his post is dedicated to sniffing the security keys. His weapon of choice on this adventure turns out to be a Bus Pirate but it runs a little slow to capture all of the data. He switches to a tool of his own design, which runs on a 60MHz PIC32 demo board. With it he’s able to get the keys which make decrypting the protected data possible.

Finding your keys with Bluetooth

[doragasu]’s wife is always misplacing her keys. To solve this problem, [doragasu] created a small Bluetooth-enabled key fob that is able to remotely sound an alarm when commanded to by a cell phone.

The case and LiPo battery of [doragasu]’s project comes from a small photo frame key fob. The LCD display and PCB of the photo frame were tossed aside for a future project, and the design of the circuit started. The Bluetooth buzzer key fob is based around an MSP430 microcontroller because of their extremely low power requirements.

On the software side of things, [doragasu] built a J2ME app to connect to the key fob and turn the buzzer on. His app is portable to any Android phone, and versions can be ported to Windows, OS X and iOS devices.

How does it work? Well, [doragasu]’s wife sometimes forgets to charge her key fob, rendering the whole project useless. There are ideas for  updating the device to a Bluetooth 4.0 Low Energy device, but no actionable plans. Still, very good work. You can check out [doragasu]’s walkthrough and demo video after the break.

Continue reading “Finding your keys with Bluetooth”

QR code key fob helps your lost keys find their way home


Don’t you hate that feeling, the one you get when you have just realized that you have no clue where you may have left your keys? If you are unlucky enough to have lost them in a public place, odds are they are as good as gone. Pumping Station One member [celtwolf] thought it would be great if your keys could help someone contact you instantly upon finding them, so he created a key fob that did just that.

SMS can use a similar URI scheme as the “mailto” protocol we are all familiar with, so [celtwolf] generated a URI that would send a text to his mobile phone with the message “I found your keys!”. He generated a QR code from the URI, then etched it on a piece of acrylic using a laser cutter. He filled in the recessed portions with a dark polymer clay, baked it, then coated it with a layer of nail polish for added durability.

Now, if anyone finds his keys and takes a picture of the QR code with their smartphone, he will immediately receive a text letting him know they are safe and sound. What a great idea!

A keygen for the real world


[Nirav] found that he rarely printed anything useful with his RepRap, so to shake things up, he decided he needed to work on a project that didn’t involve printing yet more RepRap parts.

The goal of his project was to create working replicas of house keys by simply using the code imprinted at the factory. He purchased a handful of used lock sets from eBay, then carefully measured the keys with a ruler and calipers to get the blank dimensions just right. After that was done, he looked around online and was eventually able to create an OpenSCAD model using a chart of pin depth specifications he located. By changing the last line in the model’s code he can print any coded key. For keys lacking a code, he can manually measure the height of each bit and print replicas that way as well. Once printed, he says that they keys are strong enough to turn most locks he has come across, including deadbolts.

This is undoubtedly a neat project in its own right, though we would be interested to see if someone could get it paired with a program like SNEAKEY to generate bit measurements by sight alone.