You probably remember that for DEFCON I built a hat that was turned into a game. In addition to scrolling messages on an LED marquee there was a WiFi router hidden inside the hat. Get on the AP, load any webpage, and you would be confronted with a scoreboard, as well as a list of usernames and their accompanying password hashes. Crack a hash and you can put yourself on the scoreboard as well as push custom messages to the hat itself.
Choosing the complexity of these password hashes was quite a challenge. How do you make them hackable without being so simple that they would be immediately cracked? I suppose I did okay with this because one hacker (who prefers not to be named) caught me literally on my way out of the conference for the last time. He had snagged the hashes earlier in the weekend and worked feverishly to crack the code. More details on the process are available after the jump.
At Hackaday we believe that your encrypted vault containing your credentials shouldn’t be on a device running several (untrusted) applications at the same time. This is why many contributors and beta testers from all over the globe are currently working on an offline password keeper, aka the Mooltipass.
Today we’re more than happy to report that all of our 20 beta testers started actively testing our device as they received the v0.1 hex file from the development team. Some of them had actually already started a few days before, as they didn’t mind compiling our source files located on our github repository and using our graphics generation tools. We are therefore expecting (hopefully not) many bug reports and ways to improve our device. To automatize website compatibility testing, our beta tester [Erik] even developed a java based tool that will automatically report non-working pages found inside a user generated list. You may head here to watch a demonstration video.
For months our dear Hackaday readers have been following the Mooltipass password keeper’s adventures, today we’re finally publishing a first video of it in action. This is the fruit of many contributors’ labor, a prototype that only came to be because of our motivation for open hardware and our willingness to spend much (all!) of our spare time on an awesome project that might be just good enough to be purchased by others. We’ve come a long way since we started this project back in December.
In the video embedded above, we demonstrate some of our platform’s planned functionalities while others are just waiting to be implemented (our #1 priority: PIN code entering…). A quick look at our official GitHub repository shows what it took to get to where we are now. What’s next?
We need your input so we can figure out the best way to get the Mooltipass in the hands of our readers, as our goal is not to make money. The beta testers batch has just been launched into production and I’ll be traveling to Shenzhen in two weeks to meet our assembler. When materials and fabrication are taken into account we expect each device to cost approximately $80, so please take 3 seconds of your time to answer the poll embedded below :
The Hackaday community is currently working on an offline password keeper, aka Mooltipass. The concept behind this product is to minimize the number of ways your passwords can be compromised, while generating and storing long and complex random passwords for the different websites you use daily. The Mooltipass is a standalone device connected through USB and is compatible with all major operating systems on PCs, Macs and Smartphones. More details on the encryption and technical details can be found on our github repository readme or by having look at all the articles we previously published on Hackaday.
As you can see from our commit activity these last weeks have been extremely busy for us. We finally have a firmware that uses all the different libraries that our contributors made but also a chrome plugin and extension that can communicate with our Mooltipass. We’re very happy to say that our system is completely driverless. A video will be published on Hackaday next week showing our current prototype in action as some of the contributors are already using it to store their credentials.
We selected 20 beta testers that will be in charge of providing us with valuable feedback during the final stages of firmware / plugin development. Selection was made based on how many passwords they currently have, which OS they were using but also if they were willing to contribute to the prototype production cost. We expect them to receive their prototypes in less than 2 months as the production funds were wired today.
We think we’ve come a long way since the project was announced last december on Hackaday, thanks to you dear readers. You provided us with valuable feedback and in some cases important github push requests. You’ve been there to make sure that we were designing something that could please most of the (non) tech-savy people out there and we thank you for it. So stay tuned as in a week we will be publishing a video of our first prototype in action!
The last few weeks have been quite tense for the Mooltipass team as we were impatiently waiting for our smart cards, cases and front panels to come back from production. Today we received a package from China, so we knew it was the hour of truth. Follow us after the break if you have a good internet connection and want to see more pictures of the final product…
For the last few weeks we’ve mostly been improving our current PCBs and case design for the production process to go smoothly. The final top PCB shown above has been tweaked to improve his capacitive touch sensing capabilities, you may even see a video of the system in action in the Mooltipass project log on hackaday.io. We’ve also spent some time refining the two most popular card art designs so our manufacturers may print them correctly. We’ll soon integrate our updated USB code (allowing the Mooltipass to be detected as a composite HID keyboard / HID generic) into the main solution which will then allow us to work on the browser plugin.
It’s also interesting to note that we recently decided to stop using the GPL-licensed avrcryptolib. Our current project is CDDL licensed, allowing interested parties to use our code in their own project without forcing them to publish all the remaining code they created. The GPL license enforces the opposite, we therefore picked another AES encryption/decryption implementation. This migration was performed and checked by our dedicated contributor [Miguel] who therefore ran the AES NESSIE / CTR tests and checked their output, in less than a day.
We’re about to ship the first Mooltipass prototypes to our active contributors and advisers. A few weeks later we’ll send an official call for beta testers, just after we shown (here on Hackaday) what the final product looks like. Don’t hesitate to ask any question you may have in the comments section, you can also contact us on the dedicated Mooltipass Google group.
The Hackaday writers and readers are currently working hand-in-hand on an offline password keeper, the Mooltipass. A few days ago we presented Olivier’s design front PCB without even showing the rest of his creation (which was quite rude of us…). We also asked our readers for input on how we should design the front panel. In this new article we will therefore show you how the different pieces fit together in this very first (non-final) prototype… follow us after the break!