With every website these days demanding the creation of an account, it can become difficult to remember so many logins. Each password should ideally be unique, lest a leak from your fantasy football game cost you thousands in stolen bitcoins. To help, [vcch] developed a password vault, using an interesting off-the-shelf platform.
The platform in question is the M5StickC, which packs an ESP32, color LCD, and battery into an attractive orange enclosure. It’s even got USB-C, making it a tool with an eye on the future. It serves as a quick way to get a basic IoT project up and running, without having to fuss about designing your own enclosure or basic power supply hardware.
On this platform, [vcch] created a tool to make keeping track of passwords easy. The PassStrong, as it’s called, can store a huge number of passwords, and communicates with the host PC over Bluetooth. The interface makes good use of the LCD, displaying the current mode and function of each button on the device for the user. It’s capable of working in both QWERTY and AZERTY environments, which should appeal to European users.
The M5StickC is a perfect choice in this regard, packing enough buttons and the required Bluetooth hardware to get the job done. No need to spend any time integrating modules – simply open the box and get to coding. We expect to see more developments in this space in future, and look forward to the efficiency gains this will bring to all kinds of projects!
…which should appeal to SOME European users… https://en.m.wikipedia.org/wiki/AZERTY
The method used to convert to AZERTY can easily be adapted to other keyboards.
Wouldn’t bluetooth expose the passwords to the outside? Or is strong encryption used?
Hopefully Bluetooth isn’t used to communicate passwords.
> You will need to install M5StickC libraries, as well as BLEKeyboard library
Nope, I did not see any settings for encryption (password bonding) or MITM in the code. But maybe they are there somewhere; I didn’t have too much time for this.
No. The idea was to have something typing your password on your behalf, with no specific add-on on your PC.
Unless I am wrong, Bluetooth is encrypted, or not?
It is, but when a passcode is not exchanged, it’s easy to decrypt.
Clarification: this project does use bluetooth to communicate passwords (it works as a bluetooth keyboard).
What do you mean by pass exchange? Is there a change to make in the BLEKeyboard library?
[Writing this for a third time now, and not in Chrome for Android in the comment box…]
Hopefully they would be using a secure key-agreement protocol like ECDH considering how not very difficult it is to implement on very tiny computers; even smart cards can do it; so if this thing can do Bluetooth, much more complex, then one would hope so.
Yeah, notwithstanding any previous comment that may or may not have been posted on my behalf, I still can’t tell; it doesn’t look like it, so I would not use it for any sensitive passwords, which kind of defeats the point of a password manager, doesn’t it?
Cool project for keeping unimportant passwords, but security is rather limited. Flash memory can easily be read and the PIN brute-forced, as it lacks self-destruct mechanisms like secure chips or smartcards, for example. Also you have firmware in the ESP32 that can’t be audited. I’d stick to Mooltipass or a similar device that stays safe even when not in your possession.
FWIW, ESP32 does have flash encryption and secure boot. So, if done correctly, you can’t read the firmware or the password from the flash. You could intercept bluetooth communication, but if it’s correctly ciphered, it’ll also be hard to decode. In the end, it might be good enough for the job.
Both have been broken, you can recover the keys by voltage glitching.
Yup, it was even covered here.
https://hackaday.com/2019/11/17/the-esp32-laid-bare/
This is true. But the passwords of 8 letters or fewer that most people use are cracked in even less time…
Except that new ESP32 (revision V3 IIRC) are fixed from this attack. See https://www.espressif.com/en/news/Security_Advisory_Concerning_Fault_Injection_and_eFuse_Protections
It’s good to know where the limitations of the product are. No device or scheme is perfect; in this case, I’m referring to Crypto AG. When you know and understand the limitations you can decide if you want to use this tool, a closed source or an open source tool. Multiple have been on HAD, either the development or the hacking of such a device.
Let’s get past the “technology X is secure and you should’ve used product Y!” This will almost always result in a polar opposite internet argument you are all likely familiar with. It’s far more complicated in the real world. In my limited experience I’ll tell you that it’s almost impossible to make security/software/electronics withstand everything. Even more so if developed with limited time and funds like this hobby project.
Bluetooth or any communications protocol is just for moving bits. The security is up to you.
For research: BLE CTF, Pwn the ESP32 forever, Hardware wallet fail.
Pfft, my scheme is perfect, I translate to Navaho, transcribed into Minoan Linear A, then do 17 rounds of SHA256 then rot-13 it.
Thanks a lot for all your insights. I would really appreciate suggestions to strengthen the Bluetooth. I agree the pincode could be hashed and salted to protect this better.
As jwrm says, it only does what it is supposed to do, and it is as strong as entering a complex password on a Bluetooth keyboard (in my case: nobody sees you typing and the keyboard is pincode protected).
Existing dongles look fine, but most of the apps I am using are password protected. So a solution that is not able to type the password for me is useless.
I really like the idea, as it seems to be a pretty good solution to convince those still using plain text passwords to convert to something more secure 👍
Indeed. With all the limitations of Bluetooth, in 98% of cases (people using passwords of fewer than 9 chars) it increases security…
Being new to Arduino, I could use some more detail on “if you have the needed libraries (M5StickC, BLEKeyboard,…)”
What might you need to fill in “…”?
Basically you do not need much more than that.
Please note that a new version is out, with pincode protection for the Bluetooth pairing: https://hackaday.io/project/171819-passstronger
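The thread above asks what “passcode exchange” and “pincode protection for the pairing” look like for a BLE keyboard built on the ESP32. The sketch fragment below is an added example, not code from PassStrong or the BLEKeyboard library: it assumes the arduino-esp32 BLE stack (BLEDevice.h / BLESecurity) and shows the security parameters that make the host prove knowledge of a passkey displayed on the LCD before pairing completes, instead of accepting an unauthenticated “Just Works” link. The method names are those of that library as the author of this example knows them; check them against your installed core version, and treat the passkey value as a placeholder.

```arduino
// Added example (not the PassStrong project's own code). Requires the
// arduino-esp32 BLE library; called once before advertising starts.
#include <BLEDevice.h>
#include <BLESecurity.h>

// Placeholder only: a real build should generate a random passkey per pairing
// and show it on the M5StickC display rather than hard-coding it.
static const uint32_t PAIRING_PASSKEY = 123456;

void configurePairingSecurity() {
  // Refuse to serve HID reports until the link is encrypted AND authenticated.
  // With this level, an unauthenticated "Just Works" pairing is rejected.
  BLEDevice::setEncryptionLevel(ESP_BLE_SEC_ENCRYPT_MITM);

  BLESecurity *security = new BLESecurity();

  // LE Secure Connections + MITM protection + bonding: the host must complete
  // passkey entry, and the resulting long-term key is stored for reconnects.
  security->setAuthenticationMode(ESP_LE_AUTH_REQ_SC_MITM_BOND);

  // The stick has a display but no keypad: advertise "DisplayOnly" so the
  // host prompts its user to type the passkey shown on the LCD.
  security->setCapability(ESP_IO_CAP_OUT);

  // Full 128-bit key and distribution of encryption + identity keys.
  security->setKeySize(16);
  security->setInitEncryptionKey(ESP_BLE_ENC_KEY_MASK | ESP_BLE_ID_KEY_MASK);
  security->setRespEncryptionKey(ESP_BLE_ENC_KEY_MASK | ESP_BLE_ID_KEY_MASK);

  // Passkey the host will be asked for (see placeholder note above).
  security->setStaticPIN(PAIRING_PASSKEY);
}
```

Whether a given pairing actually used MITM protection can be checked on the device side by inspecting the pairing result reported to a BLESecurityCallbacks handler, and on the host by looking at the bonded device's authentication flags.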