When we hear about flash drives in the context of cybersecurity, we tend to think of them more as threats than as targets. When you’re using flash drives to store encryption keys, however, it makes sense to pay more attention to their security. [Juergen] designed the PECKUS (Presence Enforcing Crypto-Key USB-Storage) with this specifically in mind: a few-kilobyte storage device that only unlocks if the owner’s Bluetooth device is in the vicinity.
[Juergen] needed to store an infrequently-used keyfile on an air-gapped system, and commercial encrypted flash drives were rather expensive and left much to be desired in terms of usability. Instead, he designed a CircuitPython custom firmware for MakerDiary’s nRF52840 micro development kit, which provided a BLE-capable system in the form of a USB dongle.
After flashing the firmware to the board, the user sets it up with a particular Bluetooth device and a file to be stored; after writing the file during setup, it cannot be rewritten. Before reading from the device, the user must pair the previously-set device with the board and press a button on the board, and only then does the device appear to the computer.
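The gating described above, modelled as an added example; this is not PECKUS firmware or code from the project. The class, its method names and the `respond` helper are hypothetical. The HMAC challenge-response over a key shared at pairing is this example's assumption about how a bonded peer proves presence, which the page does not confirm.

```python
import hashlib
import hmac
import os


class PresenceGatedStore:
    """Hypothetical model, not PECKUS code: a write-once keyfile released
    only when the bonded peer proves presence AND the button is pressed."""

    def __init__(self):
        self._keyfile = None    # secret, written once at setup
        self._bond_key = None   # assumption: key shared with the peer at pairing
        self._nonce = None      # outstanding challenge, if any
        self._peer_ok = False   # set only by a valid response

    def provision(self, bond_key: bytes, keyfile: bytes) -> None:
        if self._keyfile is not None:
            raise PermissionError("keyfile is write-once")
        self._bond_key, self._keyfile = bond_key, keyfile

    def challenge(self) -> bytes:
        # Fresh nonce per attempt, so a recorded response cannot be replayed.
        self._peer_ok = False
        self._nonce = os.urandom(16)
        return self._nonce

    def peer_response(self, tag: bytes) -> bool:
        if self._nonce is None or self._bond_key is None:
            return False
        expected = respond(self._bond_key, self._nonce)
        self._nonce = None      # one answer per challenge
        self._peer_ok = hmac.compare_digest(expected, tag)
        return self._peer_ok

    def read(self, button_pressed: bool) -> bytes:
        if not (self._peer_ok and button_pressed):
            raise PermissionError("locked: need bonded peer and button press")
        self._peer_ok = False   # lock again after every release
        return self._keyfile


def respond(bond_key: bytes, nonce: bytes) -> bytes:
    """What the bonded phone computes; knowing its address is not enough."""
    return hmac.new(bond_key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    key = os.urandom(32)                       # constructed sample values
    store = PresenceGatedStore()
    store.provision(key, b"constructed-keyfile")
    store.peer_response(respond(key, store.challenge()))
    print(store.read(button_pressed=True))
```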
The limited amount of storage space means that this device will probably only serve its intended purpose, but in those cases, it’ll be handy to have an open-source and inexpensive protected storage device. [Juergen] notes that attackers could theoretically defeat this system by desoldering the microcontroller from the board and extracting the memory contents from its storage, but if you have enemies that resourceful, you probably won’t be relying on a $20 board anyways.
We’ve previously seen a few flash drives cross these pages, including one meant to self-destruct, and one made from a rejected microSD card.
A Presence-sensing Drive For Securely Storing Secrets

Adding a VL53L0x or similar motion sensor could be some extra security. You wave your hand in some gesture to unlock it. But if it only works when a paired Bluetooth device is visible, then it could also use some data from that same Bluetooth device to unlock encrypted data only stored in RAM. That already makes it a lot more difficult to read out the device if it’s stolen.
If a PC is airgapped for security reasons, I already find it strange that a USB port is accessible in the first place.
But just the mention that CircuitPython is used makes the project a dud. It’s too easy to copy such code during a toilet break, analyze & modify, and during another toilet break load a compromised software version. In my opinion there is little room for gadgetry in a security environment. If I was his boss, he’d loose all access privileges to the security sensitive part of the company. And I don’t want disgruntled employees either, so maybe immidiate firing is in order.
If it’s a hobby / toy project, then at least treat it more seriously. Security is only as good as its weakest link.
lose
immediate
If you have to have your BT device, could you not just have to have the USB dongle, and the key that unlocks the USB port so it can be used? I just saw USB C ones on Amazon today, so there’s locks for USB, or unplug it and most servers have case intrusion. The USB stick goes in a safe where nobody has access to the key file.
Not that I don’t see the usefulness of the BT proximity sensing for access. Set the Boss’s computer to glitch til you walk in front of it, then he thinks you’re a magician.
The only thing the extra stuff adds is a higher potential for flaws in the security model.
Bluetooth proximity was built into the Armorlock product from SanDisk, an ultrasecure storage platform where some of the firmware lives on in Raspberry Pi Pico ROM. I do not recommend purchasing the Armorlock product because it is EOL and not supported anymore, which is a huge fail.
So, to unlock this device, “Activation based on user-presence (based on user’s Bluetooth and/or WIFI device being in range)”
And the MAC address is broadcast in the clear frequently from said device. And easily spoofed by any number of devices.
That doesn’t sound like a particularly secure system.