Hackaday Prize 2023: Sleek Macro Pad Makes 2FA A Little Easier

We all know the drill when it comes to online security — something you know, and something you have. But when the “something you have” is a two-factor token in a keyfob at the bottom of a backpack, or an app on your phone that’s buried several swipes and taps deep, inconvenience can stand in the way of adding that second level of security. Thankfully, this “2FA Sidecar” is the perfect way to lower the barrier to using two-factor authentication.

That’s especially true for a heavy 2FA user like [Matt Perkins], who typically needs to log in and out of multiple 2FA-protected networks during his workday. His Sidecar is similar in design to many of the macro pads we’ve seen, with a row of Cherry MX key switches, a tiny TFT display — part of an ESP32-S3 Reverse TFT Feather — and a USB HID interface. Pressing one of the five keys on the pad generates a new time-based one-time password (TOTP) and sends it over USB as typed keyboard characters; the TOTP is also displayed on the TFT if you prefer to type it in yourself.

As for security, [Matt] took pains to keep things as tight as possible. The ESP32 only connects to network services to keep the time synced up for proper TOTP generation, and to serve up a simple web configuration page so that you can type in the TOTP salts and service name to associate with each key. He also discusses the possibility of protecting the ESP32’s flash memory by burning the e-fuses, as well as the pros and cons of that maneuver. The video below shows the finished project in action.

This is definitely a “use at your own risk” proposition, but we tend to think that in the right physical environment, anything that makes 2FA more convenient is probably a security win. If you need to brush up on the risks and benefits of 2FA, you should probably start here.

Continue reading “Hackaday Prize 2023: Sleek Macro Pad Makes 2FA A Little Easier”

A Commodore SX-64 showing a six-digit code and a countdown timer

Generating Two-Factor Authentication Codes With A Commodore 64

If you’ve used a corporate VPN or an online-banking system in the past fifteen years or so, chances are you’ve got a few of those little authenticator key fobs lying around, still displaying a new code every 30 seconds. Today such one-time codes are typically sent to you by text message or generated by a dedicated smartphone app, which is convenient but a bit boring. If you miss having a dedicated piece of hardware for your login codes, then we’ve got good news for you: [Cameron Kaiser] has managed to turn a Commodore SX-64 into a two-factor authenticator. Unlike a key fob that’s one gadget you’re not likely to lose, and any thief would probably need to spend quite some time figuring out how to operate it. Continue reading “Generating Two-Factor Authentication Codes With A Commodore 64”

Build Your Own Two-Factor Authenticator With Good USB

Two-factor authentication is becoming the norm for many applications and services, and security concerns around phone porting hacks are leading to a phaseout of SMS-based systems. Amidst that backdrop, [Josh] developed his own authentication device by the name of Good USB.

The device can be built using a Arduino Leonardo, SS Micro, or even a BadUSB device. It’s the latter which [Josh] most liked, and since the nefarious device is being repurposed for good, it led to the name Good USB. Basically any Atmega32U4-based device will work, as the key functionality is the ability to emulate a USB keyboard to a host PC.

Using the device is just as simple. With the Good USB plugged in, one simply needs to click a button in the companion app to generate a code for the given account you’re logging in to. Pressing the button on the device then types in the code for you. Alternatively, if your device has no button, it can be set up to simply type the code two seconds after you select an account in the companion app.

The code is on Github for those wishing to make their own. Caveat for the cautious: it’s still a work in progress, and there may be security holes in the current implementation.

If you’re interested in the nuts and bolts of how 2FA works, we’ve looked into that in detail. Video after the break.

Continue reading “Build Your Own Two-Factor Authenticator With Good USB”

A light blue marker with a two-pin header replacing the tip, being pressed against the back of the keypad baord that's removed from the safe

Anyone Can Be The Master Of This Master Lock Safe

[Etienne Sellan] got one of these lovely $5 logic analyzers. As with any shiny new tool, he started looking for things to investigate with it, and his gaze fell on a Sentry Safe (produced by Master Lock). On the surface level, this keypad-equipped safe is designed decently when it comes to privilege separation. You can take the keypad board off and access its backside, but the keypad doesn’t make any decisions, it merely sends the digits to a different board embedded behind the safe’s door. The solenoid-connected board receives the PIN, verifies it, and then controls the solenoid that unlocks the safe.

[Etienne] hooked up a logic analyzer to the communication wire, which turned out to be a UART channel, and logged the keypad communication packets — both for password entry and for password change. Then, he wrote some Arduino code to send the same packets manually, which worked wonders. Bruteforcing wasn’t viable, however, due to rate limitation in the solenoid controller. Something drew his attention from there – if you want to change the password, the keypad requires you enter the factory code, unique to each safe and supplied in the instruction manual. That code entry is a separate kind of packet from the “change password” one.

More after the break…

Continue reading “Anyone Can Be The Master Of This Master Lock Safe”

Teardown: BlackBerry Smart Card Reader

Years before Steve Jobs showed off the first iPhone, the BlackBerry was already the must-have accessory for mobile professionals. Back then, nobody was worried about watching movies or playing the latest games on their mobile devices, they just wanted a secure and fast way to send and receive email on the go. For that, the BlackBerry was king.

Fast forward to today, and the company is just a shell of what it once was. They don’t even bother making their own hardware anymore. Over the last several years they’ve opted to partner with a series of increasingly obscure manufacturers to produce a handful of lackluster Android phones so they still have something to sell to their dwindling userbase. Anyone excited about the new 5G BlackBerry being built by Texas start-up OnwardMobility? Did you even know it was in the works before now?

A DoD Common Access Card

But this article isn’t about BlackBerry phones. It’s about something that’s even more irrelevant to consumers: the BlackBerry Smart Card Reader. Technically, this little device isn’t dependent on the phones of the same name, but it makes sense that Research In Motion (which eventually just renamed itself to BlackBerry Limited) would market the gadget under the brand of their most popular product. Though as you might expect, software was available to allow it to work with the BlackBerry phone that you almost certainly owned if you needed a dedicated smart card reader.

For those who might not be aware, a smart card in this context is a two-factor authentication token contained in an ID card. These are used extensively by organizations such as the Department of Defense, where they’re known as Common Access Cards, that require you to insert your ID card into a reader before you can log into a secure computer system. This sleek device was marketed as a portable reader that could connect to computers over USB or Bluetooth. Worn around your neck with the included lanyard, the battery-powered reader allowed the card itself to remain on the user’s body while still being readable by nearby devices.

Civilians will recognize the basic technology from modern “Chip and PIN” debit and credit cards, but we’ve never had to stick one of those into our laptop just to log in. To be sure, the BlackBerry Smart Card Reader was never intended for the average home computer user, it was sold to companies and organizations that had tight security requirements; which just so happened to be the same places that would likely already be using BlackBerry mobile devices.

Of course, times and technology change. These devices once cost $200 apiece and were purchased in vast quantities for distribution to trusted personnel, but are now all but worthless. Even in new and unopened condition, they can be had for as little as $10 USD on eBay. For that price, it’s certainly worth taking a peek inside. Perhaps the hacker community can even find new applications for these once cutting-edge devices.

Continue reading “Teardown: BlackBerry Smart Card Reader”

This Week In Security: AD Has Fallen, Two Factor Flaws, And Hacking Politicians

The big news this week is the huge flaw in Microsoft’s Active Directory, CVE-2020-1472 (whitepaper). Netlogon is a part of the Windows domain scheme, and is used to authenticate users without actually sending passwords over the network. Modern versions of Windows use AES-CFB8 as the cryptographic engine that powers Netlogon authentication. This peculiar mode of AES takes an initialization vector (IV) along with the key and plaintext. The weakness here is that the Microsoft implementation sets the IV to all zeros.

XKCD.com CC BY-NC 2.5

It’s worth taking a moment to cover why IVs exist, and why they are important. The basic AES encryption process has two inputs: a 128 bit (16 byte) plaintext, and a 128, 192, or 256 bit key. The same plaintext and key will result in the same ciphertext output every time. Encrypting more that 128 bits of data with this naive approach will quickly reveal a problem — It’s possible to find patterns in the output. Even worse, a clever examination of the patterns could build a decoding book. Those 16 byte patterns that occur most often would be guessed first. It would be like a giant crossword puzzle, trying to fill in the gaps.

This problem predates AES by many years, and thankfully a good solution has been around for a long time, too. Cipher Block Chaining (CBC) takes the ciphertext output of each block and mixes it (XOR) with the plaintext input of the next block before encrypting. This technique ensures the output blocks don’t correlate even when the plaintext is the same. The downside is that if one block is lost, the entire rest of the data cannot be decrypted Update: [dondarioyucatade] pointed out in the comments that it’s just the next block that is lost, not the entire stream. You may ask, what is mixed with the plaintext for the first block? There is no previous block to pull from, so what data is used to initialize the process? Yes, the name gives it away. This is an initialization vector: data used to build the initial state of a crypto scheme. Generally speaking, an IV is not secret, but it should be randomized. In the case of CBC, a non-random IV value like all zeros doesn’t entirely break the encryption scheme, but could lead to weaknesses. Continue reading “This Week In Security: AD Has Fallen, Two Factor Flaws, And Hacking Politicians”

Launch Console Delivers Enjoyment To Software Deployment

Sometimes it feels as though all the good physical interactions with machines have disappeared. Given our current germ warfare situation, that is probably a good thing. But if fewer than ten people ever will be touching something, it’s probably okay to have a little fun and make your own interfaces for things.

Fun definitely seems to be some of the inspiration behind [sethvoltz]’s retro-style launch console. This two-factor authorization token-based system is responsible for an important task that usually receives no fanfare — deploying code to production.

The console is centered around a Yubikey, which is type of hardware dongle for 2FA. Flipping the guarded toggle switch will initiate the launch sequence, and then it’s time to insert the Yubikey into the 3D-printed lock cylinder and wait for authorization. If the Raspberry Pi decides all systems are go, then the key can be turned ninety degrees and the mushroom button mashed. You have our permission to peek at the declassified demo after the break. Stick around for a CAD view inside the lock cylinder.

Console culture was great, but the old full-size cabinets sure took up a lot of space. If you’re more of a hardware person, check out this mini-console for testing multiple servos.

Continue reading “Launch Console Delivers Enjoyment To Software Deployment”