Hacker Has Robot Give Yubikey The Finger

[Bertrand Fan] is not a fan of the tiny, hard-to-actuate button on the average Yubikey. Before all that is 2020 occurred, [Bert] had the little 2FA nano-donglette plugged into a spare USB port on the side of their laptop so that it was always available wherever the laptop traveled. Now that working from home is the norm, [Bert] has the laptop off to the side, far out of reach.

A USB-C extension cable certainly made it more accessible, but did nothing for the actuation fail rate of the tiny button. Fed up by inconvenience and looking for a lockdown project, [Bert] decided to make a button-pressing robot finger that’s driven by a spare key on their groovy TKL keyboard.

It runs on a Wemos D1 mini and uses a small stepper motor to push a 3D-printed finger along a rack-and-pinion actuator. Since the Yubikey requires capacitive touch, [Bert] added a screw to the finger tip that’s wired to ground. Now all [Bert] has to do is press a decidedly cooler key to make the finger press the button for them. Check out a brief demo after the break.

If this security flaw makes you uncomfortable, perhaps this 2FA launch console is more to your liking. And as we saw recently, if you don’t like the cost of Yubikeys, you can roll your own 2FA device with a blue pill.


STM32 Blue Pill Turned GPG Security Token

Feeling the cost of commercial options like the YubiKey and Nitrokey was too high, [TheStaticTurtle] started researching DIY alternatives. He found an open source project that allows the STM32F103 to act as a USB cryptographic token for GNU Privacy Guard, which was a start. All he had to do was build a suitable device to install it on.

Blue Pill proof of concept

The first step was to test the software out on the popular “Blue Pill” development board, which [TheStaticTurtle] documents in the write-up should anyone want to give it a try themselves. The ST-Link V2 was already a supported target, so it only took some relatively minor tweaks to get running and add support for a simple push button. The output of gpg --card-status showed the device was working as expected, so with the software sorted, it was time to take a closer look at the hardware.

To create his “TurtleAuth” dongle, [TheStaticTurtle] started with the basic layout of the Blue Pill and added in a TTP223E touch control IC. The original Micro USB port was also swapped for a male USB-A connector so the device could be plugged directly into a computer. An upper PCB, containing the status LEDs and touch pad, was then designed so it would fit over the main board as an enclosure of sorts. While the sides are still open, the device looks robust enough to handle life in a laptop bag at least.

While it’s not exactly a common project, this isn’t the first time we’ve seen somebody spin up their own hardware token. More evidence of what the dedicated individual can accomplish these days on a relatively limited budget.

Launch Console Delivers Enjoyment To Software Deployment

Sometimes it feels as though all the good physical interactions with machines have disappeared. Given our current germ warfare situation, that is probably a good thing. But if fewer than ten people ever will be touching something, it’s probably okay to have a little fun and make your own interfaces for things.

Fun definitely seems to be some of the inspiration behind [sethvoltz]’s retro-style launch console. This two-factor authorization token-based system is responsible for an important task that usually receives no fanfare — deploying code to production.

The console is centered around a Yubikey, which is a type of hardware dongle for 2FA. Flipping the guarded toggle switch will initiate the launch sequence, and then it’s time to insert the Yubikey into the 3D-printed lock cylinder and wait for authorization. If the Raspberry Pi decides all systems are go, then the key can be turned ninety degrees and the mushroom button mashed. You have our permission to peek at the declassified demo after the break. Stick around for a CAD view inside the lock cylinder.

Console culture was great, but the old full-size cabinets sure took up a lot of space. If you’re more of a hardware person, check out this mini-console for testing multiple servos.


Tomu: A Microcontroller For Your USB Port

Looking for an ultra-tiny development board? Tomu is an ARM Cortex M0+ device that fits inside your USB port. We’ve seen these in person, and they’re tiny.

There are a few commercial devices in this form factor on the market. For example, the Yubikey Nano emulates a keyboard to provide codes for two-factor authentication. The Yubikey’s tiny hardware does this job well, but the closed-source device isn’t something you can modify.

Tomu is a new device for your USB port. It sports a Silicon Labs EFM32 microcontroller, two buttons, and two LEDs. This particular microcontroller is well suited to the task. It can talk USB without a crystal for timing, and has an internal regulator to generate the core voltage from a 5 V USB supply. Since it supports DFU firmware updates, it can be reprogrammed without any special tools.

Unfortunately, the EFM32 device lacks secure storage options, so the Tomu might not be the best device to keep your secrets on. That being said, it will be interesting to see what applications people come up with. The creators have suggested using the device for media buttons, sleeping and waking a computer, and as a U2F key.

The project is currently available on CrowdSupply, and all design files and source are available on their Github. If you like soldering tiny things, the twelve-part bill of materials should be fairly easy to assemble at home.

Turning A Teensy Into A U2F Key

Last month, GitHub users were able to buy a special edition Universal 2nd Factor (U2F) security key for just five bucks. [Yohanes] bought two, but wondered if he could bring U2F to other microcontrolled devices. He ended up building a U2F key with a Teensy LC, and in the process brought U2F to the unwashed masses.

Universal 2nd Factor is exactly what it says on the tin: it doesn’t replace your password, but it does provide a little bit of extra verification to prove that the person logging into an account is indeed the person that should. Currently, Google (through Gmail and Google Drive), Github, Dropbox, and even WordPress (through a plugin) support U2F devices, so a tiny USB key that’s able to provide U2F is a very useful device.

After digging into the U2F specification [Yohanes] found the Teensy LC would be a perfect platform for experimentation. A U2F device is just a USB HID device, which the Teensy handles in spades. A handy library takes on ECC for both AVR and ARM platforms and [Yohanes’] finished U2F implementation is able to turn the Teensy LC into something GitHub was selling for $5.

It should be noted that doing anything related to security by yourself, with your own code is dumb and should not be considered secure. Additionally, [Yohanes] didn’t want to solder a button to his Teensy LC, so he implemented everything without a button press, which is also insecure. The ‘key handle’ is just XOR encryption with a fixed key, which is also insecure. Despite this, it’s still an interesting project and we’re happy [Yohanes] shared it with us.
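The key-handle weakness mentioned above, as an added example that is not [Yohanes]'s code or any vendor's firmware: an XOR-with-fixed-key handle is neither bound to the registering site nor integrity-checked, while a handle carrying a MAC under a per-device secret is rejected for the wrong site or device and never contains the private key. FIXED_KEY, MacHandleToken, app_param and the "key"/"tag" labels are names and values constructed for this sketch, and the MAC-based layout is one assumed construction, not a quoted specification.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a constant compiled into every copy of a firmware image.
FIXED_KEY = bytes(range(32))


def xor_wrap(private_key: bytes) -> bytes:
    """Weak scheme: key handle = private key XOR a fixed, shared key."""
    return bytes(a ^ b for a, b in zip(private_key, FIXED_KEY))


def xor_unwrap(handle: bytes, app_id: bytes) -> bytes:
    # app_id is ignored and there is no integrity check: any 32 bytes "unwrap",
    # for any site, on any device that shares FIXED_KEY.
    return bytes(a ^ b for a, b in zip(handle, FIXED_KEY))


class MacHandleToken:
    """Hardened sketch: handle = nonce || HMAC tag bound to the app ID."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # unique per device, never leaves it

    def _mac(self, label: bytes, app_id: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, label + app_id + nonce, hashlib.sha256).digest()

    def register(self, app_id: bytes) -> Tuple[bytes, bytes]:
        nonce = os.urandom(32)
        seed = self._mac(b"key", app_id, nonce)  # seed for the P-256 private key
        return nonce + self._mac(b"tag", app_id, nonce), seed

    def unwrap(self, handle: bytes, app_id: bytes) -> Optional[bytes]:
        if len(handle) != 64:
            return None
        nonce, tag = handle[:32], handle[32:]
        if not hmac.compare_digest(tag, self._mac(b"tag", app_id, nonce)):
            return None  # forged, corrupted, or registered for another site/device
        return self._mac(b"key", app_id, nonce)


def app_param(origin: str) -> bytes:
    """U2F application parameter: SHA-256 of the application identity."""
    return hashlib.sha256(origin.encode()).digest()
```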