I am looking for an app or some ability to use the flipper as a challenge response that uses HMAC-SHA1 via USB and NFC. This would allow the flipper to simulate a Yubikey.
The private key would have to be known and placed onto the Flipper, and then used as a 2FA Challenge Response.
Not directly your request, but for reference:
I havenât seen an app that does that yet. Thatâs a feature I have thought was missing for a while however I canât recommend the Flipper for holding any secure login and here is the warning from Flipper Inc.
For security-sensitive websites, use certified U2F security keys
Flipper is not a âcertified U2F security keyâ and this version most likely never can be due to hardware limitations.
Yes, very true. BUT if my Flipper is stolen, or lost. Then my account is compromised as they could âget the keyâ. Yet if my Yubikey is stolen or lost then my account is also compromised as well. In ether event I, I would have to make a new key and store it to a new Yubikey or Flipper and re-associate my accounts to the new key. So I guess I donât get the difference.
The only concern I have is if I put an app on the flipper and that app would grab my key and somehow send it off to someone else (not sure how that would be possible) and they would clone it. Thatâs really the only concern I see. Unless I am mis understanding something.
I guess an app on the PC could grab files from it while itâs plugged in.
Point by point:
Thatâs why
Possible, if you run apps from untrusted sources. Some exfiltration vectors are:
A program on PC can
I use my Yubikey as a second factor for my KeePass password management.
âYoubiKeys have a PINâ Not that I know of. I never enter a set of digits to use my HMAC-SHA Challenge Response.
" If you can login with just the second factor, it is a bad design." Fully agree!
âif you run apps from untrusted sources. Some exfiltration vectors areâŚâ Agree
âA program on PC canâ Anything on my PC could steal my password to log into KeePass as I type it in. And could read the memory and password as sent to applications etc.
If your system is compromised then youâre screwed. So back to my point being a âcertified U2F security keyâ really needed? If itâs lost stolen or the system your using it on is compromised your screwed anyway.
When I am out on the road with just my cell phone and I need to log into say Google and I got my Google authenticator app with itâs new 6 digit number every 30 seconds on my phone along with a stored 15 character random password (as I canât remember it) is logging in on my phone really 2nd factor? When that device has both my password and the authenticator app both on the same device? I donât think so. So I moved my authenticator app off of my phone and used the authenticator app on my Flipper. Now I feel I am more secure. Because I must have both devices to gain access to my account.
Just because the Flipper is not fort knocks security, it can still provide increased security in some ways.
Anyway. Back to the original need, it would be nice if someone could make an app to perform HMAC-SHA Challenge Response on the flipper.
You are concerned about the Yubikey and you are using the Google authenticator at the same time?
Hey, the GA is in the cloud, one time set up, available on all my Google devices! Google Online Security Blog: Google Authenticator now supports Google Account synchronization
Not end-to-end encrypted: Google's New Authenticator Isn't End-to-End Encrypted: Test
A little more practical: Google Authenticator Sync security concerns, What IT should do- Specops Software
Iâve tested some OTP. I started with Microsoft authenticator, because my first project was an admin account in AzureAD. Nice, worked for all use cases.
Than I started with the Yubikey Authenticator. Much more secure, but not for all, because you need a Yubikey to open ⌠More secure, less comfortable.
And in the beginning of 2021 I started with the Google authenticator, until the point they moved it to the cloud. One thing I like about the OTP is, that it is not connected to the internet. For security.
I donât mention the various small solutions, like FortiToken, BlahPass+ ⌠and some bad designed OpenSource ones.
Iâm not concerned about anything. I would like to see the Yubikey HMAC-SHA1 Challenge Response implemented on the Flipper Zero. And I feel the reason not to âFlipper is not a certified U2F security keyâ is not a valid reason. As the Yubikey can be just as insecure as the flipper if not used correctly.
The reason I use Yubikey HMAC-SHA1 Challenge Response is because it works by plugging it into my PC to access KeePass and also as NFC on my phone to access KeePass. None of the other Authenticator options will work that way with KeePass that I know of.
This is the concern. The key can potentially be copied without your knowledge. That could be done a number of different ways. Someone could remove the SD card and copy the file. You could leave a digital backup somewhere and it could be compromised. Or in your example someone pulls a reverse shell on your computer and ssh into your Flipper.
Not a Yubikey feature but there actually is at least one U2F key that has a pin. I believe Yubikey has one coming out with a fingerprint reader though. ( YubiKey Bio Series)
There is the new passkey function. In that case a Yubikey could potentially be used as the primary authentication method. I donât think Flipper U2F supports passkey. A username is still needed. I would not use that function without at at least the fingerprint option.
Yubikey also has a password mode that allows it to enter passwords.
This one wouldnât just work. Files on SD are stored encrypted with SE key #2 (the device-unique one)
And I still consider it a BadIdeaâ˘.
Can you point me to that? I donât see it in documentation. Iâd like to learn more such as what stops someone from stealing that key and if there is a way to use it in our apps. I assume itâs not on the SD card which in my mind brings the question âWhy doesnât Flipper allow encryption of other files?â Even if it isnât perfect it would be nice to be able to encrypt certain captured files.
The authenticator app I think uses the built in encryption string stuff. I am not smart enough to understand but Flipper does not provide file level encryption but stuff can still be encrypted from my understanding using a key thatâs on the device. I think the ability for the key to be extracted is possible.
So in my use case, the private key would be stored on the flash card yet encrypted in some form with the internal key. But thatâs all I know. If you look into the Authenticator app more it may explain.
I also could be completely wrong.
That link is very helpful. So the Flipper is indeed needed to crack it. Of the attacks I mentioned I think the reverse shell attack is the most likely. As long as you arenât targeted it seems an unlikely attack. You could further reduce you risk by not charging Flipper with your PC, choosing a PIN, and not leaving it plugged in to the PC when not in use. Truthfully your pretty well doinked if someone has a reverse shell on you PC in the first place.
That said I think the PIN might be easily cracked in most cases.
IIRC main PIN lives in clear in some internal memory file and Authenticator PIN lives âalmost-in-clearâ (with the same key) in its config, without cryptographically protecting anything.
Thatâs not a great way to handle a pin. Should be hashed and salted.
What is IIRC?
IIRC = If I Remember Correct.
With 4^4=256 possible values?
Only if you manage to engage CPU2 to help you. And in Flipper, CPU2 runs STâs Bluetooth blobs.
Youâre saying Flipper canât even do that? Sadly everyone my approximate age used the exact same pin because⌠famous video game cheat code.