4-5 days in and it can scan through an otterbox!
5 Likes
Why wouldnāt it work? Itās just a TOTP code:
I have this working with my 1Password vault. Prompts me if I set up on a new device, presumably itās the same setup?
1 Like
good instruction which will help or try on
How did you get that set up? Are you Mac or pc? Assuming this would make a difference like the yubikey updates.
Iām a total hack here and way over my head but learning.
Got to learn somehow, not 100% sure if it works on all platforms so iāll have to do some testing.
1 Like
Appreciate this!
So the big question about confidentiality āHow to protect my passwords/safe/vault with the Apexā has come up by again. Thereās nothing wrong with that, but Iāve been following the VivokeyFlexOne/Apex topics for a while and I havenāt seen any questions or comments come up yet about the following (other) risks:
- Denial of Service: Irreversible bricking the Apex/Fidesmo card by a brute force attempt of the GlobalPlatform master key. Anyone close enough could brick your Apex implant basically
- Unauthorized manipulation: Anyone with the Fidesmo app installed is able to add or delete applets on the Apex card.
Have any security measures been taken into consideration when developing the Apex (cc: @amal) or is this mainly an inherent risk of using Fidesmo as a closed platform for the Apex?
And how do others with the Apex/FlexOne look at these risks?
I mention this now, as I havenāt used my NTAG216 implant for a while (3 years). And now I started using it again, I figured out that the maximum pin lockout was set somehow. Meaning it was write-locked and basically bricked. However, the NTAG series allow mitigation of this risk by allowing unlimited key attempts; basically avoiding the risks of a bricked implant by anyone performing a brute force attack.
So I recently got the NTAG implant replaced again, but the possibility of bricking then suddenly becomes a real risk that makes me more worry then other things 
1 Like
Thatās awesome! I havenāt installed my apex yet. I started out small (xsiid, xM1, and next, then titan). Once I feel adequately healed Iāll tackle the 4g as I donāt have an installer š„².
But I just wanted to mention that I recently got a pixel 7 Pro. And it scans all three of my x series from 1-2cm away ā¦ through an OtterBox. On my 6 pro I had to shove my hand into the battery with a super thing case.
I imagine the read range on the apex will be much much better!
1 Like
Its not fully healed so take this with a grain of salt but im getting worse range on the apex than my xNT. I have to mash my hand against the case but my glassie reads from 1-2mm away
1 Like
This is a hardware āfeatureā enforced by the chip manufacturer NXP, and cannot be disabled.
From a security perspective, a denial of service attack is very annoying, but not a catastophic event like e.g. extracting secret keys.
However, looking into this and poking NXP would still be worth it imho. The chips were originally designed for credit cards etc, where this kind of behaviour makes more sense.
Correct, but same reasoning applies. You should always keep proper backups of the secrets you store on your implant.
Also, stay tuned for potential alternatives to Fidesmo with more user control.
I know this sounds kind of like a lazy answer, but once you deal with hardware, where do you draw the line on (physical) attacks? The implants already require a bad actor to get (very) close to you, at which point a scalpel would do a similar job of bricking the implant.
1 Like
Already have done. To make these changes would require completely modifying the core ROM of the operating system and we donāt have the insane amount of volume in chip sales to justify that with NXP. The other problem here is that changing this also invalidates common criteria certification for the chip, which NXP is not interested in doing.
What I suggested to them was that they implement a pre-tar pit for key checking that would essentially drastically slow down the rate that you could check master keys while still allowing a maximum number of invalid key attempts before breaking. With a pre-tar pit check, you could essentially make it so you would have to keep the chip in the field or a number of seconds per key check if there were previous failures in the counter and this would dramatically change the likelihood of a successful denial of service attack. Iāve had extensive conversations with NXP about this but again the problem falls to making core changes to the root operating system in the chip and they just arenāt interested in doing that for little old us.
As for anyone with the Fidesmo app being able to remove applications from your Apex, they are well aware of this as well. Iāve raised it as a serious concern on several occasions. My suggestion to them was to create an application that can be deployed onto the chip as an optional element that simply validates a passphrase or at the very least a pin code. If the chip has this app on board then the Fidesmo app should do a pin check challenge with the chip directly before making any changes. This would enable them to maintain a system that does not collect any PII or require user accounts, while still creating some amount of protection for people like us who think about such things.
So far there has not been any progress here. Maybe itās time to ping them again about it.
9 Likes
physical access DoS? lost game with NFCKill so DoS bugs are kinda irrelevant IMO
1 Like
On one hand I agree, but on the other hand access to a phone and an app is far moreā¦ accessibleā¦ then buying a specialized piece of hardware. Just saying.
1 Like
Ofc but the typcal āgoing to defconā scenario is lost.
Also, this still requires time to brute force keys, I hope, and i.g. it takes longer than NFC Kill.
Ofc I see how a single APDU DoS that can be sent from a phone is bad, but to be fair even thenā¦ idk not in my threat model for now
Yeah sounds smart and could solve these problems, at least if this is enforced by fidesmos servers e.g. this applet generates a key for the API.
1 Like
How likely is it that the Apex gets iclass support?
It looks like seos support is possibleā¦ but not any other iClass version. Seos is new and rare in the field.
Common criteria is super duper import! I deal with that at my job too. They donāt budge.
Just used my Apex to U2F into githubā¦ soooo satisfying.
8 Likes
Iāve got U2F setup with bitwarden and my phone but am still using the vivokey authenticator app when doing something on the pc. Is there a U2F reader I can plug into the pc?
^ this could be a dumb questionā¦ guess what I mean is an Apex compatible reader? or a reader that can pickup the U2F applet on the chip? I think Iām confusing myself. please send help.