Using a KBR1 to log into a machine I can't change the password to

I’ve been experimenting with the KBR1 and wanted a way to use it to log into my computer without having to change my password to match the UID on my implants (I’m fairly mobile, so need something where I could either type in my password or tap my implant). A little bit of toying around and reading around made me realize that I wasn’t going to be changing my UID and thus my plan to basically set up a relay system was born.

Materials

  • HF KBR1
  • A Raspberry Pi (Arduino would work for this too, but I’m more familiar and comfortable with python and the Debian Linux command line. I’ve been using a Pi Zero W I had lying around, which is unfortunately a little slow. I may look into upgrading to a Zero 2)
  • Adafruit CH9328 + JST 3-Pin to header socket
  • USB OTG adapter for the Pi Zero’s USB plug

Right now, the Pi listens for data coming in off the KBR1, compares it to an expected value (the NExT UID), and if it matches, fires off the computer password into the CH9328 via the GPIO pins. The CH9328 is connected to the computer, translates the serial output into HID format and fires it off to the computer like it was a normal keyboard.

I’m not sharing my code just yet, as I’ve hard coded my UID and computer password for testing purposes. Right now, I would consider this a big security vulnerability, only a bit better than having my password attached on a sticky note to my computer. My current improvement plan:

  • Secure the stored credentials using the Pi’s CPU serial number as a device-binding key
    • The UID and CPU serial are run through a key derivation function to produce an encryption key, which is then used to encrypt the stored password. The result is useless if the SD card is copied to another device.
  • Create a lockout mechanism and cooldown between UID scans to prevent brute-force attempts.
  • Once I am happy with functionality, make a case for the Pi+CH9328 so that they’re not just rattling around my desk

Since the UID is in a NExT implant, an attacker would need physical possession of both the Pi and my hand, and would have to get the implant within range of the reader. This makes casual theft of credentials significantly harder than a traditional password.

This post is mostly for my accountability; if people have suggestions on improvements/tweaks, I’m happy to hear about it. I’ll post more and share my code once I’m more satisfied that it’s not a walking security hazard.

4 Likes
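As an added example of the improvement plan above (my own sketch in Python 3 standard library, not the poster's unreleased code): the key is bound to the implant UID and the Pi's CPU serial with scrypt, the password is stored sealed, and a ScanGate applies a cooldown between scans and a lockout after repeated mismatches. It goes one step beyond the plan in that the expected UID is never stored: a wrong UID derives a wrong key and simply fails the authenticity check. The HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for AES-GCM (not in the standard library); the names, the UID, serial and password values are all constructed for the example.

```python
import hashlib, hmac, os

def derive_key(uid, cpu_serial, salt):
    # Key bound to the implant UID *and* this Pi's CPU serial: a copied SD card on another Pi derives a different key.
    return hashlib.scrypt((uid + ":" + cpu_serial).encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(password, key):
    # Encrypt-then-MAC; blob layout: nonce(16) || ciphertext || tag(32).
    nonce, pt = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(blob, key):
    # Password, or None if the key is wrong (wrong UID / other Pi) or the blob was altered.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def enroll(password, uid, cpu_serial):
    # One-time setup: (salt, blob) go on the SD card; the UID itself is never written to disk.
    salt = os.urandom(16)
    return salt, seal(password, derive_key(uid, cpu_serial, salt))

class ScanGate:
    """Cooldown between UID scans plus lockout after repeated mismatches."""
    def __init__(self, cpu_serial, salt, blob, cooldown=2.0, max_fail=3, lockout=60.0):
        self.cpu_serial, self.salt, self.blob = cpu_serial, salt, blob
        self.cooldown, self.max_fail, self.lockout = cooldown, max_fail, lockout
        self.last_scan, self.failures, self.locked_until = float("-inf"), 0, 0.0
    def attempt(self, scanned_uid, now):
        # Called per UID the KBR1 types; returns the password to hand to the CH9328, else None.
        if now < self.locked_until or now - self.last_scan < self.cooldown:
            return None
        self.last_scan = now
        password = unseal(self.blob, derive_key(scanned_uid, self.cpu_serial, self.salt))
        if password is None:
            self.failures += 1
            if self.failures >= self.max_fail:  # too many bad scans: lock out
                self.failures, self.locked_until = 0, now + self.lockout
        else:
            self.failures = 0
        return password
```

Note that neither KDF input is a secret (a UID is readable by any NFC reader in range and the Pi's serial is in /proc/cpuinfo), so the binding raises the bar against a copied SD card rather than against someone who holds both the Pi and the implant.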

It seems to me that depending on your OS you could run something like autohotkey and load it when the login screen activates, then have it replace your UID with the password. Since your UID is probably never going to be typed in anyway, it shouldn’t misfire.

Unfortunately, I am mostly a Mac user. Apple is unfortunately pretty locked down.

2 Likes

@Vicarious

I think he can help you.