this post was submitted on 25 Jan 2025
Greetings! Recently, I found out that I had an unused Raspberry Pi Pico that I had not done anything with ever since I bought it.

A random idea struck me: I wanted to turn it into a security key (https://www.picokeys.com/pico-fido/)! Security keys (like the YubiKey) are so goddamn expensive in my country, while I got a Raspberry Pi Pico for cheap. However, this brings me to the question: how secure can it be? Can anyone crack/clone the security keys off of it?

Thanks in advance.

[–] j4k3@lemmy.world 5 points 1 week ago* (last edited 1 week ago)

You generally want to use a trusted protection module (TPM) chip like what is on most current computers and Pixel phones. The thing to understand about the TPM chips is that they have a set of unique internal keys that cannot be accessed at all. These keys are used to hash against and create other keys. The inaccessibility of this unique keyset is the critical factor. If you store keys in any regular memory, you are taking a chance.

Maybe check out Joe Grand's YT stuff. He has posted about hacking legit keys to recover large crypto amounts. Joe is behind the JTAGulator, if you have ever seen that one, and was a famous child hacker going by "Kingpin."

I recall reading somewhere about a software implementation of TPM for secure boot, but I didn't look into it very deeply and do not recall where I read about it. Probably on Gentoo, Arch, or maybe in the book Beyond BIOS (terrible).

Andrew Huang used to have stuff up on YT that would be relevant to the real security of such a device, but you usually need to know where he wrote articles to find links, because most of his stuff isn't publicly listed on YT. He has also removed a good bit over the years when certain exploits are unfixable, like accessing the 8051 microcontroller built into most SD cards and running transparently. Andrew is the author of Hacking the Xbox, which involved basically a man-in-the-middle attack on a high-speed PCIe (IIRC) connection.

It would be a ton of work to try to reverse engineer what you have created and implemented in such a device. Unless you're storing millions, it is probably not something anyone is going to mess with.
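The derivation pattern j4k3 describes, where a device-internal root secret is never exported and only keys hashed from it are ever used, modelled as an added toy example in Python. This is not pico-fido's code nor any TPM vendor's; the class, its method names and the HMAC-based "signature" (standing in for the ECDSA a real FIDO key would produce) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class SealedAuthenticator:
    """Hypothetical model of an authenticator whose root secret is created
    inside the device and is not returned by any method, the way a TPM's
    internal keys are only ever used as input to derivations."""

    def __init__(self, root: Optional[bytes] = None):
        # Constructed root secret; a real TPM has this burned in at manufacture.
        self._root = root if root is not None else secrets.token_bytes(32)

    def _credential_key(self, rp_id: str, cred_id: bytes) -> bytes:
        # One-way derivation: HMAC-SHA256(root, rp_id || 0x00 || cred_id).
        # Learning one derived key reveals neither the root nor any other key.
        return hmac.new(self._root, rp_id.encode() + b"\x00" + cred_id,
                        hashlib.sha256).digest()

    def make_credential(self, rp_id: str) -> Tuple[bytes, bytes]:
        # Only a random handle plus the derived key leave the device. The
        # derived key stands in for the public key a real FIDO key exports;
        # nothing has to be kept in ordinary storage to recreate it later.
        cred_id = secrets.token_bytes(16)
        return cred_id, self._credential_key(rp_id, cred_id)

    def get_assertion(self, rp_id: str, cred_id: bytes, challenge: bytes) -> bytes:
        # Re-derive the per-credential key on demand and "sign" the challenge.
        key = self._credential_key(rp_id, cred_id)
        return hmac.new(key, rp_id.encode() + challenge, hashlib.sha256).digest()


def verify_assertion(cred_key: bytes, rp_id: str, challenge: bytes, tag: bytes) -> bool:
    # Relying-party side: checks the assertion with the key it got at registration.
    expected = hmac.new(cred_key, rp_id.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    device = SealedAuthenticator()
    cred_id, cred_key = device.make_credential("example.com")
    challenge = secrets.token_bytes(32)  # constructed challenge from the site
    tag = device.get_assertion("example.com", cred_id, challenge)
    print("assertion valid:", verify_assertion(cred_key, "example.com", challenge, tag))
```

A second device built with a different root produces assertions that fail verification for this credential, which is the property that makes a clone without the root secret useless; if the root lived in ordinary flash instead, dumping it would let a clone pass.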