Mooltipass Demolab at DEF CON 29

    Tool or Project Name: Mooltipass

    Short Abstract: The Mooltipass project is a completely open-source ecosystem aimed at providing hardware-based authentication solutions. Its latest family member, the Mooltipass Mini BLE, features a dual microcontroller architecture aimed at separating the communications and security domains, together with an OLED screen and dedicated flash memories for credentials and graphics storage. The Mooltipass project is an ongoing 7-year adventure with contributors from around the globe. It has produced 3 hardware devices, multiple browser extensions, a cross-platform user interface and software daemon, an SSH agent and a python library.

    Short Developer Bio: Mathieu Stephan is an electronics engineer who is actively involved in the open source movement. He specializes in designing devices from the ground up and alternates between full-time positions in the security and communication industries and contracting jobs in other sectors – from quantum physics to Formula E cars. He has been a writer for Hackaday and has a personal website filled with electronics projects.

    URL to any additional information:

    Detailed Explanation of Tool: The Mooltipass project is an authentication ecosystem centered around several open source devices, the Mooltipass Standard, Mini and BLE.

    Among its many features, it offers:
    • Files, notes and credentials storage
    • FIDO2 (WebAuthn), TOTP and SSH support
    • Native credentials recall into browser login fields
    • On-device language and security parameter customization
    • Standalone credential typing using the device's standard USB or Bluetooth Keyboard HID channels
    • Cross-platform tools allowing device database management and synchronization

    Its latest family addition, the Mini BLE, includes the following hardware features:
    • A dual microcontroller architecture: the 'auxiliary' ATSAMD21E18 takes care of USB (HID, FIDO2, custom HID) and Bluetooth Low Energy (HID and custom HID) communications while the 'main' ATSAMD21G18 takes care of the rest.
    • A dedicated hardware line for the main MCU to hard-disable BLE communications
    • A 256x64x4bpp 2.08" OLED screen
    • A clickable scroll wheel for fast user interaction
    • A smartcard connector to interface with secure elements storing the encryption keys
    • A dedicated flash memory for graphics, strings and signed firmware updates
    • A dedicated flash memory for users' encrypted databases
    • Purpose-built charging electronics for the NiMH battery

    The firmware running on the ATSAMD21E18 and on the ATSAMD21G18 was built from scratch, except the crypto routines, which are from the open source BearSSL library, and the BLE features, which are from the Atmel-proprietary library. The firmware provides the following features:
    • A fully-fledged graphical library that handles compressed bitmaps and font rendering, using an internal frame buffer as needed
    • A custom-made database model allowing storage of credentials, files, notes and WebAuthn secrets while still allowing ease-of-use features such as favorites
    • A read-only file system library allowing fetching of graphical data, user-selected language strings, firmware updates and keyboard HID lookup tables
    • A dedicated abstraction layer allowing the device to send unicode text using simulated key presses through BLE & USB HID, with support for dozens of keyboard layouts
    • Graphical and database storage support of the Unicode Basic Multilingual Plane
    • Time based One Time Password (TOTP) and FIDO2 (WebAuthn) support
    • On-device password generation and credential display
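    As an added illustration (not Mooltipass firmware, and not its real lookup tables) of the keyboard HID abstraction layer described above: each layout is a table mapping a Unicode code point to the HID usage code and modifier that type it, the text is decoded from UTF-8 within the Basic Multilingual Plane, and the conversion is all-or-nothing so that a character missing from the selected layout aborts the whole operation instead of typing a garbled secret. The two sample tables are constructed with a handful of entries each.

```c
#include <stdint.h>
#include <stddef.h>

/* HID boot-keyboard modifier bits (report byte 0). */
#define MOD_LSHIFT 0x02
#define MOD_RALT   0x40  /* AltGr on European layouts */
#define N(t) (sizeof(t) / sizeof((t)[0]))

/* One entry: code point -> HID usage (Keyboard/Keypad page) + modifier. */
typedef struct { uint16_t codepoint; uint8_t usage; uint8_t modifier; } key_map_t;

/* Constructed sample layouts. 'z'/'y' swap between US and German, '@' moves
 * from Shift+2 to AltGr+Q, and 'ä' only exists on the German layout. */
static const key_map_t layout_us[] = {
    { 'a', 0x04, 0 }, { 'z', 0x1d, 0 }, { 'y', 0x1c, 0 },
    { 'A', 0x04, MOD_LSHIFT }, { '@', 0x1f, MOD_LSHIFT },
};
static const key_map_t layout_de[] = {
    { 'a', 0x04, 0 }, { 'z', 0x1c, 0 }, { 'y', 0x1d, 0 },
    { 'A', 0x04, MOD_LSHIFT }, { '@', 0x14, MOD_RALT }, { 0x00e4 /* ä */, 0x34, 0 },
};

static int lookup(const key_map_t *tbl, size_t n, uint16_t cp, uint8_t out[2]) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].codepoint == cp) { out[0] = tbl[i].modifier; out[1] = tbl[i].usage; return 0; }
    return -1;  /* character not typeable on this layout */
}

/* Decode one UTF-8 sequence restricted to the BMP; returns bytes consumed, 0 on error. */
static size_t utf8_next(const char *s, uint16_t *cp) {
    const unsigned char *u = (const unsigned char *)s;
    if (u[0] < 0x80) { *cp = u[0]; return 1; }
    if ((u[0] & 0xe0) == 0xc0 && (u[1] & 0xc0) == 0x80) {
        *cp = (uint16_t)(((u[0] & 0x1f) << 6) | (u[1] & 0x3f)); return 2; }
    if ((u[0] & 0xf0) == 0xe0 && (u[1] & 0xc0) == 0x80 && (u[2] & 0xc0) == 0x80) {
        *cp = (uint16_t)(((u[0] & 0x0f) << 12) | ((u[1] & 0x3f) << 6) | (u[2] & 0x3f)); return 3; }
    return 0;  /* 4-byte sequences lie outside the BMP and are rejected */
}

/* Convert text into (modifier, usage) pairs in out[]. Returns the pair count,
 * or -1 if any character is malformed, untypeable on this layout, or out is full. */
int text_to_hid(const key_map_t *tbl, size_t n, const char *text, uint8_t *out, size_t max_pairs) {
    size_t count = 0;
    while (*text) {
        uint16_t cp; size_t len = utf8_next(text, &cp);
        if (len == 0 || count >= max_pairs) return -1;
        if (lookup(tbl, n, cp, out + 2 * count) != 0) return -1;
        count++; text += len;
    }
    return (int)count;
}
```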

    To facilitate our development process and to allow device testing by everyone, we developed device emulators for Windows and Linux. These emulators also enable testing most of the Mooltipass ecosystem open-source software components:

    1) Moolticute, a Qt-based cross-platform software tool composed of a daemon & user interface allowing the user to:
    • customize device behavior (more than 30 settings, requested by our beta testers and users of previous generations of the Mooltipass)
    • manage, modify, import and export a user's database
    • directly view and edit notes stored on the device
    • upload and download files to and from the device
    • manage FIDO2 credentials
    2) mc-agent, an SSH agent running on the OS side allowing password-less SSH authentication, written in Go
    3) mooltipy, a python library to recall credentials stored on the Mooltipass
    4) mc-cli, a command line tool written in Go to interact with the device

    Supporting Files, Code, etc:

    Target Audience:
    Hardware, Defense

    How will you or your Demo Lab contribute a new perspective to the content at DEF CON? The Mooltipass project takes a fundamentally different approach from the commonly used software-based security solutions that require non-compromised systems to run on. We want to show that there are open source hardware solutions out there that do not sacrifice security for ease-of-use while reducing the attack surface to a very strict minimum.
    PGP Key: