Emulation of hardware tokens (YubiKey, Google Titan) using FPGA and software emulators

Good Carder

Stop hiding your YubiKey in a drawer. Tired of spending hundreds of dollars on hardware that keeps getting lost? It's time to build your own hardware token emulator.

Today I'll show you how to build your own FIDO2 token. This isn't a clone of a YubiKey but an independent, open-source FIDO2 authenticator: it speaks the same protocols, logs into the same services and, on the newer chips, keeps its secrets locked to the hardware. What it does not do is carry Yubico's attestation identity, and Part 4 explains why no firmware trick changes that. All you need is a $5 RP2350 microcontroller, open-source firmware, and a little free time. Let's dive into a world where hardware security is not a myth, but a technology you can build yourself.


🕵️ Part 1. Debriefing: FIDO2 Architecture. What Protects Your YubiKey

Before you build anything, you need to understand how the security works. FIDO2 isn't magic, but a stack of layers, and each layer answers a different question:
  • WebAuthn (Web Authentication API) is the interface browsers expose to web applications. The relying party (the website) generates a random challenge; the browser packs it with the origin and RP ID into the clientData, hands it to the authenticator for signing, and returns the signature to the server, which verifies it against the public key registered for that credential. Verification happens on the server, not in the browser.
  • CTAP (Client to Authenticator Protocol) is the "language" the operating system and browser use to talk to the key. It runs over USB HID, NFC, or Bluetooth, and for external (roaming) authenticators it is the only way in. CTAP1 is the old U2F wire format; CTAP2 carries CBOR-encoded commands such as authenticatorMakeCredential and authenticatorGetAssertion. Implement this protocol correctly and the platform will treat your device as a FIDO authenticator.
  • Attestation is the device's "passport." At registration the authenticator returns an attestation statement: a signature over the authenticator data and the client data hash, made with an attestation private key that was burned in at the factory (shared across a large batch of devices so it can't identify an individual key), plus the certificate chain (x5c) for that key. The relying party verifies the signature with the leaf certificate's public key and then decides whether it trusts that make and model. The certificate is public and travels in every registration response; the private key behind it never leaves the device.

The layers are linked but independent: CTAP emulation is what makes the device talk to the platform; attestation is what a relying party uses to decide which vendor's device it is talking to. A clean CTAP implementation with its own attestation key is a perfectly good authenticator; it just doesn't claim to be a YubiKey, and, as we'll see, it cannot honestly claim to be one without the vendor's attestation key.
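To make the CTAP layer concrete, here is an added example (written for this page, not code from pico-fido or python-fido2) of the CTAPHID framing that every USB FIDO key speaks underneath the CTAP2 commands: a request is split into 64-byte HID reports (an initialization packet carrying the command and byte count, then numbered continuation packets), and the client reassembles the reply, skipping the keepalive packets a key sends while it waits for a touch. The channel ID, the GetInfo reply body and the keepalive are constructed sample data; on real hardware the reports would be written to and read from the key's hidraw device.

```python
"""CTAPHID framing: split a CTAP2 request into 64-byte HID reports and
reassemble what the authenticator sends back.  Standalone example written
for this page, not pico-fido code.  Layout per the CTAP spec: init packet =
CID(4) | CMD with bit 7 set | BCNT(2, big-endian) | data; continuation =
CID(4) | SEQ | data.  The channel ID and messages below are constructed."""
import struct

PACKET_SIZE = 64                    # USB full-speed HID report size used by CTAP
INIT_PAYLOAD = PACKET_SIZE - 7      # 57 data bytes fit in an initialization packet
CONT_PAYLOAD = PACKET_SIZE - 5      # 59 data bytes fit in a continuation packet
MAX_MESSAGE = INIT_PAYLOAD + 128 * CONT_PAYLOAD   # 7609 bytes; SEQ runs 0..127

CTAPHID_CBOR = 0x10          # CTAP2: command byte + CBOR parameters
CTAPHID_KEEPALIVE = 0x3B     # sent while the key waits for a touch
CTAPHID_ERROR = 0x3F
CTAP2_GET_INFO = 0x04        # authenticatorGetInfo, takes no parameters
CTAP2_OK = 0x00


def hid_fragment(cid, cmd, payload):
    """Encode one CTAPHID message as a list of fixed-size HID reports."""
    if len(cid) != 4:
        raise ValueError("CID must be 4 bytes")
    if len(payload) > MAX_MESSAGE:
        raise ValueError("payload exceeds CTAPHID maximum of %d bytes" % MAX_MESSAGE)
    head = struct.pack(">4sBH", cid, cmd | 0x80, len(payload))
    packets = [(head + payload[:INIT_PAYLOAD]).ljust(PACKET_SIZE, b"\0")]
    for seq, off in enumerate(range(INIT_PAYLOAD, len(payload), CONT_PAYLOAD)):
        body = cid + bytes([seq]) + payload[off:off + CONT_PAYLOAD]
        packets.append(body.ljust(PACKET_SIZE, b"\0"))
    return packets


def hid_reassemble(packets, expected_cid=None):
    """Rebuild (cid, cmd, payload) from reports, rejecting the framing errors a
    real client must reject: wrong channel, out-of-order SEQ, short message."""
    cid, cmd, bcnt = struct.unpack(">4sBH", packets[0][:7])
    if not cmd & 0x80:
        raise ValueError("first report is not an initialization packet")
    if expected_cid is not None and cid != expected_cid:
        raise ValueError("report belongs to another channel")
    data = bytearray(packets[0][7:7 + min(bcnt, INIT_PAYLOAD)])
    for seq, pkt in enumerate(packets[1:]):
        if len(data) >= bcnt:
            break
        if pkt[:4] != cid:
            raise ValueError("continuation packet from another channel")
        if pkt[4] != seq:              # bit 7 set here would be a fresh init packet
            raise ValueError("unexpected SEQ %d, wanted %d" % (pkt[4], seq))
        data += pkt[5:5 + min(bcnt - len(data), CONT_PAYLOAD)]
    if len(data) != bcnt:
        raise ValueError("truncated message: %d of %d bytes" % (len(data), bcnt))
    return cid, cmd & 0x7F, bytes(data)


def ctap2_request(cid, ctap_cmd, cbor_params=b""):
    """A CTAP2 request is one command byte followed by CBOR-encoded parameters."""
    return hid_fragment(cid, CTAPHID_CBOR, bytes([ctap_cmd]) + cbor_params)


def ctap2_response(packets, cid):
    """Return (status, cbor_body); skips keepalives and surfaces transport errors."""
    while packets and packets[0][4] == (0x80 | CTAPHID_KEEPALIVE):
        packets = packets[1:]
    _, hid_cmd, payload = hid_reassemble(packets, cid)
    if hid_cmd == CTAPHID_ERROR:
        raise RuntimeError("CTAPHID error 0x%02x" % payload[0])
    if hid_cmd != CTAPHID_CBOR:
        raise ValueError("expected CTAPHID_CBOR, got 0x%02x" % hid_cmd)
    return payload[0], payload[1:]


# Constructed sample.  Real channel IDs are allocated with CTAPHID_INIT on the
# broadcast CID 0xffffffff; the body is CBOR for {1: ["FIDO_2_0", "FIDO_2_1"]}.
CID = b"\x12\x34\x56\x78"
SAMPLE_GETINFO_BODY = b"\xa1\x01\x82\x68FIDO_2_0\x68FIDO_2_1"


def demo():
    """Round trip: GetInfo request, a keepalive, then the CBOR reply."""
    request = ctap2_request(CID, CTAP2_GET_INFO)
    keepalive = hid_fragment(CID, CTAPHID_KEEPALIVE, b"\x02")   # 2 = UPNEEDED
    reply = hid_fragment(CID, CTAPHID_CBOR, bytes([CTAP2_OK]) + SAMPLE_GETINFO_BODY)
    status, body = ctap2_response(keepalive + reply, CID)
    return len(request), status, body


if __name__ == "__main__":
    print(demo())
```

The strict SEQ and channel checks are not pedantry: a device that drops or reorders continuation packets, or answers on the wrong channel, is exactly the kind of protocol-level anomaly that gives away a sloppy emulator (Part 5), and a real client discards the message just as hid_reassemble does.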

🛠️ Part 2. Weapons of the Proletariat: Open Source Pico-Fido Firmware

Industrial tokens are expensive and proprietary. We'll take a different approach. The pico-fido project by polhenarejos is your ticket to the world of DIY tokens. It turns a low-cost Raspberry Pi Pico (RP2040/RP2350) or an ESP32-S3 into a full FIDO2 authenticator. The firmware gives you:
  • A full CTAP stack. CTAP 2.1 and CTAP 1 (U2F) are both supported, so the key works with any modern service (Google, Microsoft, GitHub, etc.).
  • More than FIDO. WebAuthn and U2F, resident credentials (passkeys), OATH (TOTP/HOTP) and keyboard emulation for OTP entry, with the key material kept on the device. On features it compares with commercial keys.
  • Hardware-assisted key protection. On the newer chips (RP2350, ESP32-S3) the firmware can use secure boot and the chip's one-time-programmable storage (OTP on the RP2350, eFuses on the ESP32-S3) to tie the stored master key to that particular chip, so a dumped flash image is useless on its own. This is good protection against an opportunistic thief; it is not a certified secure element, so don't treat it as one against a lab with physical access.

So, we have the weapons. It's time to learn how to set them up and use them.

🚀 Part 3. Step-by-step instructions for building your emulator

Step 1. Selecting Equipment (Startup Capital: $5)

For assembly you will need the most accessible hardware:
  • Raspberry Pi Pico (RP2040). The cheapest option (around $4). Keep in mind that the RP2040 has no secure boot and keeps firmware and data in an external QSPI flash chip, so anyone with physical access can dump it over the SWD debug pins or by reading the flash chip directly, and the stored keys go with it.
  • Raspberry Pi Pico 2 (RP2350). The best value (around $5-6). It has secure boot and OTP key storage, which pico-fido can use to protect the master key, making it much harder to pull keys off a seized board.
  • ESP32-S3. More powerful and a bit more work to flash (no UF2 drag-and-drop), but it also offers secure boot and flash encryption.

Any RP2040 or RP2350 board with the standard UF2 bootloader will work. For a first build I recommend a plain Raspberry Pi Pico, it's the easiest way to get started; use an RP2350 board for anything you actually rely on.

Step 2. Flashing (5 minutes)

  1. Press and hold the BOOTSEL button on the Pico and connect it to your computer via USB.
  2. A removable disk appears (RPI-RP2 for the RP2040, RP2350 for the Pico 2).
  3. Download the latest .uf2 firmware from the Releases section of the pico-fido GitHub repository, picking the build for your board (RP2040 vs RP2350; a build for the wrong chip simply won't boot).
  4. Copy the .uf2 file onto the drive. The board reboots by itself and comes up as a FIDO2 token.
  5. Set a PIN. Any FIDO2 client can do it: libfido2's fido2-token (fido2-token -S /dev/hidrawN on Linux), the security-key settings in Chrome or Windows, or ykman (Yubico Key Manager). Without a PIN the key still works for U2F/CTAP1 logins, but anything that requires user verification (passkeys, CTAP 2.1 credential management) will refuse it.

Step 3: Setup and First Steps

After flashing, the Pico shows up as a USB HID FIDO device and you can register it with services like GitHub or Google (for services that check attestation, it registers as a pico-fido, not as a YubiKey). The firmware also supports credential management for resident keys and, on the Pico, customization of the status LED. Check the token the way the platform sees it: fido2-token -L lists connected authenticators, and fido2-token -I /dev/hidrawN prints the authenticatorGetInfo response (versions, options, AAGUID), which is exactly the data a relying party uses to identify the model.

💣 Part 4. Advanced Emulation Techniques

A simple flashing is just the beginning. The real question is how far you can go in making the emulator look like an authentic YubiKey, and where that road ends.

4.1. Cloning an Attestation Certificate. Why "Pretending to Be Legitimate" Doesn't Work

The key to the emulator's identity is the attestation. By default pico-fido presents its own attestation, not Yubico's, so a relying party that checks attestation sees a pico-fido, not a YubiKey. That is fine for the average user; the question is whether it can be swapped for a YubiKey's.

The tempting recipe looks like this:
  1. Get a YubiKey's attestation certificate. It's public: it is sent as the x5c field of every registration response, and libfido2's fido2-cred tool prints it after a test registration against a real YubiKey. (Note: this is the FIDO attestation certificate. The certificate in PIV slot 9c is the PIV digital-signature certificate, a different application with no role in WebAuthn.)
  2. Convert it to DER with OpenSSL and turn it into a byte array that can be compiled into the firmware in place of the default certificate.
  3. Rebuild the firmware and flash it to the Pico.

What that buys you is nothing. The attestation statement isn't the certificate, it's a signature over authenticatorData and clientDataHash made with the attestation private key, and the relying party verifies that signature with the public key in the certificate you just copied. The private key is inside the YubiKey and is not exportable; your firmware signs with a key that doesn't match the certificate, and the very first registration fails verification. The only ways through are a real attestation private key (the hardware is built precisely so you can't get it) or a certificate chain for your own key that chains to a root the relying party trusts, which Yubico's CA will not issue for a Pico.

The practical caveat: WebAuthn's default attestation conveyance is "none", and most consumer relying parties never verify attestation at all; against them pico-fido simply works under its own identity and no "cloning" is needed. Relying parties that do verify (enterprise allowlists built from the FIDO Metadata Service) reject a copied certificate on the signature check before they ever look at the vendor name.

4.2. Attacks on CTAP: Interception and Substitution on the Fly

The most flexible technique is to write your own CTAP authenticator in software. Instead of flashing ready-made firmware, you write a program (Python is a good fit) that implements CTAP2 itself: CBOR commands over the CTAPHID framing. To present it to the operating system as a real key you need a virtual HID device, for example /dev/uhid on Linux; for browser-only testing, Chrome's DevTools WebAuthn panel already ships a virtual authenticator. The python-fido2 library implements the client side (it talks to authenticators over hidraw and speaks CTAP2 for you), and its fido2.server module implements the relying-party side, so you can watch both ends of an exchange and modify anything in between. That gives you complete control over the authenticator's behaviour: response timing, what it claims in getInfo, how it handles PIN and user presence. What it does not give you is a way past the cryptography: a software authenticator signs with the keys it holds, so its responses verify only against the keys and attestation it actually has. This is the level where you learn the protocol rather than bypass it.

⚖️ Part 5. Emulation Protection (Blue Team)

Understanding these mechanisms is useful not only for building authenticators but for deciding how much to trust them. To detect emulators, software authenticators or cloned credentials, a relying party has several checks:
  • Attestation verification against the FIDO Metadata Service. Verify the attestation signature with the leaf certificate, chain it to the vendor root, and match the AAGUID against the metadata entry for the models you're willing to accept. This is the check a copied certificate fails, and the only way to enforce "real YubiKeys only".
  • Sign counter monitoring. Every assertion carries a signCount; if it fails to increase for a credential (and either value is non-zero), two devices hold the same private key, which is exactly the symptom of a cloned credential.
  • Interaction analysis. Unexpected getInfo contents, responses with no user-presence delay, or CTAP traffic that doesn't match the claimed model are signs of emulation.
  • Protection against downgrade attacks. Don't accept U2F/CTAP1 registrations or attestation "none" where policy requires a verified model, and don't let a user fall back to weaker second factors once a security key is enrolled.
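The first two checks above, and the reason the certificate copy in 4.1 fails, come down to what the relying party does with authenticatorData. The following added example (written for this page; not pico-fido code and not a substitute for a WebAuthn server library) parses a registration's authenticatorData with a minimal CBOR decoder, assembles the bytes the attestation signature must cover, checks the RP ID hash, flags, credential key type and an AAGUID allowlist, and applies the sign-counter rule that catches cloned credentials. The sample registration, the AAGUID and the allowlist are constructed; extension data (the ED flag) is not handled; a real deployment would fill the allowlist from the FIDO Metadata Service and verify the signature itself with a crypto library.

```python
"""Relying-party checks on FIDO2 authenticatorData.  Added example for this
page, not pico-fido code; layout follows WebAuthn section 6.1.  The sample
registration, the AAGUID allowlist and the RP ID are all constructed."""
import hashlib

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40   # ED (0x80) extensions not handled here


def _cbor_head(buf, pos):
    mt, ai, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if ai < 24:
        return mt, ai, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
    if width is None:
        raise ValueError("indefinite-length CBOR is not allowed in CTAP2")
    return mt, int.from_bytes(buf[pos:pos + width], "big"), pos + width


def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder, enough for COSE keys and CTAP2 maps."""
    mt, val, pos = _cbor_head(buf, pos)
    if mt == 0: return val, pos                               # unsigned int
    if mt == 1: return -1 - val, pos                          # negative int
    if mt == 2: return bytes(buf[pos:pos + val]), pos + val   # byte string
    if mt == 3: return buf[pos:pos + val].decode("utf-8"), pos + val
    if mt == 4:
        items = []
        for _ in range(val):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if mt == 5:
        out = {}
        for _ in range(val):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % mt)


def parse_authenticator_data(auth_data):
    """rpIdHash(32) | flags(1) | signCount(4) | [AAGUID(16) | idLen(2) | id | COSE key]"""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    parsed = {"rpIdHash": auth_data[:32], "flags": auth_data[32],
              "signCount": int.from_bytes(auth_data[33:37], "big")}
    pos = 37
    if parsed["flags"] & FLAG_AT:                 # attested credential data present
        parsed["aaguid"] = auth_data[pos:pos + 16]
        cred_len = int.from_bytes(auth_data[pos + 16:pos + 18], "big")
        parsed["credentialId"] = auth_data[pos + 18:pos + 18 + cred_len]
        parsed["credentialPublicKey"], pos = cbor_decode(auth_data, pos + 18 + cred_len)
    if pos != len(auth_data):
        raise ValueError("trailing bytes after authenticatorData")
    return parsed


def attestation_signed_data(auth_data, client_data_json):
    """What attStmt.sig covers; the RP verifies it with the x5c leaf cert's public
    key, which is why a copied certificate without its private key fails here."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def check_registration(auth_data, rp_id, aaguid_allowlist):
    """Structural checks an RP runs before it even looks at the vendor name."""
    p = parse_authenticator_data(auth_data)
    findings = []
    if p["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        findings.append("rpIdHash does not match %s" % rp_id)
    if not p["flags"] & FLAG_UP:
        findings.append("user presence flag not set")
    if "aaguid" not in p:
        findings.append("no attested credential data")
    else:
        if p["aaguid"] not in aaguid_allowlist:
            findings.append("AAGUID %s not in allowlist" % p["aaguid"].hex())
        key = p["credentialPublicKey"]            # COSE labels: 1=kty, 3=alg, -1=crv
        if key.get(1) != 2 or key.get(3) != -7 or key.get(-1) != 1:
            findings.append("credential key is not ES256 on P-256")
    return p, findings


def check_sign_count(stored, received):
    """A counter that stops increasing means two devices hold the credential key."""
    if stored == 0 and received == 0:
        return True                               # authenticator has no counter
    return received > stored


def build_sample_auth_data(rp_id="example.com", sign_count=1, aaguid=b"\xab" * 16):
    """Constructed authData: UP|UV|AT, 16-byte credential id, ES256 COSE key
    with placeholder coordinates (not a real public key)."""
    cose_key = (b"\xa5\x01\x02\x03\x26\x20\x01"
                b"\x21\x58\x20" + b"\x11" * 32 + b"\x22\x58\x20" + b"\x22" * 32)
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_UP | FLAG_UV | FLAG_AT]) + sign_count.to_bytes(4, "big")
            + aaguid + (16).to_bytes(2, "big") + b"\x01" * 16 + cose_key)


ALLOWLIST = {b"\xab" * 16}   # constructed; a real RP builds this from FIDO MDS
```

Note what is not in this block: the ECDSA verification of attStmt.sig over attestation_signed_data(...) with the x5c leaf key, which is the step a copied certificate fails. Everything before it is structure, and an emulator can get all of it right; the signature is where the attestation private key is needed, and the sign counter is what betrays a credential whose private key has been duplicated.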

💎 Summary

Hardware tokens are no longer exotic. Today you can pick up a $5-7 microcontroller and build your own FIDO2 token that is functionally on par with a commercial YubiKey for everyday logins; what it lacks is the vendor's attestation, and no amount of certificate copying gives it that. Use it for pentesting and research, to protect your own and test accounts, and to learn the protocol end to end. Remember that true security isn't blind faith in "impenetrable" hardware, but understanding exactly what each layer does and does not guarantee.

A quick one-line reminder:
"CTAP = communication protocol, Attestation = token passport. pico-fido is open-source firmware that turns a Pico into a FIDO2 authenticator. PIN via fido2-token or ykman, OTP via keyboard emulation. Its own attestation for your own key; a copied YubiKey certificate without the private key is worthless. Use an RP2350 and enable secure boot so the keys can't be lifted off a seized chip."