Episode: 2986
Title: HPR2986: Onlykey Updated
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2986/hpr2986.mp3
Transcribed: 2025-10-24 14:20:55

---

This is Hacker Public Radio Episode 2986 for Monday 13 January 2020. Today's show is entitled "Onlykey Updated" and is part of the series Privacy and Security. It is the 40th anniversary show of Operator and is about 23 minutes long and carries an explicit flag. The summary is: OnlyKey, more like you better have two keys.

This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15, that's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Music

Hello everyone, welcome to another episode of Hacker Public Radio and your host, Operator. I spent the past 40 minutes or so fussing around with the OnlyKey. So this is about a hardware-based key or password manager or authentication device. So I'm going to go over it. I've gone over it before; I think I did a video along with audio about how to set them up kind of properly and some caveats there. But I just wanted to add some more caveats because they just had an update and some tooling and whatever.

So it's always been a little bit of a struggle to use this device. It's very user friendly, but at the same time it can be complex to understand the layers and how it works. So it's easy to use but kind of hard to understand, if that makes any sense.

So, what they added with the new features... Some of the features, basically, are: it has a little key fob you wear, and I don't know if you've heard of YubiKey or any of those like that. It's the same type of thing. It's a Teensy sort of device and it has six buttons on it that you can program up to, I think, 12, and then I think you can add an additional double that, because you can have a second profile that's a fake profile, I guess, or whatever. So it has plausible deniability features in it.
And it also has support for a bunch of 2FAs, like Google and OTP and something else, the OnlyKey or YubiKey stuff. You can put keys in there and then those keys can sync up to accounts. So for example, if you're doing something like Microsoft, they don't natively support Microsoft's 2FA, but Microsoft supports Google, so you can pipe Google's 2FA into Microsoft, and then when you authenticate 2FA to Microsoft, it essentially syndicates with Google, which essentially talks to your YubiKey, which essentially is your single factor, basically. So that's how crazy you can get with it. So any 2FA device has, like, usually either a Google Auth or a Duo or whatever, or more of an OTP provider.

So anyways, that's the features. There's a bunch of other features in there: you can store keys in it, you can store all kinds of crazy stuff. You can do a bunch of other things; it's like a single authentication device is the idea, that they're trying to pair up with other applications and whatever. So, outside of the defaults, what you get is not only, people have, like, a URL, a username and a password. You can also set up, what I had to do is I set up different things for when I change my password. So if I had to repeat my password, an old and new, I can have a copy, essentially, of my old and new password. So when I'm changing my password I have those keys set up.

And what I would say is, if you do get it, buy one; if you don't like it, give it away. If you do like it, you're going to want to purchase another one, because basically it's your two-factor authentication. So if you lose it, forget it. Forget it at the house and you proceed to try to log in: you're not going to be able to log in, because you don't know what your passwords are. So it's something you have, and if you don't have it, obviously you can't log in.
So what I would suggest is, what I've had to do is, when I got it, I thought it was cool to use it for a few days and then I realized, hey, if I forget this, if I leave it in my, you know, one computer and go to another, especially if you're taking it from one computer to the other, you're going to want to make sure that you keep it on you, whatever. They do give you the option to buy, it's fairly expensive actually, the little trinket that hooks to like a badge. I would suggest finding one of those cheap online. They charge like $5 or something ridiculous. It's really expensive, but it's nice; it hasn't come apart. It's not cheap. It's sturdy. So chances are... actually, my child or somebody was pulling on the YubiKey, and the lanyard broke before any of the YubiKey stuff broke. So I've had it for two or three years now. I like it, but I have, you know, broken it twice now. So I'll kind of go over what I did and how I did it.

If you have one of the original ones with the older firmware, it's like beta 6, I think, you have to do a Teensy method to patch it. So you get this patch, you have to figure out which one you have. So there's different versions. So there's at least two different versions, you figure out which one you want, and then there's also like an international, which has the 2FA, or has the, I think it has the plausible deniability stuff in it. I'm not really sure what the two differences are, but I think it's an additional plausible deniability or an additional profile, or maybe they'd combined those two, I don't know. But anyways, you just have to be very cautious of what firmware, obviously, you push to these things, or you might end up kind of breaking it and kind of have to start over. And that's why it's good to have two. If you do any firmware updates, just have a backup of your passwords, super early.
Somewhere, just in case you break the thing and you can't log in to anything anymore, because you've bricked your own little authentication device. So the first time I did it, you have pinouts on there, and you short out two pins, or you press a button on two corners of the thing, and then you flash the firmware with the Teensy, if you've ever done any Teensy stuff, firmware flashing. It's quick, fast. I didn't have any issues with that, but I did try to make, you know, make sure that I did it the right way, and it did take me a while to read the documentation and make sure I was doing it the right way, because I didn't want to break it or anything like that. And I don't think there is, I don't think there's a possibility that that could happen. You can always flash an old firmware to it, I feel like. I don't know if you can actually break the things, but in my experience, it's always better to take extra time when you're doing firmware stuff and not have to go back and redo the whole thing, which I've had to do. So that's the legacy updates.

Now, with the newer updates, it used to be key-based, so you had to have a key, an RSA key, it's just a certificate, basically. But now, you can have a passphrase. And that passphrase is set up to, I think, just be built into the backup itself. So the backup itself, I think, actually has the passphrase that goes with it in it. So instead of having to have a key with the passphrase, this standard, you know, whatever, it's built into the device, so all you have to do is remember your master password. You don't have to have a key file. Now, you can do that. I think you can do one or the other. I don't think you can do both. But again, the idea is that, if you don't want to worry about the key thing, and I have a key file, and I haven't uploaded that or whatever, you can just remember a master password that's long and complex. It's a minimum of like 25 characters.
So I had to reach to get to that point, because I have several key passphrases that are in my head, and I had to come up with a long one for this one. But anyways, now there's the password, passphrase option to keep your, to do your backups and stuff. What I will say is that all the other backups I have are now worthless, and I don't think you can restore anything.

So what happened is that there's a beta 8 out now, and I'll put links in the show notes to the videos and stuff and the builds. But there's a beta 8 now that's not, I guess, not pushed out, or whatever; it came out in October. And they posted some more videos too. So I just happened to be like, hey, let me check and see if there's an update for my firmware. One of the features I'll say, I'm going to go back to my notes here, is, yeah, I talked about the caveats and divots between the firmwares. I think by default it puts you on 7 now, and then, I guess, eventually they're going to push out 8 to people as a whatever, or maybe my OnlyKey plug-in for Chrome is old or something, because there's a soft client, there's a thick client you can put on there to actually install it. And then you can just use Chrome. So if you don't have local admin, you don't have to worry about installing anything; you can use a Chrome plug-in, because it's just, if I'm not mistaken, it's just Java.

So what I did once today is, I downloaded the international firmware, I think, and I updated with that, and I think it was okay, but then I tried to push a restore, I tried to back up and push that backup to the old one, and it got confused, or some vice versa. So I ended up, there was stuff in my thing, so when I pressed the button, it would type stuff, but it wasn't the password that I was expecting.
So it was either there because of the wrong firmware, or the wrong international, or the wrong firmware got pushed on there, or I have a wrong backup or restore, I don't know what happened, but essentially, if you have one working, you can always just back up, replace all your backups and whatever. Where you have a problem is if you don't know what version, firmware, or whatever your key goes with; then you need to figure it out and then reverse engineer it. So what I would say is that, in the future, bundle your firmware with your backups, just in case; maybe even keep the old, all the firmwares that you've used or patched to. So just in case you have to restore an old password from an old firmware that's no longer available, or whatever, there won't be any confusion as to what firmware you used when you backed it up. So, you know, I would go as far as to say, keep your backups with your firmware that it's currently on there, and the right version, so I'm not going to have to worry about it.

Obviously, it'll figure it to your passphrase, is what I ended up doing, but luckily I had the old and new password for Active Directory, and the different, are assigned to a different key, and I hadn't ruined that one yet, and I accidentally wiped the wrong, the wrong thing. So obviously, be careful, there's no prompts with this stuff. So if you hit the wipe key, and you wipe out your, you know, Active Directory password, or whatever, it's gone, you're done, unless you can restore it, which I couldn't do, and luckily I remembered that one of the keys I had bound to the new password, which would have been the new password for AD. I kind of lucked out.

So I have everything set on the two devices now, they're all set up. You can change the LED brightness. It's very bright, I think 8 by default. It's extremely bright by default. I might even just leave it on 1 for now and see how that works.
In some instances, you know, you are outside, and I've actually had problems being able to tell whether or not, you know, it's a key I'm pressing, because it's under the device. So you basically have to cup your hand under the device to see if the LED is on or not. So I would actually, you know, give it a try with a lower brightness, because if you're walking around with it at night, it's really bright, like, freaking bright, and you're walking past somebody, and you'll be able to kind of have them blinded. So it's a really bright LED in there.

The other feature I'll say that they added is a quick setup guide, which basically dumps out all the information you need. Okay, here's your password. Here's your key. Here's your PIN. Here's your alternate PIN. Here's your passphrase to back it up. Print out this document and keep it somewhere physically safe, and you don't have to do anything. It just works. So that way, all your backups have the same issue. You don't have to worry about any of that, setting it up, or setting up keys, or it being complicated, because that's kind of the feature, that's kind of the thing that I'd say we're kind of missing, because, you know, doing the keys and figuring out what firmware we had, or whatever, it was kind of confusing. So I think this quick setup might help people that just want to make it go. So that way, they could just print out this document, have their PINs in there, and they have the alternate method, where you can enter the PIN and it won't actually save it to the screen. I think it just puts it in there, and you have to remember your PIN, obviously. So that's in those videos.

Let's see, what else I'll say. You'll also want to get, because if you're in a corporate environment, or wherever else, if you're doing something with your phone, guess what? You're going to want to authenticate through your phone, too.
And you don't necessarily want your core passwords, or master passwords, to be in something like a password safe, like LastPass. So what you don't want to do is put your 2FA, or your OnlyKey passwords, in any of your password managers or whatever. So the idea is, if your password manager gets popped, and you have your OnlyKey, or your, you know, 2FA token thing keys stuck in there, then as somebody pops that, they can get to your passwords for it, or the OnlyKey, physical device type of thing. So I keep the LastPass stuff separate from my OnlyKey. So that way, you know, my bank password is only in my brain, and only on the key, and it's only on the other key in the world. So that way there's no confusion as to, like, getting prompts, and password prompts and stuff, for hosts and domains and things that I don't want to save anywhere except for a physical device.

And if you're using, like, Android, every once in a while you're going to have to re-authenticate, and guess what? If you don't know your 52-character password, I think it's 56 characters max or something. If you don't know your 52-character password, then you're going to have to copy and paste it somewhere, out of somewhere, and then send it to yourself, and then paste it in, which obviously beats the purpose of the whole thing. So what you can get is a little fob that starts to come with newer phones now, that transfers the USB-C to standard USB, so if you want to charge your phone through standard USB, you can do that.
I think it's also designed for this specific case, so if you have a 2FA device, you can plug your little USB-C to male, or to female USB, plug it into the bottom there, and then you plug in the USB key, or the OnlyKey, sorry, and put in your password. The problem, or at least on this phone and the phone previous, is that the LED doesn't work, and I guess it's because of the voltage or whatever. I read something on my, I assumed it wasn't, excuse me, I assumed it wasn't working, but it's actually working, but the voltage, or something about the voltage, or whatever. So you just have to keep in mind that, you know, you type in your PIN, wait a few seconds, and then press your thing, and it'll pop right up.

I've also had issues with, oh, I mentioned the, I don't know if I mentioned the lock features, so you can assign one of the keys, it has to be the primary, so I had to move some things around. But I assigned, like, the number 6 key to lock the workstation, Windows key + L, and then basically set the OnlyKey to, like, lock too. So I don't know how you're supposed to do it before, but basically it has to, I'd take it with me. So I would walk off, unplug the key, and take it with me. Now you can just hit the lock key, it'll lock your workstation, and it will lock the OnlyKey too. So if you don't want to physically bring it with you, you can just use that.

Let's see, what else? The Android issues I talked about, I was talking about the features, and there was one other thing I was going to bring up, outside of the locking feature, there was another new feature, oh, the keyboard speed. So it's always been around, but you can set the speed of the keyboard, a default like 8 or something like that, 8 or 4, which is pretty slow. Now, well, the first thing I did was put it all the way to 10, which is almost instantaneous.
Seems to work everywhere, except I had Symantec Drive Encryption on a system, and if it was not booted into the right thing, or whatever, the keyboard speed would be too fast. So I will, like, when I disabled, I think I disabled UEFI, or disabled something in the BIOS, like legacy support for USB, or something like that, and it was able to pick it up after that, but I had issues with speed. So obviously keep that in mind if you've got things like an RDP client, or if you're doing remote desktop over remote desktop; there's things like SendKey delays, and if you've ever done AutoHotkey and AutoIt scripts, there's things like SendKey delays and hold time values, meaning, if you just type out the password extremely fast, that's not long enough sometimes for certain applications to pick up that you've actually registered and clicked that thing, or typed that key. So I don't even know if they have, like, a SendKey delay setting for the thing that tells you how long to hold the key down. How many milliseconds do you hold the key down before it actually lifts up that key? That's a key up value. There's DLL stuff you can do, like SendKey event stuff, throughout AutoHotkey, and you can do it straight up in Windows. Anyways.

But you'll find issues where you're already RDP'd into a box, you hit the thing, and it goes, and either the keys are messed up somehow, because the case gets screwed. I don't understand how or why it happens. The only thing I can assume is that it's typing it so quickly, it changes the case. So, meaning that, if my password has an uppercase in it, or a special character, it's going to hit the special character, and then stay in the lowercase, the uppercase for a while, the caps lock basically, the shift button, for too long.
So it hasn't sent the key up from the shift before it, so if you're, it's hard to explain, but basically it's keeping the caps lock or the shift key down too long, and your password is being a bunch of garble to you, and it's not right. So keep in mind that there are, you know, some things that are limited, and you'll find that when you're working with this stuff, the more time, the more you use it, the more weird things you'll find out about it; there are some kind of limitations, not due to, excuse me, YubiKey's failed design, it's just the way, you know, people and applications interpret keys, and when we start going faster than humans can type, things get weird. So I've had issues with RDP, and I've had to do silly stuff, like have an AutoHotkey script that would pick up the, pick up what I typed in the box, and then what I typed in the box would be actually sent through AutoHotkey, and then sent out to, you know, the screen buffer, or the send key buffer through AutoHotkey, so that it would type the right password.

That's pretty much it. As far as payloads, I thought initially I could make it a Teensy, or a USB, but you could only put, basically, up to, it's like 52 bytes, or more, 52 characters, and another 52, and another 52, so I think you could get, that's about all you get, which is roughly, like, 150 characters. That's not enough for really any kind of payload, especially, like, an obfuscated payload, PowerShell or something. That's pretty much it.
I like it, I use it, you know, there are weird use cases, like, for example, if someone wants you to type in your password into something that doesn't, oh, I need to easily type in your password, it's very painful, and that's where that need, or want, is to take it and just throw it up into LastPass, and that kind of beats the purpose, so try not to do that. So, for example, you can always make sure you, some kind of wireless device for the touchscreen, and I'm like, I'm not going to put in a 52-character password with, like, a tiny little LCD, like some dumb printer or something. Like, I'm not going to, first, I don't trust that device with the whole password, safely, anyways, or the authentication for that password, anyways; it's probably getting sent over plain text somewhere anyways. Secondly, it's, you know, just so you know, I've gotten YubiKeys before and given them away. OnlyKeys, they run about 40 bucks, I think, and then when it's all said and done, they're like 45 or something, and then you buy two of them, so you're spending 100 bucks on key fobs, but, you know, having a nice long password that no one can hack. And funny I say that: I actually used it at a previous employer, and a coworker was actually able to crack it. So keep in mind, the password is a pseudo-random password; it's not something that's a quote, or a string of known characters. So you don't want to use, obviously, you don't want to use things from a book, but, you know, you think that it's random enough, but obviously it's not random enough if it's something that's already been written and printed, and it's not, you know, random battery horse staple. Anyways, I hope that helps you guys out.
If you have any questions about setup and stuff like that, I'll have the videos posted, but if you have any problems with it, or whatever, need help setting it up, just let me know, and I can help you guys out. But I like it; I bought one for my dad, I don't know if he's used it, but we'll see. Appreciate it, take it easy.

Music

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license. Thank you very much.