The ToothPaste Dongle Lets You Paste Your Passwords From a Trusted to an Untrusted Machine
Espressif ESP32-based device acts as a USB HID keyboard and mouse, turning anything entered into a web app into BLE-transmitted keystrokes.
Pseudonymous developer "Brisk4t" has released a gadget, powered by an Espressif ESP32-S3, which is designed to securely transmit passwords and other secrets to any USB Human Interface Device (HID) compatible machine, by pretending to be a keyboard and mouse.
"As a maker and tinkerer, I often find myself needing to quickly paste passwords, commands, or text snippets into devices that aren't connected to the internet," Brisk4t explains. "And sometimes I just don't want to login to my password manager on some sketchy makerspace computer. Or... I'm just lazy. This might be the real reason. And I just needed a reason to solder stuff and write some code. And then I went a bit overboard."
The result: ToothPaste, an Espressif ESP32-S3-based dongle designed to pair with a trusted machine over Bluetooth Low Energy. Connect the dongle to a target device's USB port (anything that supports USB keyboards and mice via the USB HID protocol works without installing a driver) and open the web app in a supported browser on the trusted machine to connect via WebBLE, then simply type your passwords into the trusted system for secure transmission.
"[ToothPaste] encrypts keystrokes using ECDSA and sends them as custom ProtoBuf packets," Brisk4t explains of the web app side of the project. "[It also] encrypts local data using the Argon2 key derivation function (the same algorithm used by password managers) and never stores keystrokes. [And] looks cool while doing it. The ToothPaste receiver acts as a USB keyboard (and mouse) without needing any drivers [and] decrypts packets sent from the WebApp and types them out as keystrokes."
"The core idea was to eliminate the need for complicated and lengthy login flows for one-off cases where a keyboard would normally be required or is the only device that is supported (BIOS, air-gapped systems, shady back-alley computers where you don't want to install your password manager etc.)," Brisk4t says. "This means existing solutions like KDE Connect are non-starters since, at the very least, they require both devices to run a compatible operating system and allow installing third-party software."
More details are available on the project's GitHub repository, where the source files are published under the GNU Affero General Public License Version 3 with PCB design files to follow. "In the interest of keeping the concept simple, a ToothPaste Receiver (I'm thinking of a more fun name) is just an ESP32-S3. The custom PCB only reduces the form-factor to a more dongle-y shape for convenience," Brisk4t explains. "If you don't care about the aesthetics and want to be some kind of modern caveman, an [Espressif] ESP32-S3 DevKit C or Seeed Studio XIAO [ESP32]S3 will also do just fine."