Bluetooth-Enabled 'Mooltipass' Hardware Password Manager Unveiled

The creators of the Mooltipass hardware password manager have unveiled the Mooltipass Mini BLE, a Bluetooth-enabled version of the device that includes many new and useful features.

Back in 2016, SecurityWeek reviewed the second generation of the Mooltipass open source hardware password manager, the Mooltipass Mini. That version of the product can be connected to a computer using a USB cable.

Like its predecessor, the Mooltipass Mini BLE can be connected via a USB cable, but it can also be connected wirelessly using Bluetooth Low Energy technology. Similar to older versions, the device’s OLED screen and clickable scroll wheel allow users to control and configure the device.

When connected to a computer, the Mooltipass Mini BLE can automatically log users into the device’s operating system or their online services via the Chrome, Firefox and Opera browser extensions. It can be used to enter credentials on any device, including phones and tablets, by behaving like a keyboard that simply types the passwords stored in its memory into the active window.

Mooltipass Mini BLE also supports the WebAuthn passwordless authentication standard developed by the FIDO Alliance and W3C.

Users can store their passwords on the device, along with small files and notes, and all of this data is protected by an AES-256 encryption key that is stored on a smartcard. In enterprise environments, multiple users can utilize the same Mooltipass device, with each user plugging in their individual smartcard to access their own passwords and data.

A 4-digit PIN is used for authentication and the card is designed to self-destruct if the PIN is incorrectly entered four times. However, users can create backups of their smartcard to prevent the permanent loss of their data in case something happens to one of the cards.

Stephan Electronics, the Switzerland-based company behind the Mooltipass, has pointed out that the newest password manager uses a dual-microcontroller architecture, with one processor in charge of communications and one handling security features.

The Mooltipass Mini BLE has two modes: easy and advanced. The advanced mode allows users to customize security preferences and it includes some more advanced features, such as storing credentials under different categories.

For managing the device from a computer, the developers of the Mooltipass provide Moolticute, a piece of software that can be used for web browser integrations; importing, exporting and synchronizing credentials; customizing the device; saving and retrieving files from the device; adding, deleting and modifying credentials; and updating the device firmware.

In terms of physical security, the Mooltipass Mini BLE has an aluminum case that is designed to prevent stealthy physical tampering — Stephan Electronics says it’s not possible to open the case without deforming it.

Stephan Electronics has launched a Kickstarter campaign to help fund the Mooltipass Mini BLE. With 26 days to go, the project has already raised over $80,000 of the $108,000 goal. Most of the money will be used to manufacture the devices, while the rest is needed for taxes and fees, and for shipping orders.

Mathieu Stephan, founder of Stephan Electronics, told SecurityWeek that they sold roughly 10,000 units of the previous Mooltipass devices. Stephan says they have not actively sought investment for the project outside of Kickstarter, as this method, in addition to helping raise funds, also helps “raise awareness.” He estimates that the device will cost $109.

In the future, the company plans on adding a one-time password (OTP) feature, along with password wallet service integration with Android and iOS to allow direct credential input on mobile devices.

It’s worth noting that since it’s open source, anyone can contribute to the project.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.