OnlyKey Not Registering Failed Pin Attempts?

I would like to understand how the OnlyKey determines if a password is incorrect, and as a result wipes data if this occurs 10 times in a row.

I have read on the Wiki that

PINs must be 7 - 10 digits long, this means with a 7 digit PIN there are 279,936 possible PIN codes and with a 10 digit PIN there are 60,466,176 possible PIN codes. After 10 failed PIN attempts the device wipes all data which makes brute forcing of the PIN impossible.

When I type an incorrect PIN code that is 10 digits I see red flashing lights from the LED. However, if the PIN code is less than 10 digits (7, 8, 9 or 10 digits) then I do not see any activity.

How does the OnlyKey wipe itself after 10 failed attempts if the pin code is less than 10 digits?

When you press the first character to start entering a PIN, that increments a counter. If you enter an incorrect PIN or remove the device once the first character of a PIN attempt has been entered, that is logged as a failed attempt.

In the Wiki I have read the following:

You will notice that after entering 3 incorrect PINs your OnlyKey is steadily blinking red.

I performed the following tests with incorrect PINs in order to get this:

Test #1
What I expect to see in this test: Steadily blinking red after failed third attempt.
Results of test: Steadily blinking red after failed third attempt.

  1. Plug in OnlyKey and
  2. Type incorrect 10 digit pin code. Result is brief blinking red.
  3. Type incorrect 10 digit pin code. Result is brief blinking red.
  4. Type incorrect 10 digit pin code. Result is steadily blinking red.

Test #2
What I expect to see in this test: Steadily blinking red after failed third attempt.
Result of test: No red flashing lights at all.

  1. Plug in OnlyKey
  2. Type incorrect 7 digit pin code.
  3. Unplug OnlyKey
  4. Plug in OnlyKey
  5. Type incorrect 7 digit pin code.
  6. Unplug OnlyKey
  7. Plug in OnlyKey
  8. Type incorrect 7 digit pin code.

Test #3
What I expect to see in this test: Steadily blinking red after failed third attempt.
Result of test: Brief blinking red after third failed attempt with 10 digits.

  1. Plug in OnlyKey
  2. Type incorrect 7 digit pin code.
  3. Unplug OnlyKey
  4. Plug in OnlyKey
  5. Type incorrect 7 digit pin code.
  6. Unplug OnlyKey
  7. Plug in OnlyKey
  8. Type incorrect 10 digit pin code. Result is brief blinking red.

From my point of view it appears that incorrect PIN inputs between 7-9 digits are not registered as failed PIN attempts.

Can you please elaborate on how the OnlyKey detects failed PIN attempts for PIN codes between 7-9 digits if my understanding is incorrect?

As mentioned in your description above you entered 9 incorrect PINs. One more incorrect PIN and your device would be wiped.

You will notice that after entering 3 incorrect PINs your OnlyKey is steadily blinking red.

This is to keep your device from being inadvertently wiped, i.e. a child keeps pressing buttons.

The tests are all independent and were done with a correctly inputted PIN between each attempt. My goal was to trigger that anti-inadvertent wipe feature so I could visually see that the device was registering incorrect PINs.

In this case, I find it odd that this anti-inadvertent wipe feature does not work when using a PIN of less than 10 digits.

If you are entering an incorrect PIN and then a correctly inputted PIN, you reset the failed login counter. It's 10 failed PIN attempts in a row to trigger a wipe.

In this case, I find it odd that this anti-inadvertent wipe feature does not work when using a PIN of less than 10 digits.

If it did then an attacker would know that your PIN is not 10 digits, the current implementation does not give an attacker any indication of the PIN length.
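A small Python model of the counter rules stated in this thread: the first digit of an attempt increments the counter, finishing a wrong full-length entry or removing the device leaves that increment in place, a correct PIN resets it, and ten consecutive failures wipe the device. This is an added illustration written for this page, not OnlyKey firmware or project code; the `PinLock` class, the PIN values and the `leak_length` switch are constructed assumptions. The steady-red warning after three failures is left out, because the thread does not settle when it appears for short entries. The `leak_length` variant exists only to show why reacting at the configured PIN length, instead of at the 10-digit maximum, would tell anyone watching the LED how long the PIN is.

```python
from dataclasses import dataclass

MAX_PIN_LEN = 10   # PINs are 7-10 digits; the device only reacts once 10 have been typed
WIPE_AT = 10       # consecutive failed attempts before the device wipes itself


@dataclass
class PinLock:
    """Model of the failed-attempt counter described in the thread (constructed, not firmware)."""
    pin: str                     # configured PIN (7-10 digits), constructed for the example
    leak_length: bool = False    # True = hypothetical variant that reacts at len(pin)
    failed: int = 0              # consecutive failed attempts; survives an unplug
    buf: str = ""                # digits of the attempt in progress
    wiped: bool = False

    def _end_failed(self) -> None:
        # An attempt ended without a correct PIN. The counter was already
        # incremented at the first keypress of this attempt, so only the
        # wipe threshold is checked here.
        self.buf = ""
        if self.failed >= WIPE_AT:
            self.wiped = True

    def press(self, digit: str) -> str:
        """Type one digit and return the feedback a user (or an observer) would see."""
        if self.wiped:
            return "wiped"
        if not self.buf:
            self.failed += 1     # first digit of an attempt: counted as failed until proven otherwise
        self.buf += digit
        if self.buf == self.pin:
            self.failed = 0      # correct PIN resets the consecutive-failure counter
            self.buf = ""
            return "unlocked"
        # The real behaviour waits for the maximum length before reacting, so a
        # short wrong entry produces nothing; the leaky variant reacts at len(pin).
        limit = len(self.pin) if self.leak_length else MAX_PIN_LEN
        if len(self.buf) < limit:
            return "none"
        self._end_failed()
        return "wiped" if self.wiped else "brief-red"

    def unplug(self) -> None:
        """Removing the device mid-entry ends the attempt; it stays counted as failed."""
        if self.buf:
            self._end_failed()

    def enter(self, digits: str) -> str:
        """Type a whole PIN and return the last feedback seen."""
        fb = "none"
        for d in digits:
            fb = self.press(d)
        return fb


def run_test2(correct="1234567"):
    """Test #2 from the thread: three wrong 7-digit PINs, unplugging after each.
    No LED activity is seen, yet the counter still reaches 3."""
    dev = PinLock(pin=correct)
    seen = []
    for _ in range(3):
        seen.append(dev.enter("9999999"))   # constructed wrong PIN
        dev.unplug()
    return seen, dev.failed


def run_wipe_sequence(correct="1234567"):
    """Nine wrong PINs, one correct PIN (counter reset), then ten wrong PINs (wipe)."""
    dev = PinLock(pin=correct)
    for _ in range(9):
        dev.enter("0000000000")
    after_nine = dev.failed
    dev.enter(correct)
    after_correct = dev.failed
    for _ in range(10):
        dev.enter("0000000000")
    return after_nine, after_correct, dev.wiped


def first_reaction_length(leak_length: bool, correct="1234567") -> int:
    """How many digits of a wrong entry an observer needs before the LED reacts.
    With the real behaviour this is always MAX_PIN_LEN, so it reveals nothing;
    in the hypothetical leaky variant it equals the configured PIN length."""
    dev = PinLock(pin=correct, leak_length=leak_length)
    for n in range(1, MAX_PIN_LEN + 1):
        if dev.press("9") != "none":
            return n
    return MAX_PIN_LEN


if __name__ == "__main__":
    print("Test #2:", run_test2())                       # (['none', 'none', 'none'], 3)
    print("wipe sequence:", run_wipe_sequence())         # (9, 0, True)
    print("reaction length, real:", first_reaction_length(False))   # 10
    print("reaction length, leaky:", first_reaction_length(True))   # 7
```

`run_test2` reproduces the observation in the thread: three short wrong entries produce no LED reaction but still leave the counter at 3, so the device is registering them. `first_reaction_length` is the point of the last reply: because the LED reacts only after the tenth digit regardless of the configured PIN, the moment of reaction carries no information about PIN length, whereas the leaky variant gives it away after exactly `len(pin)` digits.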


Yes, that is a good point. I did not think about the side channel aspect of the anti-inadvertent wipe feature.