“Where’s Andrea?” That was the question on the lips of attendees at this week’s No Such Con security conference.
They were looking for Andrea Barisani, Chief Security Engineer of Italian security consultancy Inverse Path, and more precisely the prototype USB security device he was carrying.
“http://inversepath.com/usbarmory.html”>USB Armory” looks like a fat USB memory stick, but it contains security features enabling it to act as a self-encrypting data store, a Tor router, a password locker and many other things.
Barisani arrived in Paris with five of the thumb-sized circuit boards but said he expects to go home to Trieste empty-handed, as interest in the USB Armory has been so high here. Each board contains a socket for a microSD card, an i.MX53 processor from Freescale Semiconductor, half a gigabyte of memory, and a row of gold-plated contacts in the form of a USB connector.
The miniature computer is about as powerful as the now-ubiquitous Raspberry Pi, he said. However, it has no connections for a screen, keyboard or power supply: just the bare minimum of processor, memory and storage. It relies on a host PC to provide power and communications through the USB connector, and loads its operating system from a microSD card. “We use Debian or Ubuntu by default,” Barisani said.
The key to the device’s power—and what sets it apart from the many other USB stick computers out there—is the choice of processor: the i.MX53 includes ARM’s TrustZone trusted execution environment.
“It has a number of security properties, including secure boot,” Barisani said.
The processor also has a trusted store for encryption keys, making it possible to turn USB Armory into a self-encrypting USB stick that can wipe the encryption keys if plugged into an unauthorized computer. The encrypted memory needn’t appear as a local disk drive: “We can emulate a network device over the USB connection so we can communicate with it like any network drive,” he said.
That network emulation has other security applications too, including providing secure access to remote computers over SSH or a VPN—even from untrusted machines—or allowing anonymous browsing over Tor without the need to install a Tor client on the PC.
“If I’m using an Internet kiosk I don’t trust, I can’t SSH into my system at home because I don’t trust it with my password, and I don’t have any keys on it. But I can plug this in and connect to it with a one-time password, and then SSH home from it using the stored key,” explained Barisani.
Using the USB Armory as a Tor or VPN client involves routing traffic to the device. “It’s pretty easy on Linux or Windows,” he said.
Two such devices could be paired by exchanging encryption keys between them. Then their two owners would be able to encrypt and exchange files. “We could be communicating securely in a drag-and-drop way,” he said.
“The idea is to provide a secure platform for personal security applications,” he said. “Hopefully people will want to build apps on this in the same way they do for Arduino, Raspberry Pi and so on,” he said.
While five lucky attendees of No Such Con will be heading home with a prototype USB Armory to play with, the rest of us will have to wait. Barisani expects to receive samples of the release candidate in two to three weeks, and Inverse Path will soon be taking pre-orders for the initial production run of a thousand or more, with delivery planned around the end of this year.
The notion of a secure USB device seems somehow incongruous in the light of the revelations at the BlackHat 2014 conference in July. There, Karsten Nohl of SR Labs demonstrated ”BadUSB,” a technique for reprogramming certain USB controller chips so they could infect PCs with malware. In early October other researchers released code that can replicate the BadUSB attack. Since then many USB devices have become suspect, as traditional security software running on host PCs cannot detect the attack, and there is no simple way to identify which devices may be vulnerable or untrustworthy.
Yet although USB Armory can be programmed to emulate all sorts of USB peripherals in software, it’s invulnerable to the BadUSB attack, Barisani said. That’s because once its OS and applications have been cryptographically signed, the processor’s secure boot function can reject modified or unsigned code. With great power comes great responsibility, however: USB Armory’s flexibility means it could be programmed to perform BadUSB attacks itself, or any number of other nefarious functions useful to white-hat pen testers and black-hat hackers alike.
Another key way in which USB Armory differs from vulnerable USB devices is in the supply chain bringing it to end users. What makes BadUSB such a threat is that its hard to tell what controller chip a USB device contains, or where the components came from, so you never know whether to trust a given USB device. Barisani, though, intends to be transparent about USB Armory’s components: Inverse Path is offering the design as “open hardware,” so if you don’t trust the company’s manufacturer, you can build a one for yourself using components from sources you do trust. The prototype USB Armory design files are on Github, and Inverse Path plans to post files for the production version as soon as it’s ready for manufacturing.