Crowdfunding a USB-stick-sized, GNU/Linux-ready computer

A reader writes, "The USB Armory is a full-blown computer (800MHz ARM® processor, 512MB RAM) in a tiny form factor (65mm x 19mm x 6mm USB stick) designed from the ground up with information security applications in mind."

"Not only does the USB Armory have native support for many Linux distributions, it also has a completely open hardware design and a breakout prototyping header, making it a great platform on which to build other hardware."

The project wants $130 per stick, and makes some very exciting claims about security and openness; I asked Bruce Schneier whether he thought this passed the giggle-test and he said, "I don't know if it's any good, but more transparency is definitely good."

Which is a good way of thinking about stuff like this: it may not be secure, but if it isn't, you can find out by auditing it yourself, or taking the word of someone you trust who's done an audit, rather than having to take the project founders' word for it.

The following example security application ideas illustrate the flexibility of the USB Armory concept:

* mass storage device with advanced features such as automatic encryption, virus scanning, host authentication and data self-destruct
* OpenSSH client and agent for untrusted hosts (e.g. Internet kiosks)
* router for end-to-end VPN tunnelling
* Tor bridge [see this, for example]
* password manager with integrated web server
* electronic wallet [the Electrum Bitcoin wallet works out of the box on the USB Armory. It has been tested with X11 forwarding from Linux as well as Windows hosts.]
* authentication token
* portable penetration testing platform
* low level USB security testing

USB Armory: Open Source USB Stick Computer

Notable Replies

  1. How am I supposed to watch porn on that thing?

  2. Stream to another device? Connect via X11 or VNC (and sacrifice the resolution/framerate)? Many possibilities within the bandwidth limit of the USB 2.0 interface. Easier with static pictures and text, though.

    Maybe USB display.

    The number of GPIOs is atrociously low. Otherwise it looks rather good.

    The i.MX53 has one USB OTG port and three USB hosts. It would be good if at least one or two were available on some sort of header.

    It also has a choice of video outputs and a camera input. A display port could allow using it as a secure module. With e.g. a touchscreen it would allow e.g. PIN unlock. It has a keypad port, too.

    It has I2S ports (if available, the unit could be used as a secure phone, but the same can be done with a USB headset, but that needs a port).

    The built-in security accelerators are interesting. With two USB ports it could act as a nice e.g. internet connection proxy.

    That said, it's a pretty good beginning and the chip's features are promising new features in further versions. Also, to look at the unused potential from the other side, kudos for resisting the temptation of feature creep.

    ...but at least two more USBs would be nice...

    ...also, for a security platform, a roadmap towards some tamper-resistant or at least tamper-evident design would be nice too...

  3. Feature creep is definitely to be avoided; but the one thing that gives me a case of skepticism-eyebrow strain about some of the potential features foregone is that this is supposed to be a 'security' device.

    Yes, with a dash of the right software, you can do all sorts of crazy things across just the USB connection between the host system and this module; but a great many of them require trusting the host system if they are to be of actual use.

    USB2 is more than fast enough to treat the host system as little more than a thin client; but it's still a thin client running more than enough untrusted software to sniff and report absolutely everything coming in or out of the USB device, which might be a problem.

    It just seems rather overpowered and vaguely focused if you want a smartcard/SIM style device for securely generating and storing cryptographic materials and performing a few low-bandwidth operations for signing, challenge/response, and the like; but too dependent on the host system to implement much more than that without putting some (quite possibly misplaced) trust in a variety of interfaces provided by host software (that may or may not end up existing in usable shape).

    I certainly admit that I may be succumbing to pessimism for want of creativity; but it just seems to fall into a slightly confused gap between several categories of device, jack of all trades, master of none.

    It's too punchy and expensive (in cash and power) to fulfill the basic secure token job, it's too dependent and I/O constrained to do a fair number of potentially useful things without trusting the host it is connected to to some degree, and for low-level-doing-really-mean-things-to-USB purposes, you want something like a facedancer, which allows you to use a full computer to load and control the malice for power and convenience, or (once the malice is finalized) something disposably cheap and not at all suspicious looking, probably based on a reflashed commercial USB device.

    I guess I'm just not certain where this one is supposed to fit.

  4. Hello,

    The device is not primarily meant to be used for its GPIOs, we broke them out because we could painlessly do it without affecting its form factor and to provide UART, SPI, I2C and the possibility of interfacing. But its security purpose, rather than DIY maker culture, meant that we intentionally didn't overdo it in this area (there are far more powerful and cheaper options for such specific applications anyway).

    Breaking out a USB host would have meant risking shutting down the whole port if the USB device drew more power, also it didn't fit one of our primary usage goals. Maybe future versions might expand on this, but certainly not the first one.

    The device can act as an internet connection proxy without a separate USB host port or connection, we already use it as a Tor/OpenVPN router and anyway you can securely run your clients on the device itself (using the USB host just for I/O) as it is powerful enough. Its lack of other interfaces is intentional.

    The trust that you need to put on the USB host can be severely minimized depending on the application. Of course at the end of the day in most cases the USB host will be used for I/O but at least private key material (VPN certs, SSH keys, BitCoin private keys, etc) can be safely stored (and used) on the USB armory without compromising it to the USB host.

    For instance when using it as encrypted storage you assume that the unencrypted file is coming from an external source anyway, so by transferring the file from the host to USB armory for encryption the security of the whole process remains the same.

    Same thing goes with VPN/Tor etc.

    The pin header would also allow trivial connection to an alphanumeric PIN pad, we might just build an open source one so that passwords/PINs can be input externally. This is quite feasible.

    We carefully considered not over-engineering the device, keeping it minimal, simple, open but flexible enough. To me (of course I am biased here since I am one of the designers) the price of the device justifies Tor/OpenVPN, password manager, SSH proxy, BitCoin wallet functionalities on their own and these are perfectly accomplished by the device.

    You mentioned the Facedancer, we use it and we love it. It is a fantastic board. However it currently sells for 125 USD on int3.cc and if you want to assemble it on your own in very low quantities it would still cost 90 USD. For 130 USD the USB armory accomplishes the same tasks and so much more. So I think the price is actually fair.

  5. BGAs are annoying for hand soldering but a great form factor for mass production actually.

    Regarding my connection remark, you can route through the USB armory via VPN (host routes VPN server address, default gateway is USB armory) or Tor (host routes selectively as illustrated at https://github.com/inversepath/usbarmory/wiki/Applications). This means using the host as gateway for the USB armory.

    Your concern is that the Net connection of the host computer is compromised. This can happen in several ways.

    If you mean that someone intercepts the network connection from the host computer to the Internet this is not a concern if you route a VPN (or whatever encrypted tunnel) from the USB armory, as outgoing traffic from your host (which is routed through USB armory first) will be encrypted. Here USB armory is merely piggybacking on the host connection.

    If you mean that the host computer is internally compromised and the fear is that someone can bypass the routing rules that force connection through USB armory... well at that point it's game over anyway isn't it? Your laptop would in 99.9% of the cases have a wifi adapter anyway, so a compromise can in any case (even if USB armory would have its own connection) do exfiltration.

    This is said just for the network part.

    Concerning the input you are right, if you are 100% paranoid and you care about protecting everything (not only passphrases but also the text) then yes, means of external input to USB armory would help mitigate that.

    But as I said not only does the pin header provide enough connectivity for that at this point (UART/GPIOs) but per your (and a few others') feedback we are also evaluating our options for either a self-sufficient docking station for USB armory, or a module that can bridge a USB keyboard on the existing pin header. We shall see.

    We also already have the idea of using mass storage emulation to boot the host PC with a thin client for the USB armory itself (that can later change roles on the USB emulation), this is also a good way of re-using the host hardware while not trusting its software.
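The host/armory routing split described in reply 5 (host keeps only the VPN server on its real uplink, default gateway becomes the armory, armory routes back through the host), as an added example that is not part of the post or the project's own documentation. It is a dry run that prints the commands rather than applying them, and the addresses, interface names and VPN server are assumed values.

```shell
#!/bin/sh
# Added example, not from the post or the project. Dry run: prints the route
# and firewall commands for both ends of the USB link so the ordering can be
# reviewed before they are applied. Addresses and interface names are assumed.
HOST_USB_IP=10.0.0.2      # host end of the USB ethernet link
ARMORY_IP=10.0.0.1        # armory end (usb0 on both sides)
UPLINK_GW=192.168.1.1     # host's real gateway on its wifi uplink
UPLINK_IF=wlan0
VPN_SERVER=203.0.113.10   # documentation address standing in for the VPN server

# Host: pin the VPN server to the real uplink BEFORE moving the default route
# to the armory, otherwise the tunnel's own packets would be sent into the
# armory, which hands them straight back to the host, and nothing connects.
# The host also forwards and masquerades the armory's traffic (piggybacking).
host_setup() {
    printf '%s\n' \
        "ip route add $VPN_SERVER/32 via $UPLINK_GW dev $UPLINK_IF" \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -A POSTROUTING -s $ARMORY_IP -o $UPLINK_IF -j MASQUERADE" \
        "ip route replace default via $ARMORY_IP"
}

# Armory: default route back through the host, forward host traffic into the
# tunnel and masquerade it behind the tun address.
armory_setup() {
    printf '%s\n' \
        "ip route replace default via $HOST_USB_IP" \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE" \
        "iptables -A FORWARD -i usb0 -o tun0 -j ACCEPT" \
        "iptables -A FORWARD -i tun0 -o usb0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Leak check for the host table: once set up, the only route that may still go
# via the real gateway is the pinned VPN server. Takes the output of `ip route`
# (one "dst via gw dev if" line each) and returns 0 if that holds, 1 otherwise.
check_host_table() {
    printf '%s\n' "$1" | awk -v gw="$UPLINK_GW" -v vpn="$VPN_SERVER" '
        $2 == "via" && $3 == gw && $1 != vpn { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

echo "# host side"
host_setup
echo "# armory side"
armory_setup
```

Run `check_host_table "$(ip route)"` on the host after setup; a non-zero exit means some destination still bypasses the armory via the real gateway.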
