Inverse Path USB armory: Secure computer on a stick

usb-armory-review.jpg
  • Editors' rating
    Not yet rated

Pros

  • Full computer on a USB stick
  • Provides a separate, portable operating system
  • Enterprise: Secure portable thin client environment
  • Most attacks to steal crypto keys / sensitive data won't work
  • Encrypted storage for general users
  • Open hardware/software; active community

Cons

  • Consumer level features aren't available yet
  • Requires technical acumen (currently in Alpha)
  • Extremely bright flashing LED
  • Attack surface is tight, but not airtight
  • Limited out-of-the-box uses
  • App development is mostly in 'idea' stage

The Inverse Path USB armory ($130) is a little USB stick with an entire computer onboard (800MHz ARM processor, 512MB RAM), designed to be a portable platform for personal security applications.

Crowdfunded in January 2015, it received double its fundraising goal from security professionals and enthusiasts hoping the device would live up to its pre-launch aspirations to be "the Swiss Army Knife of security devices." It released shortly afterward, and was quickly considered the 'real deal' in opposition to the market rush of crowdfunding campaigns for dubious and fraudulent security devices hurrying to cash in on consumer hunger for a security-in-a-box solution.

This week, Black Hat accepted Inverse Path's USB armory talk for the conference's 2015 briefings, raising the device's profile even higher.

Inverse Path's Andrea Barisani reached out to me in April, to say that the armory was almost ready for the first release of its INTERLOCK application, the first USB armory app, for file system encryption.

Barisani explained, "The application allows to use the USB armory for storing, encrypting/decrypting files with either OpenPGP or symmetric AES cipher executed directly on the USB device." He added,

Advanced capabilities such as disposable passwords further enhance the use of the USB armory for private and confidential open source encryption in a compact and portable device.

As far as we know this is the first and only device that enables such functionality with 100% open hardware and open source software in such a compact form factor.

Inverse Path then sent me one USB armory, with a pre-imaged microSD card with the INTERLOCK application, for review.

First Impressions

Top ZDNET Reviews

In truth, I wasn't the first in my house to engage with the USB armory. The first one to try out the device was my 5-month-old kitten, who stole the device off my desk in the night and tested it as a cat toy.

I found the armory with little chew marks and scratches from being batted around on hardwood floors. Stealing my armory became a fascination for the kitten, a worry with its exposed board.

usb-armory-kitten.jpg

Later, I was pleased to discover that despite it not having an enclosure, the device showed no adverse affects of Max's untoward, though no doubt well-intentioned, affections. The enclosures are now available.

For future enterprise users, once the right web apps are written, the USB armory can be a portable thin client environment.

My very first impression of the USB armory, after wrangling it for longer than I'll ever admit just to get it open, is that it's not yet ready for "normal" people -- and this is disappointing for consumers who need plug-and-play security solutions (such as those listed here under "example security application ideas").

If and when these things do happen with the USB armory (and for me, this can't happen fast enough), this device will change the security landscape as we know it, forever, and in ways that could rock the current manipulations of corporations and governments alike to their very foundations. And I mean that in the best way possible for the empowered netizen, one who wants to personally protect and control their personal digital privacy and security -- carrying their data and apps around with them on a secure stick.

In its current state, it's pretty dreamy for most hackers and infosec pros (it's especially sexy for pentesters), but right now it's too deep for non-technical people. It's not "Tor in a box" -- though it's set to absolutely be way, way more than that.

Its new INTERLOCK app makes it great for easy file encryption and general encrypted file storage, and I found out that it'll be out of Beta soon.

At Black Hat USA 2015 (August 1-6), Barisani told me that when he gives his talk, "Forging The USB Armory," Inverse Path will publish the first official INTERLOCK release.

Barisani added that their next project set includes, "Textsecure/Signal protocol integration, so that the device can also be used for encrypted communication as well."

USB Armory Documentation

Specifications

USB armory hardware design uses the Freescale i.MX53 processor, supporting secure boot and ARM TrustZone.

The USB armory hardware is supported by standard software environments; it runs vanilla Linux kernels and standard distributions.

  • Freescale i.MX53 ARM Cortex-A8 800Mhz, 512MB DDR3 RAM
  • USB host powered (<500 mA) device with compact form factor (65 x 19 x 6 mm)
  • ARM® TrustZone, secure boot + storage + RAM
  • microSD card slot5-pin breakout header with GPIOs and UART
  • customizable LED, including secure mode detection
  • excellent native support (Android, Debian, Ubuntu, Arch Linux)
  • USB device emulation (CDC Ethernet, mass storage, HID, etc.)
  • Open Hardware and Software

Digging In

As I mentioned, the USB armory is a full computer on a wee tiny USB stick. This means that when you plug the armory into a powered USB port running any operating system, the chip on the armory will boot and run the operating system written to the SD card plugged into the SD card slot.

It provides a separate operating system (and can be a different OS) from the one on your desktop, laptop, or server.

Special Feature

Why business leaders must be security leaders

Why do many boards leave IT security primarily to security technicians, and why can’t techies convince their boards to spend scarce cash on protecting stakeholder information? We offer guidance on how to close the IT security governance gap.

Read More

This is useful if you want to segregate duties and provide separate (more secure) environments for development, or in many cases, services of different security levels.

Built-in proxies can be run separate from the main operating system to make sure when connecting to the internet you can limit what information is shared about you (though this requires technical setup at this time).

The USB armory I received had an early version of INTERLOCK on board, an encrypted storage and app system viewed by web browser over an SSL connection with a locally encrypted (SSL) certificate.

This limits many (but not all) types of attacks between the user's computer and the armory.

All you need is a standard browser to use INTERLOCK; users don't have to worry if it's a Mac, Linux or Windows OS -- the USB protocol is standard.

A regular user (one who's not technically competent) can plug the armory into a USB port on their computer, and navigate to this web address: https://10.0.0.1:4430 to the log-in page. After logging in, users see a dashboard reminiscent of Google Drive in its very early days.

On the INTERLOCK page, users can upload files (up to the size max on their SD card), and these files are encrypted upon upload. Users can also zip or unzip files, or encrypt or decrypt files further.

Because of the segregation of hardware and operating system (to a specific degree), many types of attacks to steal crypto keys and sensitive data will not work. An attacker could, if designed right, have a very limited attack surface here.

Keylogging on whatever current keyboard you're plugged into could still happen: Your password can be captured, but the separate (very long) keys stored on the armory won't be copied; an attacker still has to get them from the device, meaning that even with keylogging, Armory communications are still secure.

Although the software is in Beta state, the USB armory is relatively easy to use and shows great promise -- especially when web app development gets going within the armory's already enthusiastic communities.

Because it's a complete operating system under the hood, anyone can write a web-based application and run it directly on the USB armory -- and not connect to the internet, or only do so to gain access to services you use.

For instance, easily within reach would be an out-of-the-box PGP email experience that would allow users to manage encrypted messages over email with simple to follow dialogue boxes (for, say, our wonderfully paranoid friends who don't want to store their encryption keys on a laptop, and keep it on a separate piece of hardware).

For future enterprise users, once the right web apps are written, the USB armory can be a portable thin client environment. So if something happens to an employee's laptop on a trip, they'd just plug the armory stick into a new laptop or kiosk. and they'd have their entire work environment right there, secure and ready to go.

As it's a full computer, users can install a LAMP stack and WordPress on the device, and do all your web testing without ever having to run your server on the internet.

The armory could also double as a cold storage Bitcoin wallet. The possibilities here are really remarkable.

Top ZDNET Reviews

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All