USB Armory is the Swiss army knife of security devices

A USB-stick computer built around a processor with strong security capabilities

Inverse Path's USB armory is a secure computer squeezed onto a USB device


"Where's Andrea?" That was the question on the lips of attendees at this week's No Such Con security conference.

They were looking for Andrea Barisani, Chief Security Engineer of Italian security consultancy Inverse Path, and more precisely the prototype USB security device he was carrying.

USB Armory looks like a fat USB memory stick, but it contains security features enabling it to act as a self-encrypting data store, a Tor router, a password locker and many other things.

Barisani arrived in Paris with five of the thumb-sized circuit boards but said he expects to go home to Trieste empty-handed, as interest in the USB Armory has been so high here. Each board contains a socket for a microSD card, an i.MX53 processor from Freescale Semiconductor, half a gigabyte of memory, and a row of gold-plated contacts in the form of a USB connector.

The miniature computer is about as powerful as the now-ubiquitous Raspberry Pi, he said. However, it has no connections for a screen, keyboard or power supply: just the bare minimum of processor, memory and storage. It relies on a host PC to provide power and communications through the USB connector, and loads its operating system from a microSD card. "We use Debian or Ubuntu by default," Barisani said.

The key to the device's power -- and what sets it apart from the many other USB stick computers out there -- is the choice of processor: the i.MX53 includes ARM's TrustZone trusted execution environment.

"It has a number of security properties, including secure boot," Barisani said.

The processor also has a trusted store for encryption keys, making it possible to turn USB Armory into a self-encrypting USB stick that can wipe the encryption keys if plugged into an unauthorized computer. The encrypted memory needn't appear as a local disk drive: "We can emulate a network device over the USB connection so we can communicate with it like any network drive," he said.

That network emulation has other security applications too, including providing secure access to remote computers over SSH or a VPN -- even from untrusted machines -- or allowing anonymous browsing over Tor without the need to install a Tor client on the PC.

"If I'm using an Internet kiosk I don't trust, I can't SSH into my system at home because I don't trust it with my password, and I don't have any keys on it. But I can plug this in and connect to it with a one-time password, and then SSH home from it using the stored key," explained Barisani.

Using the USB Armory as a Tor or VPN client involves routing traffic to the device. "It's pretty easy on Linux or Windows," he said.

Two such devices could be paired by exchanging encryption keys between them. Then their two owners would be able to encrypt and exchange files. "We could be communicating securely in a drag-and-drop way," he said.

"The idea is to provide a secure platform for personal security applications," he said. "Hopefully people will want to build apps on this in the same way they do for Arduino, Raspberry Pi and so on," he said.

While five lucky attendees of No Such Con will be heading home with a prototype USB Armory to play with, the rest of us will have to wait. Barisani expects to receive samples of the release candidate in two to three weeks, and Inverse Path will soon be taking pre-orders for the initial production run of a thousand or more, with delivery planned around the end of this year.

The notion of a secure USB device seems somehow incongruous in the light of the revelations at the BlackHat 2014 conference in July. There, Karsten Nohl of SR Labs demonstrated "BadUSB," a technique for reprogramming certain USB controller chips so they could infect PCs with malware. In early October other researchers released code that can replicate the BadUSB attack. Since then many USB devices have become suspect, as traditional security software running on host PCs cannot detect the attack, and there is no simple way to identify which devices may be vulnerable or untrustworthy.

Yet although USB Armory can be programmed to emulate all sorts of USB peripherals in software, it's invulnerable to the BadUSB attack, Barisani said. That's because once its OS and applications have been cryptographically signed, the processor's secure boot function can reject modified or unsigned code. With great power comes great responsibility, however: USB Armory's flexibility means it could be programmed to perform BadUSB attacks itself, or any number of other nefarious functions useful to white-hat pen testers and black-hat hackers alike.

Another key way in which USB Armory differs from vulnerable USB devices is in the supply chain bringing it to end users. What makes BadUSB such a threat is that it's hard to tell what controller chip a USB device contains, or where the components came from, so you never know whether to trust a given USB device. Barisani, though, intends to be transparent about USB Armory's components: Inverse Path is offering the design as "open hardware," so if you don't trust the company's manufacturer, you can build one for yourself using components from sources you do trust. The prototype USB Armory design files are on GitHub, and Inverse Path plans to post files for the production version as soon as it's ready for manufacturing.

Peter Sayer covers general technology breaking news for IDG News Service, with a special interest in open source software and related European intellectual property legislation. Send comments and news tips to Peter at
