Google levels up security at I/O with secure comms tool, better authentication

Project Vault secure MicroSD card, Project Abacus password replacement and other tech to improve users' security

Project Vault hardware

Google targeted people's growing digital insecurity at its I/O developer conference this week with a number of new products that aim to protect communications and improve authentication.

Project Vault is a new hardware device created by Google's Advanced Technology and Products (ATAP) lab for people who need the absolute highest security for their communications. The device, which is packaged in the form factor of a MicroSD card, is designed to encrypt sensitive data at rest and to provide end-to-end protection of streaming data, including streaming video. The Vault card contains its own antenna, processor and operating system, which means that the device can authenticate directly with the Project Vault servers without requiring the use of other potentially insecure hardware.

The Vault hardware runs a special operating system called ARTOS that's focused on security. The chip comes with a bunch of cryptographic goodies built in, including support for signing, hashing and a hardware random number generator. Peiter ".mudge" Zatko, the leader of Project Vault, showed off an encrypted chat session between two Vault users on Friday.

Both users were able to see what the other was saying in plain text, but the server running the chat session between the two wasn't able to decode their conversation. Project Vault handled all the setup, and not even the users were able to see the private keys used to generate the encrypted session.

Like the rest of ATAP's projects, it's not clear if or when Vault will be making its appearance as a consumer product. Right now, the device is being used in a small 500-unit pilot program inside Google for security purposes, and ATAP is building a product for enterprise users. At a time when more people are concerned about the security of their information and communications, the need for something like Vault is readily apparent.

Starting with the launch of Android M in the third quarter of this year, developers and manufacturers will be able to take advantage of system-level support for fingerprint sensors for things like unlocking phones, securing applications and making payments with the new Android Pay technology. It's a move that should make it easier for Android devices to sport the same sort of technology that powers Apple's Touch ID on the iPhone. Some Android device makers like Samsung have already begun using fingerprint sensors, but the new features in M will make it easier for developers to work with that hardware.

The company's ATAP lab has also been working on a pair of initiatives aimed at improving security in the long term. The first, called Project Abacus, is designed to do away with a reliance on passwords by using a variety of factors to determine whether a user is who they say they are.

A login screen using Abacus demonstrated in a video shown at I/O measured and scored a variety of factors, including a user's location, face, voice, typing pattern, connected Bluetooth devices and password. If those scores met an acceptable threshold, the phone could be programmed to unlock for the right person, but when someone else tried to log in, they would be rejected.

Abacus is a step above fingerprint detection and other biometric security measures, since it doesn't just rely on one method of authentication that could be spoofed. According to ATAP head Regina Dugan, Abacus is 10 times as secure as a fingerprint.

Google also unveiled a new Identity Platform on Thursday that will allow developers to automatically retrieve passwords stored with Google's Smart Lock password locker on Android and Chrome to instantly authenticate with websites and apps. It's a move that should make it easier for people to use complex passwords, since they won't have to worry about typing them out or having to find, copy and paste them when it comes time to log into a service.

Google's security plans may be complicated by the current political climate. Law enforcement agencies around the world have been pushing for laws that require tech companies to build back doors giving them access to encrypted communication products. David Cameron, who recently won re-election as the prime minister of Great Britain, has said that his government would push for such laws.
