Giving the USB armory a spin

Earlier this week I received my USB armory device, a small SBC made by the people from Inverse Path.

USB armory front and backside

The device is not much bigger than a regular USB drive, and contains a Freescale i.MX534 SoC (containing an ARM Cortex-A8), 512 MB of memory, an SD card holder and nothing more. Oh yeah, there are a couple of GPIOs exposed for interfacing extra peripherals, two of which are by default in use for the serial console. It is intended mostly as a security device, but can be used as a standalone device as well.

I ordered one with an SD card preloaded with Debian Wheezy, which meant that I could simply plug it in, wait until the (really bright!) white LED starts pulsating, and start using it right away. By default, it is configured to act as a USB Ethernet gadget, which allows you to share your host’s network connection to reach the outside world. The default Debian installation is only a bare minimum installation with only a couple of extra packages, such as Shell in a box: a web-based terminal. The device is clearly intended for people willing to invest time and effort into building their own products based on the USB armory. On the official wiki a couple of ideas are listed, from Tor-router to password manager to pentest device. I’ve not decided yet what exactly I’d like to do with my version, but a couple of things I’d like to investigate/play with are:

  • the i.MX534 contains an integrated crypto-processor (SAHARA v4) which could be used to create a small HSM-like device, like the YubiKey;
  • using the USB armory to securely unlock user accounts on my other machines;
  • exploring the secure boot functionalities to get a hardened/“tamper proof” device, for example for an encrypted thumbdrive.

Before doing all that, I started simple by making my own mini Debian-based distribution with a home-grown kernel. Based on the original description on the USB armory wiki, I’ve created a couple of scripts that allow me to create a filesystem image quickly. One of the first things was upgrading to the upcoming and nearly finalised Debian Jessie distribution. Jessie will be the first version in which SysV init-style scripts are completely replaced by systemd, which meant I needed to do a couple of trial-and-error rounds before getting everything up and running: basically, I needed to install dbus, attr and libnss-myhostname and compile a Linux kernel with sufficient support for systemd. Another gotcha was that systemd no longer supports the old and deprecated way of module loading in Linux, by adding the module and its options in /etc/modules: you need to define the module options in /etc/modprobe.d/module.conf. In these situations, it was really helpful to have my trustworthy BusPirate acting as serial bridge!
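
The module-options change described above, as an added example (not code from the original post or from the USB armory wiki): a shell function that splits an old-style modules file into a names-only list and one `options` file per module for /etc/modprobe.d. The `g_ether` and `ledtrig_heartbeat` lines, the parameter values and the output directory layout are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: migrate "name opt=val ..." lines from an old-style
# /etc/modules into
#   <out>/modules                 module names only (still loaded at boot)
#   <out>/modprobe.d/<name>.conf  "options <name> opt=val ..."
# Review the result before copying it into /etc.

split_modules() {
    src=$1
    out=$2
    mkdir -p "$out/modprobe.d" || return 1
    : > "$out/modules"
    # "rest" receives everything after the first word of each line;
    # the "|| [ -n ... ]" part handles a last line without a newline.
    while read -r name rest || [ -n "$name" ]; do
        case $name in
            ''|'#'*) continue ;;    # blank line or comment
            */*|.*)                 # name would escape the output dir
                echo "skipping suspicious module name: $name" >&2
                continue ;;
        esac
        printf '%s\n' "$name" >> "$out/modules"
        if [ -n "$rest" ]; then
            printf 'options %s %s\n' "$name" "$rest" \
                > "$out/modprobe.d/$name.conf"
        fi
    done < "$src"
}

# Constructed sample input: module lines and values are made up.
# Prints the directory that holds the converted files.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        '# /etc/modules (old style)' \
        'ledtrig_heartbeat' \
        'g_ether use_eem=0 dev_addr=02:00:00:00:00:01' \
        > "$tmp/modules.old"
    split_modules "$tmp/modules.old" "$tmp/out" && echo "$tmp/out"
}
```

Calling `demo` prints a temporary directory containing `modules` and `modprobe.d/g_ether.conf`; a module without options gets no file under `modprobe.d`.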
