It doesn’t matter how many bits your password has, how proven your encryption is, or how many TrueCrypt volumes are on your computer. If someone wants data off your device, they can get it if they have physical access to your device. This is the ‘evil maid’ security scenario, named after hotel maids on the payroll of a three-letter agency. If someone has physical access to a laptop – even for an hour or two – the data on that laptop can be considered compromised. Until now, there has been no counter to this Evil Maid scenario, and for good reason. Preventing access to data even when it is in the possession of an Evil Maid is a very, very hard problem.
Today, Design Shift has released ORWL (as in George Orwell), the first computer designed with physical security in mind. This tiny disc of a computer is designed to defeat an Evil Maid through some very clever engineering on top of encryption tools we already use.
At its heart, ORWL is a relatively basic PC. The CPU is an Intel Skylake, graphics are integrated Intel 515 with 4K support over a micro HDMI connection, RAM is either 4 or 8GB, storage is a 120 or 480GB SSD with AES 256-bit encryption, and wireless is Bluetooth 4.1 and 802.11 a/b/g/n/AC. Power is delivered through one of the two USB 3.0 Type C connectors. The specs are sufficient, but are in no way the major selling point of this computer.
The reason ORWL exists is to be a physically secure computer, and this is where the fun happens. ORWL’s entire motherboard is surrounded by an ‘active secure mesh’ – an enclosure wrapped with electronic traces monitored by the MAX32550 DeepCover Secure Cortex-M3 microcontroller. If this microcontroller detects a break in this mesh, the SSD auto-encrypts, the CPU shuts down, and all data is lost. Even turning on the computer requires a secure key with NFC and Bluetooth LE. If ORWL is moved, or inertial sensors are tripped when the key is away, the secure MCU locks down the system. Of course, this microcontroller is powered by a small internal battery. If nothing else, the (eventual, but hopefully not soon) exploit that will open ORWL’s data up without the security key will be very, very cool.
We first heard of ORWL a few months ago from Black Hat Europe. Now this secure computer is up on Crowdsupply, with an ORWL available for $700, delivered later this year. The comments for our first post on this computer were unusually entertaining, beginning with the obvious question of why this was designed for Windows 10, and continuing to YAG lasers and cat’s whisker JTAG debuggers.
It’s irresponsible to claim ORWL will never be compromised. There are ways around every type of security, even if that method is a rubber hose and a pipe wrench. The question ORWL presents is if a computer designed with physical security in mind can be a success in both the market place and against an Evil Maid. That’s a question we can’t wait to see answered.