Two such devices could be paired by exchanging encryption keys between them. Then their two owners would be able to encrypt and exchange files. "We could be communicating securely in a drag-and-drop way," he said.
"The idea is to provide a secure platform for personal security applications," he said. "Hopefully people will want to build apps on this in the same way they do for Arduino, Raspberry Pi and so on."
While five lucky attendees of No Such Con will be heading home with a prototype USB Armory to play with, the rest of us will have to wait. Barisani expects to receive samples of the release candidate in two to three weeks, and Inverse Path will soon be taking pre-orders for the initial production run of a thousand or more, with delivery planned around the end of this year.
The notion of a secure USB device seems somehow incongruous in the light of the revelations at the Black Hat 2014 conference in July. There, Karsten Nohl of SR Labs demonstrated "BadUSB," a technique for reprogramming certain USB controller chips so they could infect PCs with malware. In early October other researchers released code that can replicate the BadUSB attack. Since then many USB devices have become suspect, as traditional security software running on host PCs cannot detect the attack, and there is no simple way to identify which devices may be vulnerable or untrustworthy.
Yet although USB Armory can be programmed to emulate all sorts of USB peripherals in software, it's invulnerable to the BadUSB attack, Barisani said. That's because once its OS and applications have been cryptographically signed, the processor's secure boot function can reject modified or unsigned code. With great power comes great responsibility, however: USB Armory's flexibility means it could be programmed to perform BadUSB attacks itself, or any number of other nefarious functions useful to white-hat pen testers and black-hat hackers alike.
Another key way in which USB Armory differs from vulnerable USB devices is in the supply chain bringing it to end users. What makes BadUSB such a threat is that it's hard to tell what controller chip a USB device contains, or where the components came from, so you never know whether to trust a given USB device. Barisani, though, intends to be transparent about USB Armory's components: Inverse Path is offering the design as "open hardware," so if you don't trust the company's manufacturer, you can build one for yourself using components from sources you do trust. The prototype USB Armory design files are on GitHub, and Inverse Path plans to post files for the production version as soon as it's ready for manufacturing.