Tiny USB stick SBC features dual crypto chips
Sep 26, 2019 — by Eric Brown

F-Secure’s security-focused, open-spec “USB armory Mk II” USB stick SBC runs Linux on an NXP i.MX6 ULZ with dual crypto chips, 16GB eMMC, dual USB Type-C ports, and Bluetooth 5.0.
Since Inverse Path launched its security-oriented USB Armory USB stick back in 2014, we have not seen anything quite like it until this week, when a second-generation version successfully launched on Crowd Supply. The $149 USB armory Mk II SBC is now offered by security company F-Secure Foundry, which acquired Inverse Path in 2017.


USB armory Mk II, front and back
The USB armory Mk II is available with a free enclosure until Nov. 1 with shipments due by Dec. 30. There’s also a $30 microSD card with pre-loaded Debian and a $35 debug daughter board that breaks out the UART, SPI, I2C, and GPIO.
As before, the device can be operated as a standalone SBC or as a security peripheral to a connected computer. Applications include encrypted storage, firewall, VPN, OpenSSH, Bitcoin wallet, pen-testing, and more (see chart farther below).


USB armory Mk II in enclosure (left) and connected to lanyard and USB dongle
The USB armory Mk II advances from an 800MHz, Cortex-A8 based NXP i.MX53, which was already considered a legacy SoC back in 2014, to NXP’s 900MHz, Cortex-A7 i.MX6 ULZ. This cheaper new version of the i.MX6 UL removes the touch-enabled, 24-bit parallel RGB, dual CAN, and parallel camera interfaces, as well as the dual 10/100 Ethernet controllers.
As before, the SBC provides 512MB RAM and a microSD slot. The F-Secure product page mentions a 1GB DDR3 option, but this does not appear to be available on Crowd Supply.
The 66 x 19 x 8mm SBC is almost the same size as the original, but manages to squeeze in 16GB of eMMC, which can be made bootable instead of microSD via a hardware switch. It also adds Bluetooth 5.0 with BLE and BT Mesh and a second USB port. One of the USB Type-C ports is a UFP (Upstream Facing Port) that plugs into a computer to draw power and exchange data. The second is a receptacle port that can act as a host or device.
With this design, the SBC can “act as a USB firewall without the need for additional hardware, and it can be natively expanded with USB peripherals,” says F-Secure. In addition, the receptacle USB’s device mode “simplifies scenarios such as controlled USB fuzzing from one side and interactive console/control on the other.”


USB armory Mk II Debug Board (left) and potential applications
Connectivity features include USB device emulation on both ports and TCP/IP links via CDC Ethernet emulation. The board also supports serial communications via USB or UART, as well as flash drive emulation via “mass storage gadget,” says F-Secure.
Previously, the security features were primarily limited to what was available on the NXP SoC, but there are now two new cryptography and authentication co-processors. The Microchip ATECC608A and NXP A71CH secure elements both provide hardware acceleration for elliptic-curve cryptography, as well as hardware-based key storage. Both chips communicate via I2C and provide high-endurance monotonic counters for external verification of firmware downgrade and rollback attacks. The ATECC608A chip features symmetric AES-128-GCM encryption.
The USB armory Mk II also provides security features derived from the i.MX6 ULZ SoC, including Arm TrustZone and a Data Co-Processor (DCP) driver for encryption and hashing via the Crypto API interface. The SoC also integrates the v4 version of High Assurance Boot (HABv4), as well as Secure Non-Volatile Storage (SNVS), based on a device-specific random 256-bit OTPMK key.
Other security features include a True Random Number Generator (TRNG) enabled via the Linux kernel. In addition, the new eMMC flash is enhanced with the Replay Protected Memory Blocks (RPMB) function, thereby enabling replay-protected authenticated access to flash memory partition areas using a shared secret.
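How a shared secret plus a write counter stops replayed writes can be shown with a small model. This is an added example, not code from F-Secure or from the eMMC specification: it is a simplified Python model of the RPMB idea, and the `RpmbModel` class, the frame fields and the MAC input layout are assumptions made for illustration rather than the real frame format.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 256  # constructed sample payload size

def frame_mac(key, address, counter, data):
    # HMAC-SHA256 over address, write counter and data (simplified layout,
    # an assumption for this example, not the real RPMB frame).
    msg = struct.pack(">HI", address, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()

class RpmbModel:
    """Hypothetical device side: holds the shared key and a write counter."""
    def __init__(self, key):
        self._key = key          # provisioned once, never read back
        self.write_counter = 0   # only ever increases
        self.blocks = {}

    def write(self, address, counter, data, mac):
        expected = frame_mac(self._key, address, counter, data)
        if not hmac.compare_digest(mac, expected):
            return "auth_failure"      # sender does not know the key
        if counter != self.write_counter:
            return "counter_failure"   # stale frame: a replay
        self.blocks[address] = data
        self.write_counter += 1
        return "ok"

def host_write(key, device, address, data):
    # The model reads the counter directly; a real host would fetch it
    # with an authenticated counter-read request.
    counter = device.write_counter
    frame = (address, counter, data, frame_mac(key, address, counter, data))
    return frame, device.write(*frame)

def demo():
    key = os.urandom(32)
    dev = RpmbModel(key)
    v2 = b"fw-version=2".ljust(BLOCK, b"\0")   # constructed sample data
    v3 = b"fw-version=3".ljust(BLOCK, b"\0")
    old_frame, first = host_write(key, dev, 0, v2)
    _, second = host_write(key, dev, 0, v3)
    replay = dev.write(*old_frame)             # captured v2 frame sent again
    forged = dev.write(0, dev.write_counter, v2, bytes(32))  # no key
    return first, second, replay, forged, dev.blocks[0] == v3

if __name__ == "__main__":
    print(demo())
```

The replayed frame carries a valid MAC but an old counter value, so the stored block stays at the newer contents; the forged frame has the right counter but fails authentication.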
The new Bluetooth radio, a u-blox ANNA-B112 module, can also boost security by “enhancing its security applications in terms of authentication, isolation, and limiting trust of the host,” says F-Secure. You can replace the default firmware loaded onto the ANNA-B112 module’s Cortex-M4-based Nordic nRF52832 MCU via an “OpenCPU” option to provision it with the Nordic SDK, Wirepas mesh, ARM Mbed, or “arbitrary user firmware.”
The optional Debug Board plugs into the USB Type-C receptacle port via debug accessory mode. The 57 x 22 x 12mm add-on breaks out the UART, SPI, I2C, and GPIO for debugging without the need for a probe. UART and GPIO are exposed via USB while the SPI and I2C are available via breakout through-holes.
The USB armory Mk II ships with a standard injection-molded enclosure that provides access to the USB ports, microSD slot, and boot-select switch. There’s also a notch that lets you attach a lanyard.
F-Secure provides pre-compiled images for Debian 9 Stretch and Arch Linux, with more on the way, and there’s native support for Android, Ubuntu, and FreeBSD. Schematics and other open hardware files are posted on the F-Secure website.
Further information
The USB armory Mk II is available on Crowd Supply through Nov. 1 starting at $149, with shipments due by Dec. 30. More information may be found on F-Secure Foundry’s Crowd Supply and product pages.