Olivier Boireau, CEO of Design SHIFT, stopped by InformationWeek's San Francisco office last week to demonstrate ORWL (pronounced Orwell), a small, tamper-resistant computer scheduled to ship around May 2016. He visited in advance of a presentation at Black Hat Europe and a Kickstarter funding campaign planned for today.
Although desktop computers have been eclipsed by mobile devices, ORWL is highly mobile. It's about the size of a large doughnut. The device's portability, not to mention its visual appeal, might make it tempting for thieves, but stealing it would be pointless for all but the most sophisticated adversaries.
ORWL is designed for security, specifically hardware security. Boireau said that in many organizations today, little thought is given to preventing hardware-based attacks. An adversary could insert a USB drive in an unattended PC, or add a compromised component, and it's unlikely the device's user or IT personnel would be aware.
Even if such scenarios seem unlikely, there's something to be said for hardware that isn't the weak link in the security chain.
Boireau said ORWL is roughly comparable to a Lenovo Yoga in terms of processing power. It's not intended for processor-intensive applications like Autodesk's Maya, but it's well-suited for business applications, accessing databases, and browsing.
ORWL can run Linux or Windows. It supports open source software, and the plan is to be as open as possible with the hardware. It's based on Intel's sixth-generation Core M processor family, with Intel HD graphics. The device's planned memory capacity ranges from 2GB to 8GB DDR3 1600MHz, with SSD storage ranging from 64GB to 512GB. It will come with two USB Type-C ports and a mini-HDMI port. Pricing should range from around $600 to $1,300, with a disassembled version planned for about $400.
The device is designed as if it were a payment terminal. Boireau, who said he began his career developing electronic warfare technology for the French military, said that ORWL incorporates what his company learned by designing PCI 4.0-compliant devices for Clover, which sells point-of-sale hardware. He said he expects the device will be FIPS 140-2 compliant, level 3 or level 4, at least in terms of hardware.
Part of such compliance has to do with how personnel manage keys, said Boireau. "I don't think I want to do that part, but I will do all the hardware certification," he said.
Boireau emphasized that ORWL is not intended to be impervious to all vulnerabilities. A TEMPEST attack -- to read data through electronic emanations -- might be feasible, for example. "If you are at home, I would argue a Bluetooth keyboard is okay," he said. "If you have the NSA behind you [reading your keyboard transmissions], you have bigger problems."
Accessing the device requires an NFC hardware key as well as a password. If the user walks more than 10 meters away with the key, ORWL will lock and disable the data ports. And if ORWL itself is moved while locked, it will shut down, leaving data on the SSD protected by AES-256 encryption. Boireau said organizations could affix a hardware key in a data center to allow ORWL to operate unattended as a server in that specific location.
The device is protected by an active mesh in its casing. Any attempt to breach the case, made of a type of brittle plastic that's prone to shatter if punctured, triggers the MAXIM controller to delete the encryption key that grants access to the user's protected data.
Boireau said he believes the device will appeal to companies and to consumers interested in privacy and data security. "In the corporate space, once you do two-factor authentication, which is what we do here, you can create secure endpoints to a shared database," he said. "So in medical, I think it's essential, and for government and the military. Lawyers and accountants also share this need. You don't want your database to just walk away."
If it does, ORWL has your back.
"We think it enables free communication, once you trust the hardware," said Boireau. "I think it should be everywhere."