Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Betrusted: A Security Enclave for Humans (betrusted.io)
277 points by DyslexicAtheist on Dec 28, 2019 | hide | past | favorite | 29 comments


I almost missed that this project is supported by Andrew "Bunnie" Huang.

That alone has me very interested.

As most ycnews readers already know Andrew has made it his mission to direct his considerable talents on projects that push up against oppression - instead of focusing his energy on helping unicorns. I'm a huge fan/supporter of his work (e.g. Novena, NeTV, Safecast) and will likely pick one of these up when it goes GA.


And funded by NLnet. At the bottom of the linked page:

The Betrusted team is funded in part by the NLnet Foundation via Privacy & Trust Enhancing Technologies grants.


A TPM is not a "secure enclave." It is a smart card bonded to the motherboard, used for platform attestation, and some basic encryption. It provides no enclave to speak of. (Maybe they meant SGX or TrustZone?)


I think the word enclave is just being used in more then on way. I have seen that "secure core" many ARM devices have being referred to as secure enclave and secure coprocessor which both isn't quite right but people go with it anyway.

(I mean that additional Cortex-M0/3? core which run in a super previleged mode and often implements the EFI, DRM bs, and sometimes a TPM module)

So I guess we just have to live with it ;)

Edit: through yes secure enclave, secure element and TPM are not the same but they have in common that the represent mistrust in the rest of the hardware.


I think JavaCard applets could be considered to be secure enclaves within a smartcard because JCOP is supposed to completely isolate them except for their exported interfaces.


it’s not an enclave but it’s also not a smart card. you probably think “close enough”, but guess what ... enclave is also close enough. we don’t need to split hairs here.


Phones are such incredibly personal devices. This should be what your phone is but economics has made phones untrustworthy because of their complexity.

So I've always wondered why we haven't seen more projects like this.

In my opinion, they should drop the hardware keyboard in favor of a d-pad or a few Yes/No type buttons and an onscreen keyboard. If the hardware is to be trusted this shouldn't matter to the trust calculus. And the market has proved the blackberry segment is niche.


I've been avoiding phones for over a decade.

Whatever you do with data security, messaging and so on, you're using a device that knows where you are at all times. With perhaps centimeter accuracy, using GPS and triangulation from WiFi access points. And all that prevents that from being shared is some software settings. On a device where you're not even root.

Would any of the Linux-capable phones run VirtualBox, with a few VMs?

Is anyone working on a phone that might run Qubes?


My guess is that there isn’t a very big addressable market for privacy, and hardware requires a lot of up-front investment. It has to be someone who believes that the world will be better if it exists, not simply the highest $/hour ROI on building it.

There is more money in surveillance, as we’ve seen, than privacy.


Oh, but people care about privacy. Just not enough, to pay significantly more money for it and suffer performance loss.

But this is also because a mobile is a black box for them, and it would give them a big headache to try and understand that site about that phone. In the end, for them, they still have to trust the developers, so they stick with the ones they know by the corporations.


I really like the idea of using something like as a U2F authenticator that allows me to define a additional local PIN. There are whole number of application this would be useful for.

I strongly recommend this talk by Andrew "Bunnie" Huang it gives a lot of background on his thinking about Open Hardware/Software:

https://www.youtube.com/watch?v=zXwy65d_tu8


fwiw in fido2, successor of u2f, you can opt in for an additional pin on your security key.


Yes, that was what i was referring to. Sorry if that was not clear.



36C3 - Open Source is Insufficient to Solve Trust Problems in Hardware

https://www.youtube.com/watch?v=Hzb37RyagCQ


Bunnie's blog post has really good description of it as well http://bunniestudios.com/blog/?p=5706

The FPGA is the weak link as he says. Everything else is cool (like the physical keyboard and LCD you can inspect with a light) but you can't validate the FPGA. I'd assume it'd be harder for a threat actor to compromise (make a compromised FPGA would take more resources than compromising the keyboard, etc)


This feels like the future to me. Today's smartphone platforms have given a canonical ID to the user, and often their location. Location tracking is starting to become a really hot issue for the general public. I think its a gateway drug to digital security. The model of a dedicated secure device that uses external communications accomplishes a lot technically, but also 'fits' comfortably in the habits of millions of people. Such a device could fit right in with phone, wallet, and keys, and it could be an ideal tool for storing your on-the-go crypto. People trust things they can touch and can audit.

The first team that can ship a universal, secure hardware wallet that 'just works' for $50-$150 could sell 5 million units in a year. In 7 years there could be billions of them, selling for $10+ a unit; a consumable like a traditional wallet.

I would keep one on my person at nearly all times, and have it replicate state to another at home, and a third in some vault service (like a connected safety deposit box). They devices would establish a physical pairing by creating an irreversible key-pair on the hardware itself. The replication could be a sequential log (like mysql binlog or git), and the integrity of that log could be additionally verified by bringing the devices within close proximity. All that is to say, there needs to be a secure, peer-based way to mitigate inevitable loss, damage or theft of the physical device- without centralizing the data or losing state. It would do well to be dummy-proof and make fun sounds when performing the above pairing and verifying operations. Megacorps shouldn't get to be in charge of syncing everything for us.

Let's take back the autonomy that has been stolen from us during these awkward teenage years of a digitally-driven society, and this time let's keep it in our own hands.


Interesting to see a mobile hardware keyboard with a Dvorak layout.


Interesting. But it seems like it would add a lot of attack surface if all these things are within the secure enclave.


I am confused by the threat model here. It seems that we want to assure (among others) confidentiality of the data the user is inputting. However, I don't think any of the planned data input channels would be hard to eavesdrop on from the POV of the user's phone:

a) input via hardware keyboard, if the betrusted is a part of the phone case, should be simple to eavesdrop on based on microphone and/or accelerometer readings in the phone: different keys on the keyboard will likely be different enough. b) input via voice can be eavesdropped on by the phone' microphone.

Do I misunderstand the guarantees betrusted intends to provide or something else?


https://www.youtube.com/watch?v=Hzb37RyagCQ

He starts talking about betrusted at 30:00


Guarantees are, if in a controlled environment, user won't be eavesdropped by means of software intervention. That is what I got from the project


Impressed by the practical approach the author is taking to this problem.

Please add: - Hardware switches for RF modules as well as microphones - Separate RAM for baseband SOC


So as I read this, this is a device you have to carry next to your phone for your secure communications. Sounds interesting and for the security minded, it seems it could have some real added value. But for the average consumer it adds a layer of inconvenience that you don't want when contacting your grandmother. Are high powered individuals with strict security requirements the target market for this device?


Any device (or software for that matter) which makes a security one of its selling points, is not aiming at the mass market.


Could this use a software keyboard? If so, it could eventually be incorporated into phones; I'm thinking of a SOC that takes complete control of the screen, bus, etc...


Samsung already did this with some ARM core that could get complete control. How do you know you’re not looking at a software emulation of the secure elements display though?


There could be an LED controlled by the secure element that indicates it has control of the hardware.


It’s a matter of training the user to look for that though.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: