Google’s Advanced Technologies and Projects (ATAP) unveiled a bundle at the group’s I/O keynote this morning, but two of the most interesting presentations dealt with passwords, or “relics,” as division head Regina Dugan called them. “Passwords suck,” she explained, for a variety of reasons. According to ATAP’s data, 70 percent of users forget their passwords, and don’t often do a very good job creating hard-to-crack phrases besides — “Humans are a bad source of entropy,” Dugan said. In an effort to develop more reliable security, ATAP developed Project Abacus, an analytical system based on machine learning, and Project Vault, a cryptographic MicroSD card.
The scale of Project Abacus was so vast that ATAP sought outside help — Dugan said the department recruited 25 researchers from 16 institutions to participate in development. With the added brainpower and the help of hundreds of volunteers, they managed to create a new method of authentication that Dugan said is not only 10 times more secure than the best fingerprint sensor available, but also entirely based in software — it requires no special operating system or hardware.
Project Abacus works, she explained, by continually generating a “trust score” from data the hardware on which it’s running collects — the apps you most frequently use, for example, or your location. To demonstrate, two researchers on stage passed a smartphone running Abacus software back and forth. The front-facing camera collected facial data and algorithms calculated trustworthiness in real time. When the second researcher used an app at a time of day the first researcher typically didn’t, the “score,” represented on a line graph, decreased.
Dugan was coy about workings and prospects of Project Abacus, but stressed the code was simple enough to be packaged in a software update.
Project Vault, on the other hand, is physical. But that doesn’t make it any less impressive. It’s capable of creating a secure communications channel on any device with a MicroSD slot.
That may sound like magic, but Project Vault actually a “security-dedicated computer [in] a MicroSD card with a driver-free interface and encryption and secure communication,” explained development lead Peiter “Mudge” Zatko. He wasn’t kidding about the computer part — Project Vault packs an antenna, 4GB of storage, and an ARM processor on a thumb-sized card. Zatko says modern hardware informed the team’s choice of form factor. “You already have secure elements in your phones and computers, like SIM cards and Trusted Platform Modules for OEMs,” he said. “What about a secure element that protects the things important to you?”
In abstract, Project Vault accomplishes this all rather simply: plug it into a phone or computer and communications with nearby Vault users — video, audio, photos, and text — are encrypted. That’s accomplished with immutable logging, a record of all attempts by nefarious third parties to access the cars, and with a real-time operating system (RTOS) with a wealth of cryptographic tools, including a random number generator and hashing, at its disposal.
Communication worked seamlessly in the on-stage demo. Two smartphones with Project Vault cards were able to send and receive instant messages directly in real time.
ATAP’s producing Vault modules for enterprise right now, but it’s releasing the software under an open source license. “We’re doing this to be fully transparent because we want developers to be able to see how it works, understand it, and trust it,” Zatko explained. The team plans to deploy 500 prototypes internally and release development hardware at some point in the near future.
“It shouldn’t matter how many doors or windows your house has as long as it has a vault in it,” Zatko said.