After soaring in popularity, Mullvad VPN is ready to dip into hardware security. Mullvad just launched a new company called Tillitis AB, which is currently showing off an all-new USB security key at the Open Source Firmware Conference.
While we still don’t know exactly how Tillitis Key works, we know that it takes a different approach from FIDO2 solutions like the YubiKey.
The Tillitis Key is fully open-source, even down to its PCB design. It uses a “measured boot” system (or something similar) to derive a hash for applications as they load on the device. This hash is combined with a per-device secret to generate a unique security key.
According to Mullvad, this process should allow the Tillitis Key to verify an app’s integrity before it loads. It also prevents applications from “seeing” each other’s secrets, which may provide a strong defense against malware. (Note that Tillitis Key loads applications, but these applications aren’t persistently stored on the security key.)
Other interesting features include a programmable “user” or “host” secret, which will prevent a thief from using your security key even if they know an application’s hash. And notably, Tillitis Key will continue to work even when an application is updated, depending on how the app developer enables code-signing.
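The derivation described in the last three paragraphs (measure the app as it loads, mix the measurement with a per-device secret and an optional user secret, hand the app a key that no other app can reproduce) can be sketched in a few lines. The example below is added here to illustrate that idea; it is not Tillitis code, and the page does not say which hash or key-derivation construction the device actually uses. The use of keyed BLAKE2s, the 32-byte device secret and all sample application images and secrets are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed sample values for illustration only; none of these are real Tillitis data.
DEVICE_SECRET = bytes(range(32))                 # stands in for a per-device secret fixed at manufacture (assumed 32 bytes)
APP_V1 = b"\x7fELF...signing-app-v1"             # stands in for an application image loaded onto the key
APP_V2 = b"\x7fELF...signing-app-v2"             # a modified image: an update, or a tampered copy
USER_SECRET = b"correct horse battery staple"    # stands in for the programmable user/host secret


def measure_app(app_image: bytes) -> bytes:
    """Hash the application image as it is loaded: the 'measurement' in measured boot."""
    return hashlib.blake2s(app_image, digest_size=32).digest()


def derive_app_key(device_secret: bytes, app_image: bytes, user_secret: bytes = b"") -> bytes:
    """Derive the application-specific key from the device secret, the measurement and the user secret.

    Keyed BLAKE2s is this example's choice, not a documented Tillitis construction.
    The measurement is a fixed 32 bytes, so appending the variable-length user secret
    after it is unambiguous (no length prefix is needed).
    """
    h = hashlib.blake2s(key=device_secret, digest_size=32)
    h.update(measure_app(app_image))
    h.update(user_secret)
    return h.digest()


def verify_app(app_image: bytes, expected_digest: bytes) -> bool:
    """Integrity check before load: does the measurement match the digest the user expects?"""
    return hmac.compare_digest(measure_app(app_image), expected_digest)


def demo() -> dict:
    """Show the properties the article describes: keys differ per app, per device, and per user secret."""
    same_app_same_device = derive_app_key(DEVICE_SECRET, APP_V1) == derive_app_key(DEVICE_SECRET, APP_V1)
    changed_app = derive_app_key(DEVICE_SECRET, APP_V1) != derive_app_key(DEVICE_SECRET, APP_V2)
    changed_user_secret = derive_app_key(DEVICE_SECRET, APP_V1, USER_SECRET) != derive_app_key(DEVICE_SECRET, APP_V1)
    other_device = derive_app_key(bytes(32), APP_V1, USER_SECRET) != derive_app_key(DEVICE_SECRET, APP_V1, USER_SECRET)
    return {
        "deterministic_for_same_app": same_app_same_device,
        "changes_when_app_changes": changed_app,
        "changes_with_user_secret": changed_user_secret,
        "differs_on_other_device": other_device,
    }


if __name__ == "__main__":
    expected = measure_app(APP_V1)
    print("app v1 verifies:", verify_app(APP_V1, expected))
    print("app v2 verifies against v1 digest:", verify_app(APP_V2, expected))
    print("app v1 key:", derive_app_key(DEVICE_SECRET, APP_V1, USER_SECRET).hex())
    for name, holds in demo().items():
        print(f"{name}: {holds}")
```

Two points from the article fall out of this shape. Because the app's key depends on the measurement, an app cannot compute another app's key without the device secret, which the app never sees; and because the user secret enters the derivation, someone who steals the device and knows a legitimate app's hash still cannot reproduce the key without that secret. Note that any byte change to the image changes the measurement and therefore the key, which is why the article says continuity across app updates depends on how the developer arranges code-signing rather than on the derivation itself.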
Mullvad is showing off the Tillitis Key at the 2022 Open Source Firmware Conference. Attendees will receive an engineering sample of the security key. For more detailed information, I suggest checking the Tillitis GitHub, which includes PCB schematics, source code, and more.