NitroPad: Secure Laptop With Unique Tamper Detection

Do you think your computer hardware is secure? Can you rule out that in your absence no one has manipulated your computer? In a world, where most users do not have any real control over their hardware and have to blindly trust the security promises of vendors, NitroPad unlocks a refreshingly new security experience. NitroPad X230 is significantly more secure than normal computers. With NitroPad, you'll have more control over your hardware than ever before while maintaining ease of use.

 

Features

Tamper Detection Through Measured Boot
Thanks to the combination of the open source solutions Coreboot, Heads and Nitrokey USB hardware, you can verify that your laptop hardware has not been tampered with in transit or in your absence (so-called evil maid attack). The integrity of the TPM, the firmware and the operating system is effectively checked by a separate Nitrokey USB key. Simply connect your Nitrokey to the NitroPad while booting and a green LED on the Nitrokey will show that your NitroPad has not been tampered with. If the LED should turn red one day, it indicates a manipulation.
 

Deactivated Intel Management Engine
Vulnerable and proprietary low-level hardware parts are disabled to make the hardware more robust against advanced attacks.
The Intel Management Engine (ME) is some kind of separate computer within all modern Intel processors (CPU). The ME acts as a master controller for your CPU and has broad access to your computer (system memory, screen, keyboard, network). Intel controls the code of the ME and severe vulnerabilities have been found in the ME enabling local and remote attacks. Therefore ME can be considered as a backdoor and has been deactivated in NitroPad.
 

Preinstalled Ubuntu Linux With Full-Disk Encryption
NitroPad ships with a preinstalled Ubuntu Linux 18.04 LTS with full-disk encryption. Ubuntu is one of the most popular, stable and easiest to use Linux distributions. Switching from Windows to Linux has never been easier.
 

Optional: Preinstalled Qubes OS For Highest Security Requirements
Instead of Ubuntu Linux, on request you can get your NitroPad with preinstalled Qubes OS 4.0 and full-disk encryption.
Qubes OS enables highly isolated working by means of virtual machines (VM). A separate VM is started for each application or workspace. This approach isolates applications and processes much more than conventional operating systems. Qubes OS keeps your system secure, even if a vulnerability has been exploited in one of the software applications used. Example: If your PDF viewer or web browser has been successfully attacked, the attacker cannot compromise the rest of the system and will be locked out once the VM is closed.
In addition, separate virtual workspaces can be used, such as an offline workspace for secret data and an online workspace for communication. NitroPad with Qubes OS is technically similar to SINA clients (for governments), but remains transparent thanks to open source. Qubes OS is for users who want maximum security.
 

Keys Under Your Control
All individual cryptographic keys are generated directly on the NitroPad exclusively during installation and are not stored by us. However, all individual keys can be replaced by you. Unlike "Secure Boot", the keys for securing the operating system remain under your control and do not depend on the consent of the vendor.
 

Nitrokey USB Key Included
NitroPad comes with a Nitrokey Pro 2 or a Nitrokey Storage 2. Their security features include for example email encryption (PGP, S/MIME), secure server administration (SSH) and two-factor authentication through one-time passwords (OTP). The Nitrokey Storage 2 additionally contains an encrypted mass storage with hidden volumes.
 

Professional ThinkPad Hardware
Based on Lenovo ThinkPad X230, the hardware finish and robustness meet professional quality standards. The famous ThinkPad keyboard with background lighting and TrackPoint allows comfortable working. The used laptops have been refurbished.
 

Out-of-the-Box User Experience
With NitroPad, you don't need to take care of opening the hardware casing to flash the BIOS chip, installing and configuring Linux, or pairing the Nitrokey Pro/Storage. We do this work for you. The Nitrokey is already configured with your NitroPad so that it can be used for tamper detection without any further configuration effort.
 

Security Conscious Shipping
To make it more difficult to intercept and manipulate your NitroPad, the NitroPad and the Nitrokey USB key can be shipped in two separate shipments if desired.

 

Use Cases

For Everyone
NitroPad enables you to detect hardware tampering. For example, if your laptop is being inspected while crossing the border or if you leave your device unattended in a hotel or during travelling, you can check the integrity of your NitroPad with the help of the Nitrokey.
 

For Enterprises
NitroPad can serve as a hardened workstation for certificate authorities and other use cases requiring high-security computers. On business trips, the NitroPad protects against evil maid attacks while the computer is unattended in a hotel or baggage.
 

For Governments
Governments can use NitroPad to protect themselves against advanced persistent threats (APT) without relying on foreign proprietary technology.
 

For Journalists
If you as an investigative journalist are serious about protecting your confidential sources, NitroPad helps you getting there.

 

NitroPad X230 is now available in our Online Shop.

 

More details are available in the product factsheet.

9.2.2021

Comments

Nice idea the of Nitropad. It would be also a good idea to make the same kind of device as "Tiny Hardware Firewall VPN Client" that is only available to USA buyers. They have several devices. Nitrokey can have at least a device with Wi-Fi (2.4GHz/ 5 GHz) (a/ b/ g/ n/ ac/ ax) to capture the signal and WAN port (10/ 100/ 1000 Mbps), and Wi-Fi to distribute the Secure Wi-Fi (2.4GHz/ 5 GHz) (a/ b/ g/ n/ ac/ ax) and also 4 or more LAN ports (10/ 100/ 1000 Mbps). WPA2 and WPA3 enable for the Secure Wi-Fi. No WPS or similar. Wi-Fi Passwords by default at least like these: 74102-nxbbg-63135-jcynk-69351, and to access the device also things like username: wjghog-495535 and password: jsdsjb-244644 just to make life a little harder by default to attackers. Of course OpenVPN that allows multiple profiles, and also to have multiple jumps between different OpenVPN providers to make it harder for any of them individually to spy on the user, and a nice visual interface to show if any of them is not working and why the device it is not working (not reach the server, local network block, wrong credentials, etc.). And of course technology to allow to bypass attempts to prevent OpenVPN connections (bridges, obfuscation, etc.). Onion ("Tor") network also available. Compatible with login portals (captive portal friendly). With some sort of internal battery that can be easily replaced (say "21700 battery" or something else) and allow external power for even extended periods like "Powerbanks" and/ or directly connected to the electricity network.
W Does it make sense to install the NitroPad distro on other machines? Is there a procedure available? Regrettably there are just few open bios machines out there. Does it also work with TPM enabled machines?
We don't have any own Linux distribution, but customized Qubes and Ubuntu images. https://github.com/Nitrokey/ubuntu-oem/ https://github.com/Nitrokey/qubes-oem We didn't publish instructions how to flash Heads, but you can follow the documentation of Coreboot and Heads instead. Heads works on TPM enabled computers.
Fantastic work guys. Insurgo looked too costly and I wanted to buy a secure hardware laptop. Thank you so much ! It's ridiculous to live in a world where each device has hardware backdoors and there are hacking laws.
What about the last Intel chip flaw and CSME ?
I think is similar to PURISM hardware -> no problem. See news on the website of pursim.
I wonder if Qubes OS does work fast with several virtual machines or if there are any problems because of the old CPU and the old RAM. Is there anyone who has got experience with another Qubes OS running laptop? | Ich frage mich, ob Qubes OS trotz der alten CPU und dem alten RAM flüssig mit einigen Virtuellen Maschinen läuft. Hat jemand Erfahrung und eventuell einen Vergleich zu einem anderen Laptop?
It does. On X230 go for i7 and 16GB RAM.
Your webstore is down as of 5/12/2020 0447
We updated the system which is why our shop went down for a few minutes. It's available now.
Can you get others OS installs for Nitropad than Ubuntu,Mint and Qubes? Can you get a tutorial for changing the OS of Nitropad with all the required steps?
The answer depends on the actual operating system. For instance, Debian can't be installed as of now: https://github.com/osresearch/heads/issues/699
Really should come with a WiFi card that uses Free drivers. Free Software Foundation recommended OSes won't accept the currently built-in proprietary WiFi card('s drivers), and for good reasons. This is a security concern in itself, built in NitroPad's hardware. ME switched off, Heads, Qubes OS et cetera - all very nice; but including a proprietary WiFi card is a serious security risk that should (have) be(en) eliminated by default, i.e. before purchase. Ubuntu is NOT A SECURE OS, too: It contains spyware (data leaking to Canonical and Amazon), nonfree software (and recommends more of it). It should be avoided at all costs, if one cares about her privacy. Vanilla Debian, Parabola, Trisquel (is it still actively developed?), Qubes OS, Tails would be acceptable alternatives - and they are as user friendly, besides Qubes OS perhaps. Otherwise, quite nicely done of course. Thank you for doing this.
Indeed, we are considering adding a better WIFI card. Our Ubuntu 18.04 installation is customized and we removed the Amazon integration. Ubuntu 20.04 doesn't come with Amazon anymore by default. Debian can't be used with Heads as of now, unfortunately.
Do you have free drivers for the wifi module in the meantime?
The ath9k option is as open-source-ish as possible, AR9462 designs have been reported to run without binary blobs. But we've not explicitly verified this in detail within the distributions.
I really love your products, I have bought quite a bunch of Nitrokeys over the years, and I was very close to buying a Qubes Nitropad a few days ago, but it felt a bit too painful to pay around 850$ for a near full specification X230... Could you consider offering a "Nitropad2" or something like that, based for example on a ThinkpadT490 or similar with Intel ME disabled, Qubes installed, and the same boot timing and GPG signing safety features? I would be ready to pay 1500-2500$ for such a machine with full specs without thinking twice, and I think that I am not alone there. Anything that may be drastically less secure than the X230, given ME has been de-activated?
We don't plan to offer any other ThinkPad model soon. This space of Intel Boot Guard and custom firmware is really difficult and it's not that we have many other hardware options. However, we are interested to add other models in the future, if this becomes possible...
Why do you use Lenovo ThinkPads? The Chinese government has been installing backdoors into them for several years now.
That's why we are replacing Lenovo's BIOS/firmware with our own (Heads + coreboot).
Can we install any OS in virtual box on a nitro pad with Ubuntu?
yes
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Are you working with the Qubes team on the future version 4.1? Can you guarantee us the compatibility of your X230 with 4.1 today? -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQTugWZs8PdShPP6eVZiJvXjaaomZAUCX0tkcgAKCRBiJvXjaaom ZLnqAP9DjLqvjcdKAZNLwJCrNyH62SXAgnNYHTTN+cmUHCH3awEAgJEQsMllyJKK +RQYAdqYgpsN9ahfKlQ7CQ54R6LJ0Ag= =aSKW -----END PGP SIGNATURE-----
Yes, NitroPads are Qubes-certified and therefore tested well.
How do I reset a nitro pad and the nitrokey pro to original state out of your shop without knowing the pins.
Do you also plan 17,3 notebook with these security features?
No plan for such, as of now.
How can Intel be on your customers list? Don't they trust their own Management Engine?
Is it possible to have no blobs installed to use this, I wanted to use Hyperbola as my operating system. Its a very interesting distribution focused on simplicity, stability, security, and freedom. Not in that order I might add. :) Also, is Hyperbola usable with heads? Can you test?
Do you refer to firmware blobs? We neutralize Intel ME in the firmware already. We don't have time to test Hyperbola in particular but in general every Linux distribution should work and we are not aware of any which doesn't work.
Ah, okay, what about the ethernet blob?
We use the standard blob for the Ethernet driver. If you don't want to use the built-in Ethernet, you would need to connect an external Ethernet adapter.
Oh okay, that wouldn't be a problem whatsoever, I have a few of those. :) I am curious though, is the intel me really unable to do anything remote after its disabled?
According to the current publich knowledge, Intel ME is fully neutralized. What we do is we disable Intel ME by setting the HAP bit and we remove the parts of Intel ME blob which can be removed.
Ah okay, so the backdoor has been rendered both harmless and ineffective. Is it broken beyond repair also? That would be cool.
What do you mean?
Well, I meant when you say its fully neutralized, your saying it can't do anything whatsoever, especially remote damage, as in over the net. correct?
Yes, that's the whole point of neutralizing ME, to prevent any remote access or damaging.
By the way on an old related note, Is this option to not have the ethernet blob added possible? I have a usb to ethernet dongle available.
We don't offer this as of now. I will see if we can add it in the future...
What about this vulnerability? SA-00086 Apparently, intel me being disabled still has this issue... :/ I found out about this vulnerability on wikipedia. And there is a link to it...
One other question though, when the ethernet blob is enabled, is it a remote issue and if so how significant?
I thought of one other question, will there be an option to update the firmware via nitrokey in bios?
But I mean like, regardless of the operating system... Is there a place where I can compile it from source, or is all this not important because you attach the firmware into the usb directly and then maneuver from there in the bios, etc...
You can download binaries and sources from: https://github.com/Nitrokey/heads/releases/latest To update the firmware, you store the firmware file on a USB drive and open it from Heads/firmware menu and trigger the update.
Good to know, that solves my problem for now. :)
Can you guys please make a plan for a laptop that can have more than 16gb of ram please. Speed is very important nowadays as we move into a virtual life. 32, 64, and even 128 gb of ram are becoming ever more important, example for professional software. Please make a plan for that option.
Is there a laptop that can have its intel me deactivated/neutralized and be corebooted that can support 32GB or more? I would tend to doubt this, but it would be pretty cool if so. Although, desktops might be another matter... Just musing about this, sounds interesting.

Pages

Add new comment

Fill in the blank.