Google’s Project Vault Puts a Secure, Encrypted Computer Inside a microSD Card

One of the most interesting announcements made at Google I/O was Project Vault, a security-focused computer concealed within an ordinary microSD card. When plugged into a compatible PC, smartphone or other device, it can enable completely secure end-to-end communications. Google’s Advanced Technology and Projects (ATAP) group designed Project Vault to protect a user’s most sensitive data, under the assumption that if not everything can be safe, at least some of it can.The fingernail-sized device runs on a custom ARM processor and has 4GB of secure storage space. It runs its own security-centric real-time OS with built in cryptographic infrastructure including a suite of encryption services and a hardware random-number generator. It has its own NFC hardware including an antenna, which can be used to authenticate users based on a physical token in their possession. The microSD interface suffices for all data input and output.

Google claims the Vault is completely transparent to its host devices and shows up as any ordinary storage destination. It is completely device- and OS-agnostic and only needs to be plugged in to work. Compatible apps can interact with two dedicated files: one that must be written to and the other that can only be read from. The rest of its file system is fake, and any interaction with it will result in a standard “bad sector” error, preventing even the host device from seeing what goes in and out of the Vault. No special drivers or user intervention are required. This means that a user’s security is maintained even if he or she moves the Vault between multiple host devices, no matter how insecure they might be.

The device and its software support text messaging, voice, and video streaming, as long as parties on both ends have their own Vault cards. Immutable hardware logging features would help owners determine if anyone has tried tampering with their Vault. Google is using 500 prototype cards internally and hopes to have commercial products out soon, with enterprise customers targeted first and consumer applications rolling out later. An open-source kit including development hardware and source code is already available.