Intro

03

The Architecture

05

The Hardware

11

The Firmware

15

The Software

23

Server Solutions

28

Afterword

33

Intro

We got tired of typing in passwords and looking for the necessary RFID card in our bag. And when entrepreneurs are tired of something — they solve it, have fun and make money. That is how we started Hideez Technology.

The world is increasingly moving towards a one device fits all concept. So why start a company that develops a separate piece of personal hardware, instead of championing yet another desktop+mobile authentication and security ecosystem? We partially answered this question in our team blog, while writing on the topic of multi-factor authentication technology. To summarize: it is human nature to keep the key separate. No matter how sophisticated the personal devices of the future will be — there will still be ‘doors’ and ‘keys’. And while putting the key under the doormat might be handy, it eliminates the sense of having a door. This white paper should give its reader a general overview of the Hideez ecosystem and the basic ideas underlying it. We structured this document by the key components of our ecosystem as we see it. The Architecture section explains the big picture and gives a glimpse of our roadmap for 2017—2018. The Hardware section outlines the major features of our hardware and explains our reasoning behind picking vendors. The Firmware section explains our approach to low level programming of our devices and outlines our unique solutions. The Software section explains our features as the end customer sees them on various mobile and desktop platforms. The Server Solutions section describes My Hideez — a cloud-based solution for managing accounts of our private customers. It also provides a glimpse of Hideez Server — our major corporate product, that can be installed and managed inside the customer’s cybersecurity perimeter, allowing a wider range of networked solutions in combination with our devices. This document intentionally leaves out the security architecture of the Hideez ecosystem. We aimed for this white paper to be ready by the start of CES 2017. It is the end of December 2016, and we are still testing some security elements. Our reader should expect a separate white paper on the security aspects of Hideez ecosystem by Spring 2017.

04

The Architecture

Overview Underlying Principles

In the modern connected environment it is pointless to sell just a device. That is why behind Hideez Key there is an ecosystem of mobile and desktop applications, application protocols and server solutions. Please have a look at this visualization and let us explain each layer in detail.

Hideez Devices are currently Hideez Key 1 (HK1), which we

have been selling since August 2016 via our public beta, and Hideez Key 2 (HK2), our next device, whose working prototype we are presenting at CES 2017 and which should start selling in Spring—Summer 2017. The features of both devices are explained in detail in the Hardware section.

Bluetooth Stack is the major transport between Hideez

Devices and Paired Devices (see below). We implemented a Dual Peripheral Bluetooth feature in the firmware for both Hideez Devices (HK1 and HK2). Dual Peripheral Bluetooth significantly improves convenience and seamless handover between various Paired Devices.

Paired Devices are computer, mobile phone, tablet or

other customer or industrial devices running one of the established operating systems such as Android, iOS, Linux, MacOS or Windows. We call these devices ‘paired’, because after performing secure Bluetooth pairing a customer can authenticate herself on these devices or manage them using Hideez Devices.

Hideez Safe is client application that a customer should

install on her Paired Device to enable the complete set of features available from the Hideez ecosystem for the certain OS. Currently Hideez Safe is available for Android (4.4 and higher) and Windows (8.1 and higher). MacOS (10.10 Yosemite and higher) and iOS (9.0 and higher) versions are currently in R&D and testing. See also our ‘Work with Any Device’ principle below.

HID Mode is another way for Hideez Devices to communicate

with Paired Devices without involving Hideez Safe or any other software. The Human Interface Device concept was originally developed by the USB consortium and then implemented for Bluetooth as HID over GATT (Generic Attribute Profile). HID Mode gives limited functionality compared to Hideez Safe, but it is very effective in cases when Hideez Safe cannot be installed on the Paired Device.

07

Hideez Server Solutions are instruments enabling us to

communicate with the customer’s Hideez Device using her Paired Device as a transport. There is a mass market solution called My Hideez. Any Hideez Device connects to it by default, when the customer is trying to initiate her Hideez Device. Firmware Updates Server does what it is called for. Hideez Enterprise Server (HES) — a more sophisticated corporate solution, which we are now developing and beta testing. HES allows to perform more sophisticated tasks like SCIM, access logging, premises access control, and location-based security policies. There is also a Secure Transport Layer from the Paired Device to Hideez Server Solutions via encrypted Internet connection. We intentionally leave it out of the scope of this white paper, as it will be covered by a separate document on the security of the Hideez ecosystem, please see the Intro section of this document.

08

Underlying Principles We build our ecosystem based on the following underlying principles:

1. Never store customer passwords or other credentials on the server. ‘X credit cards/SSNs/passwords stolen from…’ is a headline that does not surprise anyone anymore. The obvious but difficult solution is to create service architectures that do not require storing a customer’s passwords. We achieve this with Hideez ecosystem that is custom-tailored for authentication/security only. The only two exceptions from this rule are:

a. we store the My Hideez ID of the customer to be able

to log her into the system for managing her My Hideez account.

b. we allow passwords to be stored and remotely managed by the administrator of Hideez Enterprise Server. This requires the enterprise architect to accept all the responsibility for securing her digital perimeter by installing our custom-set server solution inside it.

2. Follow the customer. Our devices should be compact and

convenient enough for a customer to carry around on a daily basis, like the way people currently carry their door keys. Because IoT wearables are currently reinventing wearable form factors, we released our new Hideez Key 2 in four different wearable cases: a key fob, a wristband, a pendant and a clip.

09

3. Work with any device. As mentioned, we have released

Android and Windows applications and are testing beta applications for iOS and Mac. Moreover, using a Human Interface Device protocol we can connect Hideez Devices to any Paired Device that has Bluetooth 4.0 and supports HID over GATT. We are also currently creating a customized lowcost Bluetooth 4.2 USB dongle, which will ensure smooth compatibility of Hideez Devices with legacy hardware and operating systems (like Windows XP and Windows 7) and will be available as an option when purchasing HK2.

10

The Hardware

It’s cool to experiment with hardware when you are a multibillion dollar corporation. Being a startup from Ukraine requires a neat strategy for navigating through inventory costs, channel owners’ requirements and product roadmaps. Making cybersecurity and authentication hardware means any misstep could be disastrous.

When we were bootstrapping Hideez Key 1 in 2015 it was clear that developing completely our own hardware would take too much time and effort. For this reason we chose nRF51822 system-on-chip by Nordic Semiconductor as our starting point. Nordic chips are proven and reliable, nRF51822 features 32-bit ARM® Cortex™ M0 CPU with 256kB flash and 32kB RAM. We added an 8-bit 90dB buzzer, Atmel T5577 RFID chip with antenna and started prototyping.

12

In Summer 2016 we started developing Hideez Key 2. It is based on the updated Nordic nRF52832 chip, featuring 32bit ARM® Cortex™ M4F CPU with 512kB flash and 64kB RAM. We added a capacitive sensor to control whether HK2 is positioned on the customer’s wrist when it is inserted in our wristband case. This adds an additional security layer akin to that of the Apple® Watch wrist detection feature.

13

In addition to Bluetooth 4.2 Low Energy HK2 features RFID and NFC, both modules being CPU-controlled with the corresponding API in our firmware. We again improved the Nordic architecture by adding an RFID hardware module and implementing firmware support for it. CPU-controlled RFID allows to emulate any RFID credential. This means the amount of RFID credentials which can be stored and used by HK2 is limited only by the flash memory available. The NFC module is also controlled by the CPU and this is the original Nordic featureset. We implemented Out-of-Band (OOB) pairing which makes the Bluetooth connection between HK2 and the customer’s Paired Device more secure. HK1 uses CR2032 batteries for power supply. HK2 features a rechargeable 70 mAh accumulator that will provide enough energy for no less than 14 days of continuous operation. Charging is done via a micro-USB cable, which also provides data connectivity via USB 2.0 Low Speed at 12 Mbit/s — more than enough given HK2 total memory available to the customer. Placing three antennas inside a 18 x 38 x 10 mm (0.7 x 1.5 x 0.4″) case where various modules are competing for space is quite a challenging radio engineering task. Our engineers managed to squeeze in Bluetooth (2.4 GHz), RFID (124—134 kHz) and NFC (12.56 MHz). Another engineering challenge was the multifunctional button. It is the only part of the HK2 case which customer can press. Therefore, the major task for our engineers was to prevent accidental presses without making the button inconvenient and using the materials available. They managed it with HK1 as they did it with HK2 as well. The submerged button can be conveniently pressed even by a customer with wide fingers. Finally, the HK2 case will be IP67 water and dust resistant. While the device is not intended for sports or extreme conditions, it is important that HK2 is resilient enough to function properly in case of an accident or an unexpected situation.

14

The Firmware

Dynamic Data Storage Built Into System on Chip Over the Air Updating Concurrent Dual Peripheral Bluetooth Connection Server-Based Authorization on Device Bluetooth Out-of-Band Pairing Using NFC RFID Module that is Programmable by CPU Human Interface Device Simulation

Our core differentiator and essential expertise is the way we instruct our hardware to perform its tasks. When bootstrapping HK1 we could not find an existing commercial or open source embedded OS which provided a sufficient featureset while being modest enough in terms of computational resources and RAM. That is why we created Hideez OS from scratch.

Hideez firmware is structured into modules performing specific tasks. Among our 29 current modules the key ones are: System Actions Manager controlling critical functions such as turning on/off, rebooting the system or initializing a firmware update; Bluetooth Connection Manager and Hideez Protocol Manager allowing secure data transmission over Bluetooth using it as a transport level; Dynamic Storage Manager and Indication Manager responsible for controlling LED indicators and buzzers.

Dynamic Data Storage Built Into System on Chip Dynamic data storage (DDS) is a simplified implementation of a file system. We developed our own DDS because we needed an ultralight counterpart of a file system for our firmware, which is tailored for authentication and password management. Unlike a conventional file system, our DDS does not allow file names, using record addresses instead. The minimum record size is 4 bytes, the maximum is 508 bytes. DDS operates with records of customer defined type and size. The record could be a password, a login, a URL, application name, an RFID or NFC credential, a Blockchain address, geographic location, etc. The overall storage currently available to a HK1 customer is limited to 74kB, for HK2 it should be more than 200kB.

16

Over the Air Updating Hideez Devices are equipped with an over the air updates mechanism. This allows us to push security and firmware updates to all client devices that are registered with My Hideez and connected to an Internet-enabled Paired Device. Firmware updates can download a new version of bootloader, the firmware itself and Nordic SoftDevice firmware add-on. For security reasons, the firmware update file is encrypted with the firmware update key on the server before pushing it to the end customer. The client application on the customer’s Paired Device is used for transit only, no decryption of firmware occurs on the Paired Device. The client application only checks the integrity of the update package when it is received from the Firmware Updates Server.

18

Concurrent Dual Peripheral Bluetooth Connection As we know, the Bluetooth communication protocol is based on the initiator—responder concept. A responding Bluetooth device can be connected to a single initiator at one moment of time. At the same time, the modern digital customer quite often uses several devices on a daily basis, like a laptop, a smartphone and a tablet. Hence, the ‘one initiator — one responder’ usage model offered by the Bluetooth protocol is not practically relevant to the usage model of HK. To overcome this limitation our team has developed a concurrent dual peripheral Bluetooth solution. It works with both HK1 and HK2 firmware. Concurrent Dual Peripheral Bluetooth Connection (which we will refer to simply as ‘Dual Peripheral Bluetooth’) is based on concurrent operation of two Bluetooth stacks: Nordic SoftDevice stack and our self-developed auxiliary Bluetooth stack. Hideez Key sequentially surveys both stacks with an interval that is imperceptible to a human being. The practical outcome of Dual Peripheral Bluetooth is that a customer can simultaneously protect two devices with a single proximity-based security key without switching between her devices. For example: a laptop and a phone can be simultaneously locked when a customer walks out of a room with her Hideez Key. Dual Peripheral Bluetooth also enables interesting multifactor authentication scenarios for the end customer, for example: the customer can unlock her laptop only if she has the key and it is connected to her smartphone.

19

Server-Based Authorization on Device To create an additional level of security we use server-based authorization of a new or existing customer on her HK. Initially My Hideez and HK exchange packages consecutively. The transport layer consists of HK > Bluetooth stack > Hideez Safe mobile or desktop application > encrypted Internet connection > My Hideez. Each transaction is validated using a unique device key. During initial owner setup a unique customer key is generated by the HK using a unique device key and a random sequence of symbols. The HK is thus linked to a customer account in My Hideez or HES. The outcome is that our server identifies the unique HK of the customer and this HK in turn verifies the authenticity of the server from which it will request updates and device status (i.e. whether this HK is active or ‘suspended’, see Server Solutions below).

20

Bluetooth Out-of-Band Pairing Using NFC HK2 is equipped with an NFC module that allows out-of-band pairing over an NFC channel while maintaining the ability for a legacy secure simple pairing procedure. We are using negotiated handover for the OOB procedure. OOB solves the basic vulnerability of Bluetooth initial handshake, namely: an intruder with sufficient intercepting equipment can compromise the initial key exchange between Hideez Device and Paired Device, thus compromising the encrypted Bluetooth communication channel between the two devices. Because NFC uses very limited radio range compared to Bluetooth, OOB via NFC complicates this type of attack to the level that is impracticable using the current technology. Note that even without OOB HK1 uses improvements to the Bluetooth pairing procedure that make this type of attack more difficult.

RFID Module that is Programmable by CPU In HK2 we added dynamic RFID functionality with electrically erasable programmable memory (EEPROM) based on the Atmel® T5577 RFID chip. Now it is possible to instantly change the RFID credential based on the customer’s preferences. We improved standard dynamic RFID by adding user-defined and geolocation-based RFID credential selections. User-defined RFID credential selection allows a customer to pick the right RFID credential manually, i.e. by pressing the multifunctional button of her HK or by selecting the relevant menu item in Hideez Safe.

21

Geolocation-based RFID credential selection allows the customer to preset the geographic location of her preferred places. When approaching the preset locations Hideez Safe app will pick the corresponding RFID credential from the EEPROM. The customer will simply have to place the HK close to the desired RFID reader to be authenticated. An important byproduct feature of dynamic RFID is that by default the RFID module can be ‘zeroed’, meaning there will be no credential at all in the device memory.

Human Interface Device Simulation HK can be configured to be used as a HID input device on the Paired Device. We have implemented HID-over-Gatt Bluetooth profile. HK is recognized as the HID device and can be used without installing any additional drivers or software with most Bluetooth 4.0 enabled devices running various OS (Android, Windows, macOS, iOS and some Linux distributions). Multifunctional button presses of HK can be programmed into HID scripts for automatic input of passwords, Blockchain credentials and other authentication information. This allows the basic functionality of the Hideez ecosystem to be implemented without installing any Hideez software on the client device. Importantly, our implementation of HID mode requires the customer to enable standard Bluetooth encryption, thus offering basic protection from signal interception and replay attacks.

22

The Software

Features Roadmap

Hideez Safe is our cross-platform client application, enabling most of the features of the Hideez ecosystem on Paired Devices. In addition to enabling features, Hideez Safe is also a transport intermediary for any tasks that require a Hideez Device to communicate with Hideez Server Solutions, like initial login, user authentication and firmware updates.

Features Smart Lock is a proximity-based automatic login utility. Hideez

Smart Lock stands out from the competition by offering an adjustable RSSI signal level. Most Bluetooth unlock utilities unlock your Paired Device simply when the unlocking token is detected. This leads to dangerous situations when the Paired Device is unlocked while its owner only approaches the room where it is located, thus giving time for the attacker.

A Hideez Safe customer can preset the desired RSSI level, for example to 90% (which is a rough equivalent of 1—2 meters distance). Note that Hideez Device will discover a Paired Device earlier and will proceed with reconnecting. This helps to avoid a situation when the customer arrives to her Paired Device but the Bluetooth connection is not yet restored and so the automatic unlocking fails.

Password Manager offers storing and automatically inputting

a customer’s passwords. Hideez Password Manager leverages the availability of a separate hardware device in our ecosystem. The most complicated issue and major vulnerability for any password manager is synchronization between various devices owned by the customer. With Hideez Key the customer does not need synchronization as all her passwords physically travel with her inside her HK.

Theft Alarm offers sound notifications on both devices (Hideez

Device and Paired Device) when the Bluetooth connection between them is lost. The Last Seen feature shows the last known location of the Hideez Device. The Search feature provides real time visualization of the RSSI. It helps when looking for something like a lost physical keychain which has a Hideez Key attached to it.

24

Figure 3.Hideez Safe client application interface. Screenshot of Search feature in Theft Alarm on Android 6.1

25

Media Vault is an encrypted photo gallery. Currently Media

Vault is protected with a random encryption key, generated by the My Hideez Server. We are working to make it possible to protect Media Vault with the unique device key of a Hideez Device.

Touch Guard takes a photo with frontal (if available), main or

both cameras of the Paired Device when two conditions are true: (1) there is no Bluetooth signal from Hideez Key to this Paired Device, (2) the position of the device changes according to the accelerometer. Practically this situation means: the owner left the room, left her Paired Device there and the intruder took the Paired Device from its place. The photos of an intrusion attempt are stored in the Media Vault. This prevents situations when the intruder succeeded with gaining access and then deleted the photos taken by Touch Guard from the ordinary media gallery of this device. Currently Touch Guard works only in Hideez Safe on Android.

Actions are the frontend interface of the multifunctional

button. Using up to eight consecutive short presses and one long press, customers can set up various scripts to be activated when the multifunctional button is pressed. For example: three consecutive presses might be configured to launch a sound recorder app and start recording sound on the Paired Device.

My Places are accessible via Settings. In the current setup

this feature allows adding or removing additional locationbased security layers. For example, if Hideez Safe detects that the customer is ‘Outdoors’, i.e. not within a preset location like ‘Home’ or ‘Office’, then the Bluetooth signal level required to unlock the Paired Device based on the customer’s presence might be increased to prevent accidental unlocking. After the release of HK2 My Places will also store the RFID locations of the customer to enable geolocation based selection of the relevant RFID credential of this customer.

26

Roadmap It is hard to develop a sophisticated hardware and software ecosystem with a small team of developers and very challenging deadlines set by the sales team. That is why we always have to prioritize. At this moment Android and Windows versions of Hideez Safe are publicly available and we are conducting alpha testing of the macOS version. The iOS application should be ready by March 2017 and we are now working on our open source strategy to make a Linux version of Hideez Safe available some time in 2017. Our Android team is currently redesigning the Android application to improve customer experience and make the device setup process easier. An updated Android application should be published on Google Play in the first quarter of 2017.

27

Server Solutions

My Hideez Firmware Updates Server Hideez Enterprise Server

Server Solutions enable our customers to perform a number of critical tasks: assign the owner of a Hideez Device, authenticate the customer to perform critical settings changes and securely update the firmware. 28

Server Solutions are also critical when the device is lost, as they allow to recall owner authentication or perform remote suspension of the device. HES provide a more sophisticated identity management framework to allow just-in-time provisioning, cross domain identity management, integration with directory services like Active Directory and premises access control using our dynamic RFID.

My Hideez Available to any Hideez customer My Hideez is the second interface after Hideez Safe which a customer encounters when setting up her Hideez Device. An account with My Hideez is required to launch Hideez Safe for the first time. My Hideez ID is a unique customer identifier within our ecosystem.

Assigning the Device Owner Possessing a HK without being authorized as its owner is useless. An intruder cannot read the passwords from the device because it won’t respond to an unauthorized Hideez Safe client application. An intruder also cannot use a stolen HK because it won’t operate unless the owner authorizes it. The authorization is performed using a unique device key generated by My Hideez when our factory requests device keys for the next batch of HK. Factory personnel is not involved in the process. When a new customer sets up her HK, My Hideez uses a cryptographic handshake to verify the device and generate a unique customer key and link it to the customer credentials in My Hideez.

29

Remote Device Management As explained above, there is no need for remote wiping of HK. The device is useless without owner authorization. However, there might be situations when Hideez Device is lost together with the Paired Device and the owner did not configure it safely. For this situation there is a Suspend My Device option in My Hideez. This option should not be confused with the Remove Hideez Key from My Account, which is a necessary step when transferring the device to a new owner. Suspend My Device sends a push notification to the customer’s My Hideez account. As soon as the push notification is received by the Paired Device and the compromised Hideez Device connects to it, — the compromised Hideez Device will be suspended until further notice.

Customer Certification and Limited Duration of Validity Remote device management via My Hideez requires a Paired Device to go online with HK being connected and functional in order for the suspension of the device to begin. While there is little sense in using HK without a Paired Device that is connected to the Internet, there might be situations when HK protects access to a local application. We are now working on enabling an additional layer of protection with personal SSL certificates. The idea of the certificate is that it might require renewals on a daily or even hourly basis. While the renewal is seamless if everything is ok, it will protect the customer in the situations described above.

30

Firmware Updates Server For security considerations, Hideez Firmware Updates Server is physically separated from the server running My Hideez. Updates are performed using an encrypted Internet connection and cryptographically signed update packages. Each firmware update is digitally signed with the firmware updates key that is used to verify the authenticity of each firmware update. Please scroll back to Over the Air Updating section for details on firmware updates.

Hideez Enterprise Server HES is an extended version of My Hideez that can be deployed within the customer’s digital perimeter in order to provide the customer with exclusive control over her operations.

Managed Credentials Vault We can modify our Password Manager to work one way. This means HES can push credentials to a HK owned by an employee, but an employee cannot extract these credentials and use them separately. This is particularly handy in cases of short-term contractors, interns and other non-permanent employees who are a high risk group in terms of cybersecurity.

Thin Identity Provisioning HES can be integrated with corporate SSO / LDAP / OAuth solutions to provide a single point of entry experience. Integration with an Active Directory or other directory services enables use cases like creating special user groups with varying privileges and limitations.

31

Paired with Managed Credentials Vault, HES makes HK a secure solution for onboarding of new hires. Employee certificates with short renewal periods help mitigating the risks of lost Hideez Devices.

Geofencing and Location Based Security Policies Proximity adds a new dimension to location based security. Primarily it is impressively effective against insider risks. Just imagine: previously You could protect Your employees only within Your digital and physical perimeter, in the best cases — within different floors or buildings. Now it is possible to understand a person’s position within a room and adjust security policies respectively. We are very excited about these new opportunities and are looking for partners in location based security solutions to jointly build great new products.

32

Afterword

Hideez team is ready for experiments. We built two sophisticated products in less than three years, gained experience, expertise and picked up a few bruises along the way. Cybersecurity and authentication are becoming household topics everywhere, and unfortunately Ukraine is not an exception.

33

Bluetooth as a wireless standard was underestimated by the cybersecurity community for a long time. It was natural for the security gurus of the early 2000s to distrust everything wireless. But it is the dawn of 2017 and the times have changed. Bluetooth 5 gives a lot of hope and solid ground in terms of energy consumption, reliability, smoothless handover, convergence with other wireless standards and, last but not least, encryption and security. As soon as Hideez will push past 100,000 units sold we will unlock totally different production, technology and marketing opportunities. We understand that. We also realize that most startups in our area met their slow death in this thin air of ‘below 100k’. Time will tell whether we will be the Edmund Hillary and Tenzing Norgay of wireless authentication.

34