
Tomu, a tiny ARM microprocessor which fits in your USB port - ris
https://tomu.im/
======
kybernetikos
I was amazed to discover a few years back that my wifi SD card also had a full
ARM system on it that you could get access to, and if you powered it with
batteries it all worked stand alone.

------
squarefoot
The mcu used has a lot more ports available but size poses some limits,
however an IR LED+photodiode/transistor could be a nice viable addon, so that
it could be used as a bridge to any circuit implementing IR serial
communications, or allow communicating with it when it's plugged in a USB
supply only port.

------
pierd
Is there a USB-C version?

~~~
Willamin
It defeats part of the purpose of being an "always in your computer" device,
but you could always get a USBA female to USBC male adapter (similar to this
[https://images-eu.ssl-images-amazon.com/images/I/41gXYyobsRL...](https://images-eu.ssl-images-amazon.com/images/I/41gXYyobsRL._SL500_AC_SS350_.jpg))

------
sixothree
My eyes.

------
itomato
They can also run Commodore 64 BASIC. Sadly, the ARM part only has 8K RAM.

[https://www.pagetable.com/?p=956](https://www.pagetable.com/?p=956)

~~~
dtornabene
true, but the next generation has I believe 64k (or more) of RAM.

------
microtherion
Having bought a number of maker projects where the PCB is designed to plug
into the USB port, like this one, I find that the mechanics generally don't
work all that reliably. Not sure about the exact cause, maybe manufacturing
tolerances on PCBs are not tight enough.

~~~
sannee
This looks like it's supported by a 3D printed enclosure. Otherwise I agree -
you need >2.0mm thick PCB to prevent falling out and these are not offered by
the usual cheap low-volume PCB manufacturers.

~~~
mithro
If you buy the Tomus from CrowdSupply
([https://www.crowdsupply.com/sutajio-kosagi/tomu](https://www.crowdsupply.com/sutajio-kosagi/tomu))
it comes with an injection molded case designed by Sean 'xobs' Cross (who
actually ran the campaign).

Doing plastics is well outside my skill set, so it was awesome to see him do
that! xobs posted about the case here ->
[https://www.crowdsupply.com/sutajio-kosagi/tomu/updates/fina...](https://www.crowdsupply.com/sutajio-kosagi/tomu/updates/final-week-of-the-campaign-plastics-and-bootloaders)

------
bArray
I can recommend the DigiSpark as a cheaper, slower, alternative that works
with the Arduino IDE [1]. Somebody could easily get it into a smaller form
factor.

I've bought some of the official versions in their KickStarter and whenever I
buy through some company/research funding - but can also recommend the cheaper
Chinese implementations to be just as good for projects.

[1] [http://digistump.com/products/1](http://digistump.com/products/1)

~~~
craftyguy
That doesn't fit entirely within the USB port like the Tomu, and it's out of
stock (with no eta).

~~~
bArray
>That doesn't fit entirely within the USB port like the Tomu,

No, but it would be possible to get something more low profile with some work.
For most projects I would imagine it's low profile "enough".

For a practical joke (because I'm cool/evil), I plugged one of these devices
into the back of somebody's desktop PC and it would occasionally output a
random character (either G, H, J or K). I thought the same would be amusing
for mouse control too.

You can get it to ultra-low power states too if you replace the power drop
down (which consumes about 10mA from memory) and build a low power monitoring
device.

>and it's out of stock (with no eta).

That's a shame. Erik is currently working on a 3D printer, it's likely this
takes up most of his time now [1].

The clones are readily available though [2].

[1] [https://www.kickstarter.com/projects/robotic-industries/buil...](https://www.kickstarter.com/projects/robotic-industries/buildone-99-3d-printer-w-wifi-and-auto-bed-levelin/description)

[2]
[https://www.banggood.com/search/digispark.html?sbc=1](https://www.banggood.com/search/digispark.html?sbc=1)

------
0xb100db1ade
would it be difficult/possible to use this as a smart card with the proper
code?

~~~
sowbug
GnuK ([http://www.fsij.org/doc-gnuk/](http://www.fsij.org/doc-gnuk/))
implements an OpenGPG Smart Card. Unfortunately, it targets STM32 chips with
128KB flash and 20KB DRAM, and the EFM32HG309 in the Tomu is only 64KB/8KB. I
don't know how much work it would be to squeeze the code into the Tomu.

~~~
opencl
You should be able to use other chips in the EFM32 family as a drop in
replacement, obviously requires soldering your own board. Seem to be available
with up to 128K flash and 16K RAM.

Of course the GnuK site lists some STM32 boards designed specifically to run
GnuK. Or if you don't care about open hardware you can buy a $2 STLink clone
on aliexpress and flash GnuK on it.

~~~
mithro
Sadly, I don't think there is a bigger EFM32 which has the same footprint but
maybe they have released new parts since I last looked.

IIRC GnuK uses the chopstx library which has already been ported (see
[https://github.com/im-tomu/chopstx](https://github.com/im-tomu/chopstx)). Not
sure what else would need to be done?

------
a-ve
Speaking of processors on a USB stick, is there any cheaper alternative to the
USB Armory? :
[https://inversepath.com/usbarmory](https://inversepath.com/usbarmory)

~~~
woodrowbarlow
you can get 10 tomu devices for less than the price of a single usb armory.

------
askvictor
Hold on - doesn't having this live permanently in the USB port reduce the
security possible with a 2FA device? If the user has to get the key from their
pocket and plug it in, it will at least prevent an attacker from accessing the
user's account in a remote-desktop scenario. Certainly the requirement to
press the button will mitigate this risk to a degree, but might there be
exploits that can trigger this button-press event using a carefully crafted
USB signal?

I understand the security vs usability thing, just beware of the risks of
something like this (perhaps bluetooth-type keys like this are more usable as
you don't need to bother plugging them in, assuming bluetooth decides to play
nicely)

~~~
qop
Don't you think they'd have thought that through?

I admire your diligent concern, but I thought the same thing for a split
second and dismissed it.

I can't imagine even a corporate churn machine with the most reckless abandon
designing a device like this and missing the most basic obvious attack vector.

Well, anyways....

~~~
gh02t
It might be possible if you find a hardware or software bug in the USB
interface on the chip, but the Yubikey uses a chip designed specifically for
security applications. Those sorts of chips are designed and tested explicitly
for security applications and are tested for all sorts of attacks and
exploits, both physical and in software. I doubt it's even physically possible
to craft a USB packet that is able to interfere with the ADC on the chip
enough to look like a touch event, but even if it was it'd be exceedingly
difficult due to the nature of how USB signaling works. You don't have much
direct control at the electrical level of what actually goes down the wire.

------
jacob019
also great for espionage

~~~
ggm
well.. I'd probably disable the flashing LEDs. But, that aside, I too thought
"oh cool... a complete ARM system in my USB.. what could _possibly_ go wrong
here" But, the other side of this is: this is precisely what every closed-box
USB device I plug into my USB potentially IS. This is just the overt "hi I'm
an awesome tiny computer" state we're actually living in, all the time

TL;DR _how do we know we aren't exposed to these devices all the time?_

~~~
MrMorden
Every keyboard has an MCU. They used to be 8051s, but now ARM (or PIC or AVR)
is more likely.

~~~
ggm
Each time I do the OSX "need to reboot" thing and it sits at the equivalent of
BIOS blowing driver updates for things like this, I think "yea, I hate BIOS,
but at least I get told which devices are being re-coded" - with OSX, it's a
bit more opaque.

"trust us"

~~~
TrainsParent
echo "Now we're going to upgrade your storage capacity, please wait."

rm -rf /

Don't trust the status messages; they could be manipulated to anything, in
practice. Counter-practice; I mean.

------
utopcell
Neat little device, looks like a Yubikey clone. One could get a similar device
by hacking a Logitech unifying receiver, which contains a ..16MHz 8051 clone
in it, and a radio to spare.

~~~
dtornabene
That's ultimately the intent, to build a Yubikey-like security key, with
everything open down through the firmware to the details of the SoC

~~~
askvictor
One key (pardon the pun) requirement of a 2FA key is that it can't be cloned -
how would this be prevented? Can the microprocessor be locked to prevent
reading its flash memory?

~~~
sametmax
Genuine question: if you can't clone your 2FA, how do you make spares like a
house key? If there is a way to get a spare, what's the way to deal with key
loss or shared access?

~~~
dspillett
Essentially you have to configure the account/device you are authenticating
with to accept multiple keys permanently (so you can have spares) or
temporarily (replacing a key by registering a new one then revoking the old).

In the case of key loss on a properly secure service registering a new key
could be problematical if you don't have any other key that is still
appropriately registered - you might be permanently locked out unless there is
an admin function who has a key registered so can do it for you.

Look at multi-key options for encrypted filesystems for one way that this can
work. Often the filesystem or block device has a symmetric key that is in turn
encrypted by each of the keys that you wish to be able to open it. It is the
same symmetric key every time, though you can't unlock my copy of it with your
key nor can I unlock yours. Once unlocked we could both add a third user by
encrypting the base key with their public key (PKI is not required, but is not
uncommon).
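
The multi-key scheme described in the comment above, as an added example that is not part of the thread: one random master key is stored once per user, each copy wrapped under that user's own secret. It is stdlib-only, so a PBKDF2-derived one-time pad plus HMAC stands in for a real key-wrap such as AES-KW; the `KeySlots` class and all names are hypothetical, and it uses per-user secrets rather than the public keys the comment also mentions.

```python
import hashlib, hmac, os

def _derive(secret, salt):
    # 64 bytes from PBKDF2: 32-byte one-time pad + 32-byte MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def wrap(master, secret):
    """Encrypt the 32-byte master key under one user's secret."""
    salt = os.urandom(16)          # fresh per slot, so the pad is never reused
    pad, mac_key = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(master, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(slot, secret):
    """Return the master key, or None if the secret does not fit this slot."""
    pad, mac_key = _derive(secret, slot["salt"])
    want = hmac.new(mac_key, slot["salt"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["ct"], pad))

class KeySlots:
    """Header of a volume: one wrapped copy of the same master key per user."""
    def __init__(self, user, secret):
        self.slots = {user: wrap(os.urandom(32), secret)}

    def unlock(self, user, secret):
        slot = self.slots.get(user)
        return unwrap(slot, secret) if slot else None

    def enroll(self, via_user, via_secret, new_user, new_secret):
        # Any current key holder can add another: unlock, then re-wrap.
        master = self.unlock(via_user, via_secret)
        if master is None:
            return False
        self.slots[new_user] = wrap(master, new_secret)
        return True

    def revoke(self, user):
        # Refuse to drop the last slot: that would lock everyone out.
        if user not in self.slots or len(self.slots) == 1:
            return False
        del self.slots[user]
        return True
```

Revoking a slot does not change the master key, so anyone who unlocked it earlier and kept a copy still has it; only re-encrypting under a new master key removes that access.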

~~~
sametmax
Ok, so if you want 9 keys (3 persons in your family have access, have one
local spare, and one off site), and 4 services, you need to do 36
registrations of keys?

Is there a standard to automate that ?

~~~
dspillett
You don't need one key per service, so that is as little as 5 keys (3 for
active users plus the on-site and off-site spares).

You may choose to have more than one key per person, to reduce the amount of
re-registering needed if one key is lost, though remember that this is the
second factor so you also already have passwords that vary by service (and if
you give people multiple keys they will most likely carry them together to
lose them all at the same time rather than individually anyway).

