anelok: first prototype design

Werner Almesberger werner at almesberger.net
Wed Oct 2 07:31:08 EDT 2013


Felix wrote:
> My only doubt is about powering all through a resistante
> when you put the button in off state, what's the result? current limitation
> or lower voltage?

One purpose of the power switch (SW2) is to prevent a device with
compromised or defective firmware from doing anything without the
user knowing. 

Unwanted activities would mainly involve RF, with the assumption
that there is a "secure perimeter" where you're basically safe
(your home, office, underground bunker, the desert, etc.), and
the potentially hostile rest of the world.

Undesired activities would include:

- broadcasting secrets,
- alerting listeners of your presence,
- profiling (e.g., by recording RF signals ... think WLAN
  geolocation and such. The transceiver could also monitor the
  activity of your 2.4 GHz networks even though it could only
  decode their data if they're IEEE 802.15.4.)

A compromised device could do such things actively, but also a
mere bug could make the device do things that could be exploited.
All this is of course ineffective against someone modifying your
hardware. But that's a different class of attacks.

The idea behind R9 is that you can only draw a few uA or your
supply will collapse down to useless voltage levels. This limit
should be high enough to survive in a deep sleep mode but too low
to do anything but sleep.

Especially RF should be impossible to run if power only comes
through R9. This small standby supply is needed to allow the
device to run its real-time clock even when switched off.

It also has the silo capacitor C15 (inrush current-limited
through R5), but that is designed to keep it alive only for a few
seconds, e.g., when swapping batteries, not for what may be days
when switched off.

- Werner



More information about the discussion mailing list


interactive