Of trust and obfuscation


[image above from http://chloescheffe.github.io/trust.html%5D

Last Friday, 19th June 2020, I was part of a group of four from the local open source hacker community to tear down the proposed TraceTogether token. This was by invitation extended to us by Dr Vivian Balakrishnan earlier in the week. Here’s an email I shared with my Red Hat colleagues. I’ll be adding additional information – photos, videos of the tear down next.

Subject: Hardware tear down of proposed TraceTogether token

[warning, longish email]

I would like to share this link [0] (you can view it incognito/private browser mode so fb can’t track you) on a hardware tear down of the proposed TraceTogether token that was held yesterday, Friday 19 June, at the GovTech offices. Day 1 of Phase 2 opening up was a good day for me :-).

The invitation to participate was made by Dr Vivian Balakrishnan, minister in charge of Smart Nation and Foreign Minister, who reached out to myself and three others – Andrew “Bunnie” Huang [1], Sean Cross [2] and Roland Turner [3].

Also in attendance was Dr Janil Puthucheary, minister of state in the Smart Nation project, education and communications & information ministries, and Chan Cheow Hoe, GovTech’s CDTO.

The session was held in a large pantry/presentation area in GovTech’s offices at Mapletree Business Park.

The four of us were assigned a table each with some basic tools. We were separated by about 2m each, arranged in a square.

After the initial chats, we got down to the business of cracking open the prototypes of the token. Each of us were given one token to pull apart. What fun! The prototypes comply with some very stringent design rules as part of the specs that GovTech had stated in the public tender. Some constraints: cost to be below $20 each, long lasting (9-12 months with one removable battery), lightweight. Those were what I could discern from the prototype that I was presented with. No, I did not see the actual tender specs.

The tender is still on-going and closes end of June. I am told that there are probably 20+ companies looking to bid.

Bunnie is a world class hardware hacker. Bunnie, being Bunnie, brought along a microscope and an oscilloscope. He and Sean are behind the 100% open source Novena laptop, hacking the Xbox etc. He is currently working on an entirely secure and open source mobile phone built ground up from the CPU on [4]. He is collaborating with Edward Snowden on that :-).

Back to the token. We were not allowed to desolder the device or even scrape obfuscation paint that was put on some the chips. These chips were on a 2 layer 1.5cm square printed circuit board with a battery backed real time clock and a large 3V external button battery to power the token.

The obfucation of some of the chips was deliberate because the tender has not closed.

In an earlier blog post [5], I wrote that whatever gets made for the TT token, it must be safe, secure, privacy respecting and, also that it be recyclable. We don’t want yet another doodad that then gets chucked into the garbage.

I also wrote that the hardware and software of the token should be open sourced so that we can collectively increase the trust level for all.

Vivian requested all of us not to publish anything about the tear down until he mentions it first. Now that he has been done so, I am planning on writing things up as needed. This email is a start.

Just to be clear, no one signed any NDA and none of us are tied under the Official Secrets Act. There is trust on both sides and I do intend to honour it. Things can go 100% public after the close of the tender as per their request.

Issues we discussed at the tear down:
a) Publishing the firmware on an open source license – Vivian wants to, but the GovTech team is resisting citing “national security” as a reason. The four of us called it BS, and we said it with more polish during the tear down. This is the same GovTech that I helped open source TraceTogether as OpenTrace back in April. So, duh!!
b) Publishing the hardware design on a CERN Open Hardware License – did not conclude, still a possibility.
c) E-waste: mentioned briefly, but not with any depth.
d) Running a hackathon – GovTech is keen to run one in a month or so, where participants can replace what is running in the token with anything else the participants want to and still achieve the objectives of the token’s use case. And if the teams do that successfully and publish the code as open source code, GovTech might consider adopting it. There are some “challenges” the team at GovTech feels (IMHO, shortsightedly) about open sourcing the code, but since we have a strong advocate in Vivian, it might be something that could be overcome. Looking foward to a hackathon to prove the obvious advantages of being open source.

I am very pleased that Red Hat was part of this tear down, although Vivian did not mention it in his post – at least the photo of me that he included says Red Hat :-). There were lots of photos and videos that GovTech took of the tear down and I have requested them to share it.

The entire session was originally planned for 1 hr, but went on for about 2 hrs.

Thanks for reading this far and I should answer the two burning questions you have:
1) Would it be made mandatory for us to use this token. The answer is still NO. You are encouraged to use it, but there is, currently, no intention to mandate it.
2) Is it privacy preserving? My tentative answer is YES. I need to see more. It does not seem to be any more that what TraceTogether captures.

Harish

[0] https://www.facebook.com/Vivian.Balakrishnan.Sg/posts/10156902734466207
[1] https://en.wikipedia.org/wiki/Andrew_Huang_(hacker)
[2] https://xobs.io/
[3] https://rolandturner.com/
[4] https://www.bunniestudios.com/blog/?cat=67
[5] https://harishpillay.wordpress.com/2020/06/06/looking-forward-to-an-open-sourced-wearable-contact-tracing-device/

I will share out photos/videos taken during the tear down once I get the go ahead from GovTech.

I am glad to see Sean post his analysis.

22 June 2020: Added Roland’s post.

23 June 2020: Added Bunnie’s post.