To offer proper security it is about making sure that the user (or IT team of a company or agency) has complete control of every aspect of the hardware, software, and services. This means being able to verify schematics, control the boot security and encryption, be able to verify source code, and also control the encryption and software for any services that run on the device. Purism knew this before building our products and therefore started with this security need in mind to build out all the hardware designs, software, and services.
Manufacturing the Liberty Phone in the United States of America showcases a best in hardware supply chain manufacturing. It is on US soil at the Purism facility, under Purism management and oversight, using known western distributors, and inventoried, manufactured, and assembled all by Purism staff. Purism shares the schematics, releases all the source code, and establishes that the owner of the end device is able to run their own encryption by default. Controlling the keys of the end device fully. This is the gold standard Purism strives for in each product offering and as we grow more and more products will adhere to this hardware supply chain best practice.
Additionally our From Fab to Table: Liberty Phone Supply Chain Security, goes into greater depth about hardware supply chain security that goes beyond the country of origin.
Purism also has the first and only USB Security Token to be Made in the USA.
Purism has a number of strategies it uses to protect the firmware supply chain. The first strategy is to limit the overall threat by reducing the amount of proprietary firmware on our hardware as much as possible. We select the hardware components in our devices so that we can run them with free software drivers that anyone can audit. Like a dairy that only packages milk from antibiotic-free cows, we can avoid a lot of other audit worries by starting with a clean source. With Purism’s PureBoot, you can control your own keys and take advantage of our high security boot process (more below).
“Put all your eggs in one basket and then watch that basket.” — Andrew Carnegie
Many people take Carnegie’s advice to heart when it comes to security. They anchor almost all of their security with a single vendor, and the vendor is more than happy to oblige. Most infosec vendors seem incapable of designing security architectures that don’t put their products at the root of all trust. “Just give us your keys,” they say, “and we’ll take care of the rest.” Purism’s Security Self-Sufficiency article goes into greater depth on why Purism makes sure you control your keys.
At Purism we are solving for threats associated with supply chain security by developing a secure OS, PureOS which is a 100% free operating system (OS) running on smartphones, PCs, and servers manufactured by Purism. The advantages PureOS offers includes the ability for anyone to audit the firmware and software to identify backdoors, malicious code, and security bugs.
One of the largest stories in recent history was the supply chain compromise of SolarWinds Orion which allowed attackers to ship malicious updates with backdoors to customers with perfectly valid signatures. Once these updates were applied and attackers were in these networks, this access allowed a large-scale attack of government agencies and tech and security companies, perhaps one of the single largest attacks of US networks in history. These stories keep coming up.
If the source code is not available to verify from OS and App Developers, it is malicious by limiting your rights to freedom. It controls you. The Department of Homeland Security Science and Technology published a Study on Mobile Device Security that describes intrusive apps as “Malicious” apps enabling the developer to conduct audio, video, and physical surveillance on Android and iOS end users by way of hardware such as the camera and microphone, plus sensors such as GPS, NFC Tags, Bluetooth, and the accelerometer.
Purism has a great advantage over proprietary software vendors when it comes to protecting the software supply chain because we can offer a 100% free software operating system, PureOS, on our devices.
PureBoot is our high-security boot firmware we offer on our Librem devices. In combination with a Librem Key, PureBoot allows you to detect tampering in the boot firmware itself, and in your OS’s kernel and other boot files with your own encryption keys (not Purism nor any other vendor control).
Our most famous hardware security feature is our hardware kill switches (HKS), a set of physical switches that disables the webcam and microphone, or WiFi, in hardware; and on our phones we added cellular as well as lockdown mode. Placing a sticker over a webcam is a nice start, but with HKS you can be sure that your computer isn’t spying on you and can conveniently enable the camera and microphone only when you need it.
Purism established the best-in-class anti-interdiction service, an add-on service that we custom-tailor for each customer to add multiple levels of tamper detection to an order. With anti-interdiction in place, a customer can detect any attempt to tamper with the package, the computer hardware, or the firmware during shipping. This service is a remarkably popular add-on request for customers highlighting the importance of our efforts around security and user control over their security.
The more doors you have the more doors can be opened, at Purism we remove the BIOS/UEFI and either install coreboot or PureBoot, which oftentimes allows us and our customers the pleasurable experience of avoiding critical security exploits that oftentimes occurs with the large (aka bloated) BIOS/UEFI found on other companies’ devices. One such example from 2017 still resonates today why our approach improves user security.
Purism addresses security by putting the user (or IT team of a company, organization, or agency) in control of the device and the keys. Whomever controls the keys controls the device, and we want that control to be squarely in your hands and not in ours. This security policy is written and enforced by our articles of incorporation where we specifically state “The Corporation will prioritize privacy, security, and freedom for its customers.” and “The Corporation will release encryption tools and services and will design these tools such that The Corporation will have no means to access users’ encrypted data.”
Model | Status | Lead Time | ||
---|---|---|---|---|
Librem Key (Made in USA) | In Stock ($59+) | 10 business days | ||
Librem 5 | In Stock ($699+) 3GB/32GB | 10 business days | ||
Librem 5 COMSEC Bundle | In Stock ($1299+) Qty 2; 3GB/32GB | 10 business days | ||
Liberty Phone (Made in USA Electronics) | Backorder ($1,999+) 4GB/128GB | Estimated fulfillment February | ||
Librem 5 + SIMple (3 GB Data) | In Stock ($99/mo) | 10 business days | ||
Librem 5 + SIMple Plus (5 GB Data) | In Stock ($129/mo) | 10 business days | ||
Librem 5 + AweSIM (Unlimited Data) | In Stock ($169/mo) | 10 business days | ||
Librem 11 | In Stock ($999+) 8GB/1TB | 10 business days | ||
Librem 14 | Backorder ($1,370+) | Estimated fulfillment December | ||
Librem Mini | Backorder ($799+) | 10 business days | ||
Librem Server | In Stock ($2,999+) | 45 business days |