Proper security means making sure that the user (or the IT team of a company or agency) has complete control over every aspect of the hardware, software, and services: being able to verify the schematics, control boot security and disk encryption, verify the source code, and control the encryption and software of any services that run on the device. Purism recognized this before building its products and designed all of its hardware, software, and services with this requirement in mind.
Manufacturing the Liberty Phone in the United States of America showcases a best practice in hardware supply chain manufacturing. Production happens on US soil at the Purism facility, under Purism management and oversight, using known western distributors, with inventory, manufacturing, and assembly all done by Purism staff. Purism shares the schematics, releases all the source code, and ensures that the owner of the end device runs their own encryption by default, so the owner fully controls the keys of the end device. This is the gold standard Purism strives for in each product offering, and as we grow, more and more products will adhere to this hardware supply chain best practice.
Our article From Fab to Table: Liberty Phone Supply Chain Security goes into greater depth on hardware supply chain security beyond the country of origin.
Purism also offers the first and only USB security token made in the USA.
Purism has a number of strategies it uses to protect the firmware supply chain. The first strategy is to limit the overall threat by reducing the amount of proprietary firmware on our hardware as much as possible. We select the hardware components in our devices so that we can run them with free software drivers that anyone can audit. Like a dairy that only packages milk from antibiotic-free cows, we can avoid a lot of other audit worries by starting with a clean source. With Purism’s PureBoot, you can control your own keys and take advantage of our high security boot process (more below).
“Put all your eggs in one basket and then watch that basket.” — Andrew Carnegie
Many people take Carnegie’s advice to heart when it comes to security. They anchor almost all of their security with a single vendor, and the vendor is more than happy to oblige. Most infosec vendors seem incapable of designing security architectures that don’t put their products at the root of all trust. “Just give us your keys,” they say, “and we’ll take care of the rest.” Purism’s Security Self-Sufficiency article goes into greater depth on why Purism makes sure you control your keys.
Purism addresses supply chain threats by developing a secure OS, PureOS, a 100% free operating system that runs on the smartphones, PCs, and servers Purism manufactures. The advantages PureOS offers include the ability for anyone to audit the firmware and software to identify backdoors, malicious code, and security bugs.
One of the largest stories in recent history was the supply chain compromise of SolarWinds Orion, which allowed attackers to ship backdoored updates, carrying perfectly valid signatures, to customers. Once these updates were applied and the attackers were inside those networks, that access enabled a large-scale attack on government agencies and tech and security companies, perhaps one of the single largest attacks on US networks in history. These stories keep coming up.
If OS and app developers do not make their source code available for verification, the software limits your freedom and is malicious in that sense: it controls you. The Department of Homeland Security Science and Technology Directorate published a Study on Mobile Device Security that describes intrusive apps as "malicious" apps that enable the developer to conduct audio, video, and physical surveillance of Android and iOS end users by way of hardware such as the camera and microphone, plus sensors such as GPS, NFC, Bluetooth, and the accelerometer.
Purism has a great advantage over proprietary software vendors when it comes to protecting the software supply chain because we can offer a 100% free software operating system, PureOS, on our devices.
PureBoot is the high-security boot firmware we offer on our Librem devices. In combination with a Librem Key, PureBoot lets you detect tampering with the boot firmware itself and with your OS's kernel and other boot files, using keys that you control (not Purism nor any other vendor).
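The following is an added illustration of the tamper-detection idea described above; it is not PureBoot or Heads code and makes no claim about their internals. It hashes every file in a boot directory into a manifest and authenticates that manifest with a key only the owner holds, so an attacker who can replace the kernel cannot also rewrite the hash list. PureBoot authenticates its manifest with a GPG key kept on the Librem Key; here an HMAC-SHA256 with an owner-held key stands in for that signature (an assumption made to keep the example dependency-free), and the boot files and the "implant" are constructed sample data.

```python
"""Added example (not PureBoot/Heads code): detect tampering with boot files
by hashing them into a manifest that is authenticated with an owner-held key.
An HMAC stands in for the detached GPG signature a real system would use."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(boot_dir: str, owner_key: bytes) -> dict:
    """Hash every file under boot_dir and authenticate the resulting list."""
    entries = {}
    for root, _dirs, files in os.walk(boot_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries[os.path.relpath(path, boot_dir)] = sha256_file(path)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(owner_key, body, hashlib.sha256).hexdigest()
    return {"files": entries, "tag": tag}


def verify_boot(boot_dir: str, manifest: dict, owner_key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the boot files match.
    The manifest's authenticity is checked first: anyone who can edit the
    kernel can also edit an unauthenticated hash list, so it proves nothing."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(owner_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest signature invalid: do not trust the hash list"]
    problems = []
    for rel, digest in manifest["files"].items():
        path = os.path.join(boot_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    # Files on disk that the manifest never listed (e.g. an injected initrd).
    for root, _dirs, files in os.walk(boot_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), boot_dir)
            if rel not in manifest["files"]:
                problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Constructed scenario: a clean boot directory, then a swapped kernel,
    then an attacker who edits the manifest without the owner's key."""
    owner_key = b"owner-held-secret-kept-off-the-device"  # assumption
    with tempfile.TemporaryDirectory() as boot:
        with open(os.path.join(boot, "vmlinuz"), "wb") as f:
            f.write(b"kernel image bytes")
        with open(os.path.join(boot, "initrd.img"), "wb") as f:
            f.write(b"initramfs bytes")
        manifest = build_manifest(boot, owner_key)
        clean = verify_boot(boot, manifest, owner_key)
        # The attacker replaces the kernel with a backdoored one...
        with open(os.path.join(boot, "vmlinuz"), "wb") as f:
            f.write(b"kernel image bytes + implant")
        tampered = verify_boot(boot, manifest, owner_key)
        # ...and then tries to "fix" the hash list without the owner's key.
        forged = {"files": dict(manifest["files"]), "tag": manifest["tag"]}
        forged["files"]["vmlinuz"] = sha256_file(os.path.join(boot, "vmlinuz"))
        forged_result = verify_boot(boot, forged, owner_key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: the key the owner holds authenticates the manifest, and only then are the per-file hashes trusted. Swapping the HMAC for a detached signature verified against the owner's public key gives the same structure without a shared secret on the device.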
Our most famous hardware security feature is our hardware kill switches (HKS), a set of physical switches that disable the webcam and microphone, or WiFi, in hardware; on our phones we added a cellular switch as well as a lockdown mode. Placing a sticker over a webcam is a nice start, but with HKS you can be sure that your computer isn't spying on you, and you can conveniently enable the camera and microphone only when you need them.
Purism established a best-in-class anti-interdiction service, an add-on that we custom-tailor for each customer to add multiple levels of tamper detection to an order. With anti-interdiction in place, a customer can detect attempts to tamper with the package, the computer hardware, or the firmware during shipping. This service is a popular add-on, highlighting the importance of our efforts around security and user control.
The more doors you have, the more doors can be opened. At Purism we replace the stock BIOS/UEFI with coreboot or PureBoot, which often lets us and our customers avoid the critical security exploits that regularly affect the large (bloated) BIOS/UEFI firmware found on other companies' devices. One such example from 2017 still shows why our approach improves user security.
Purism addresses security by putting the user (or the IT team of a company, organization, or agency) in control of the device and the keys. Whoever controls the keys controls the device, and we want that control to be squarely in your hands and not in ours. This security policy is written into and enforced by our articles of incorporation, where we specifically state "The Corporation will prioritize privacy, security, and freedom for its customers." and "The Corporation will release encryption tools and services and will design these tools such that The Corporation will have no means to access users' encrypted data."
Model | Status | Lead Time
---|---|---
Librem Key (Made in USA) | In Stock ($59+) | 10 business days
Librem 5 | In Stock ($699+), 3GB/32GB | 10 business days
Librem 5 COMSEC Bundle | In Stock ($1299+), Qty 2, 3GB/32GB | 10 business days
Liberty Phone (Made in USA Electronics) | Backorder ($1,999+), 4GB/128GB | Estimated fulfillment early November
Librem 5 + SIMple (3 GB Data) | In Stock ($99/mo) | 10 business days
Librem 5 + SIMple Plus (5 GB Data) | In Stock ($129/mo) | 10 business days
Librem 5 + AweSIM (Unlimited Data) | In Stock ($169/mo) | 10 business days
Librem 11 | In Stock ($999+), 8GB/1TB | 10 business days
Librem 14 | Backorder ($1,370+) | Estimated fulfillment date pending
Librem Mini | Backorder ($799+) | Estimated fulfillment November
Librem Server | In Stock ($2,999+) | 45 business days