We’ve been asked several times to highlight how we protect against the kind of in-transit modifying that have been performed on other products in the past.

Many of our security features are good mitigation to this kind of interference in a general sense. The security mesh, for example, prevents things such as physical replacement of SPI flash (where BIOS is stored) or any other component for that matter. The one component that could theoretically be replaced to get around the tamper protection is the secure microcontroller itself, so we’ve designed the following:

• During manufacturing the ORWL unit is tasked with generating a random 4-digit PIN and a separate ORWL ID. When we ship, we will ship the PIN and the ORWL ID in a PIN mailer, separate from the ORWL unit.
• When you receive the ORWL, plug it in, and turn it on, the first thing you have to do is enter your PIN from the mailer to indicate you are the correct recipient. The ORWL unit will respond to the correct PIN by displaying it’s ID. The owner will verify it matches the ORWL ID in the PIN mailer.

In this way, if the unit is intercepted mid-shipment, it cannot be replaced with a dummy unit that can emulate the same behavior as the attacker will not know either the PIN or the ORWL ID. Further, the keyfob is still unpaired at this point. The pairing mechanism makes use of proper banking encryption running in a JavaCard OS on the keyfob (from G & D). The pairing applet must be a signed genuine app from Design SHIFT in order for the pairing process to proceed. So replacing a keyfob during shipment will also not create an opening.