Safor: a realistic 2FA device for SAFE network launcher security

So I had an idea for a device that would handle logging in to the SAFE network and encrypting your files before upload, in some cases also decrypting before sending to the app.
It would stop keylogging attempts as well as keep the data atlas out of the host computer’s memory.
Because communication from the launcher to the SAFE network is encrypted, even on a compromised network, you couldn’t find out the location of your data atlas, nor the decryption key for it.
The only remaining security threat (once Maidsafe realizes disabling the launcher to app encryption was a terrible idea) with the use of this system (as far as I can reason it) would be an attacker compromising the keys of the apps that are running on the host computer and impersonating them. But this would be limited to the apps you authorize on the device, and any privacy loss would be limited to that app you authenticated. Other data would still be secure.

For simplicity’s sake, I will call it the Safor for now (SAFE + Trezor)

The Safor operates wildly differently from a Trezor though, so the name may not be apt.
The Safor would feature a touchscreen, a USB input operating in device mode, a wi-fi adapter/ethernet adapter/both, an ARM core (or two), some flash for storage of drivers/helper applications, and some kind of secure storage for a pin code for emergency firmware updates when they can’t be done over SAFE. The secure chip might also contain one, both or part of one or part of both of your credentials, but would default to a “dumb” operating mode where the Safor doesn’t know who has used it.
The Safor would present itself as both a USB NIC (network adapter) and a USB thumbdrive to the operating system of the host computer. It would act as a bridge going from computer to Safor to your network to SAFE. It could even use a different network from the host computer if you paired it to a phone’s wi-fi for instance.

The Safor’s mode of operation would be simple, you would connect it to a USB port on the computer you want to access the SAFE network on, configure the Safor’s networking options, enter your credentials on the Safor’s touchscreen and you’re off to the races. Any apps you run on the host computer would now present an authentication request on the Safor’s screen, which you would accept using the touch screen on the Safor.

I think this device could work by basically overriding the api.safenet API endpoint to be the Safor’s IP address, for example something like This would require no extra programming on the app developers’ side.
Just as long as they use the API endpoint api.safenet, rather than hardcoding in localhost, they’ll be fine. Even if they hardcode localhost, it could be mitigated with a simple app redirecting traffic from the localhost to the Safor and back again.
Alternatively, the official launcher could be updated to support doing this redirect, I doubt it would be a big change for the developers.
For firmware updates, the Safor could look on the SAFE network for signed updated firmware and install it when the user gives permission.

So for understanding’s sake, here is the full list of steps required for a first time user of Safor when a wi-fi network is available.

  1. Start host computer.
  2. Connect Safor to computer’s USB port
  3. Enter wi-fi details on Safor touchscreen
  4. Enter SAFE login details on Safor touchscreen
  5. (optional, if completed, go to step 8) Start routing application off Safor USB drive that takes everything sent to localhost:8100 as well as api.safenet:8100 and forwards it to the Safor’s IP
  6. Download and start the SAFE browser or other application on the host computer
  7. Tell the SAFE browser or app to connect to the Safor instead of the launcher
  8. Enjoy the SAFE network

I believe this is the first feasible (if expensive) method to thwart keylogging and snagging of the data atlas and the keys within that has been presented.

To reiterate what I alluded to in the beginning though, is that this device would be very much useless unless Maidsafe re-enables the encryption between the launcher and the apps. I suppose it would stop a complete takeover of your account, but any keys the applications use for signing would be easily compromised by anyone with a packet inspector.
At least with the encryption, you need to have access to memory scanning AND know how the keys are stored and whether or not they’re encrypted in memory in any way, which would be different for every application. This makes it much more difficult to compromise keys. With some effort to support the Safor from the core devs’ side though, would make it so that the external device could do all signing, verification, encryption and decryption if the app developer chose to support it.

I apologize if this post is a bit unclear or hard to read, please feel free to ask questions, but keep in mind that I’m no security expert nor am I a very good programmer or electronics designer (yet). I will however do my best to answer any questions you have. :grin:


From my understanding, the SAFE launcher interface is designed to only ever be used over the loopback interface. Since (as far as I know) one’s computer would pretty much already be compromised if hackers got to the point of being able to sniff packets off the loopback interface, encrypting the traffic is superfluous. Safor is a different matter, though, since (as described) it would require using the launcher API over a real network interface and all of the risks that come with that (and the requirement for encryption). However, I don’t think that is the best approach: if the user accidentally launches a SAFE app when the Safor isn’t connected or isn’t configured correctly, the app will attempt to connect to something on the internet instead and someone could possibly set up a server which pretends to be a Safor and the app won’t have any easy way to tell the difference besides the fact that the fake Safor wouldn’t have any of the user’s data (unless the app is designed in such a way that it sends some of it before the user realizes what is going on). Depending on how apps are designed this might not be a very dangerous vulnerability, but it’s still worrying nonetheless.

So, I would suggest not exposing a NIC interface and instead just have a “proxy launcher” like the one that was mentioned for handling redirection make requests directly to the Safor over a specialized USB protocol. Doing this avoids the possibility of SAFE launcher traffic spilling onto the network and it has the added bonus of not requiring the Safor to handle any non-SAFE network traffic, which means that it doesn’t have to be quite as complex of a device.

The other features of the device are really cool, though: especially being able to mount one’s SAFE drive like an ordinary flash drive.

1 Like