As the year draws to a close, it’s natural to reflect on the past 12 months. 2024 marked the second full year of operations for Tillitis, and while it had its challenges, it was also a year of progress and learning.
Let’s start by picking up from where we left off in 2023. Late that year, we launched our bug bounty program. We received several reports, one of which identified a potential vulnerability where a memory erase instruction was optimized away by the compiler. While this firmware issue was ultimately deemed a relatively minor bug (as no sensitive data was leaked), we updated the firmware and released a new version. You can read more about the discovery and resolution in our blog post.
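The compiler behaviour behind that report is worth seeing in code. The following is an added example, not Tillitis firmware or code from the bug report: a memory erase written as a plain `memset` on a buffer that is never read again is a dead store, which an optimising compiler is allowed to remove, whereas writing through a `volatile` pointer forces every store to be emitted. The function names here are illustrative, and the 32-byte "secret" is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not Tillitis firmware). Function names are illustrative. */

/* Pattern that can be optimised away: the local buffer is erased with memset
 * and then goes out of scope without being read again. At -O2 most compilers
 * treat the memset as a dead store and drop it, leaving the key material on
 * the stack. Inspect the generated assembly to observe this; it cannot be
 * caught by a unit test, because reading the buffer afterwards is exactly
 * what keeps the store alive. */
uint32_t use_key_then_erase_naive(const uint8_t *key, size_t len) {
    uint8_t local[32];
    uint32_t acc = 0;
    if (len > sizeof local) len = sizeof local;
    memcpy(local, key, len);
    for (size_t i = 0; i < len; i++) acc = acc * 31 + local[i]; /* toy "use" */
    memset(local, 0, sizeof local); /* dead store: may be removed */
    return acc;
}

/* Erase that survives optimisation: each byte is written through a volatile
 * pointer, so the compiler must emit every store even if nothing reads the
 * buffer again. */
void erase_secure(uint8_t *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Constant-shape check that every byte is zero; returns 1 if so. */
int is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Demonstration: fill a constructed 32-byte secret, use it, erase it with the
 * volatile loop, and report whether the erase actually took effect. */
int demo_secure_erase(void) {
    uint8_t secret[32];
    for (size_t i = 0; i < sizeof secret; i++) secret[i] = (uint8_t)(i + 1);
    uint32_t digest = use_key_then_erase_naive(secret, sizeof secret);
    (void)digest;
    erase_secure(secret, sizeof secret);
    return is_all_zero(secret, sizeof secret);
}
```

Where the platform provides them, `explicit_bzero` (glibc, OpenBSD) or C11 Annex K `memset_s` are the usual replacements for the volatile loop; on a bare-metal target like the TKey firmware, the volatile write loop has the advantage of depending on nothing but the compiler honouring `volatile`. Either way, the check a reviewer wants is the same: look at the emitted object code for the erase and confirm the stores are still there.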
The same researcher also reported a potential RAM disclosure issue in device applications. This report required extensive investigation and testing to fully understand and resolve the problem. We documented the findings in our security bulletin 240115-1, and we also published a security advisory with CVE ID CVE-2024-32482. In April, we released updated versions of the applications affected by the RAM disclosure bug: tkey-ssh-agent, tkey-sign-cli, and tkey-verification. A big thanks to Sergei of Hexplot for reporting these issues and collaborating with us throughout the resolution process.
A Python module for communicating with the TKey was created during the year with help from our friend kchr.
In December, we created a proof of concept for a TKey SSH CA. SSH certificates can simplify key distribution and manage server access rights for SSH users, making them especially useful for organisations.
We also expanded our reach. In March, we opened our web shop to customers in Australia and New Zealand.
In September, our colleague mc presented our TKey verification feature at the community day of sec-t. It was a great event, and we hope to return in 2025 to continue sharing and learning with the security researcher community.
During the year we also participated at Elektronikmässan in Stockholm, showcasing our TKey SSH Agent and how it effectively provides MFA for SSH. We also sponsored Securityfest and Advent of Code.
In October, we decided to change the license for our source code from GPLv2-only to 2-Clause BSD. This decision was driven by a desire to make our design and code more accessible to individuals and organisations. The change particularly benefits our software libraries, which can now be used more freely without impacting linked code.
There were also community activities during the year. We are aware of, for example, rusTkey (“rusty key”), a Rust library for Tillitis TKey application development; a TKey application that provides Nostr identity functionality; and support for the TKey being added by the TinyGo team, which at the time of writing is available in their development branch. A full list of the community projects we are aware of can be found in the developer handbook.
Further, the TKey SSH Agent has been packaged in Debian Unstable and Alpine Edge.
The community is growing, and we have had the pleasure of meeting many new people and engaging in many interesting discussions during the year, which has influenced our work. We hope to show this in new releases during 2025.
Wishing you all a relaxing holiday season. See you in 2025!
**The Tillitis Team**