Preventing shipment interception, providing hardware integrity verification

I was thinking the same thing. After watching Jacob Appelbaum's talks this seems very important. I got my Librem 15 today and there was no seal whatsoever… concerning…

1 Like

We have tested an interdiction prevention process. That process is eerily similar to cat’s proposal.

  1. We uniquely seal the surrounding bag and/or box.
  2. We photograph that unique seal.
  3. We post that unique seal to the user’s account and/or encrypted email.

We have tested that to find out both cost and process, and hope to announce that offering soon.

9 Likes

What can I say, great minds think alike I suppose? :wink:

I imagine this wouldn’t be something in place by the time my already ordered Rev 15 ships, would it?

2 Likes

I am eager to see more about this box sealing/interdiction prevention process. This is probably the only thing preventing me from buying a Librem laptop.

2 Likes

Having recently watched Jacob Appelbaum's various presentations on YouTube, this is extremely important to me too.

Please keep us updated, Todd!

2 Likes

This video shows that the CIA has been known to take packages of electronics after they're shipped, plant malware on the device inside, and then forward the package on to you. (30:35 of the video explains this process.)

How can Purism prevent this? What packaging can make this method of attack foolproof to detect?

3 Likes

What the fuck, that is crazy.
Hell.
We're gonna have to ship in destroy-contents-if-opened-before-date boxes…

1 Like

I’m thinking of holographic seal tapes for the future (and maybe there could be some sort of holographic tape that changes if it gets attacked by a hair dryer?), in addition to having pictures of the motherboard taken before shipment… Other ideas?

4 Likes
I’m thinking of holographic seal tapes for the future (and maybe there could be some sort of holographic tape that changes if it gets attacked by a hair dryer?), in addition to having pictures of the motherboard taken before shipment… Other ideas?

I like where both ideas are going. If the package snatcher’s intentions are to put malicious code on the computer, at the lowest levels, then a picture won’t show that.

Is there a way to display some sort of “last time booted up” message or something similar? Is that a BIOS feature that could even be implemented?
Then you could at least know with time stamping and package tracking information when it booted up last.

How about shipping the battery and power charger separate, a few days apart?

1 Like

Holographic seal tape can be defeated by using a syringe to inject acetone just under its surface, temporarily disabling the adhesive. After the attacker is done, they just put it back.

  1. Purism makes a laptop signing key available, with its fingerprints on puri.sm, GitHub, Keybase, and business cards.
  2. Glittery nail polish over the screw holes. This is discussed on several sites.
  3. Signed picture of the nail polish emailed to the user and available by user login.

The glitter pattern is random and very difficult to reproduce.

One problem is that blink testing (taking your own picture and overlaying it to spot differences) is also difficult. You can't put your camera in the same place, with the same settings and lighting, that the factory did. The only way I can think of around this is a few pics, or maybe a short animation showing a few different angles, and having the user visually inspect that the pattern is close enough. It should still be difficult or time consuming for the attacker to make a close pattern. A well-funded adversary could have the resources to build a custom glitter sprayer, so this may not deter a nation state.

4 Likes

This actually ain’t such a bad idea.

3 Likes

Damn it @pixel, now you're depressing me :wink: I hope glitter nail polish is not our only remaining option…

2 Likes

You're welcome! :slight_smile:

I've thought of self-adhesive tape with the nail polish on it, but the adhesive could also be vulnerable.

2 Likes

The other topic is closed, but I worked in cyber for the gov't and I know for a fact that many, many servers, new from the manufacturer, have had chips replaced and additional functionality added to those chips. Same with laptops, desktops, phones, you name it. My last investigation before I retired was a nasty one, and no information was available for it… at least not unclassified information. The EPO server was the primary target, and before they took it away I compared it to valid schematics of the server and it was not kosher. Not even close.

3 Likes

First of all, the reason open source is advocated in security terms is that you can check it. The same should work with hardware, no? If you publish the schematics, you should be able to check whether all the components are as they should be. That should work too, no?

The second thing would be to check the firmware. So maybe the way to go is to create a tool to check that nothing has been tampered with on that side, maybe by doing a checksum on the firmware and the installed coreboot, checking if there is any additional hardware, or stuff like that…

Isn’t it possible to realise those things?

6 Likes
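The firmware-checksum idea above, and pixel's earlier proposal of a vendor signing key plus signed pictures, both come down to the same mechanism: the vendor records what a unit looked like before it shipped, and the buyer compares what arrived against that record. The sketch below is an added example, not Purism's code or process, and it deliberately covers only the part that can be compared bit for bit: a flash dump. A photo cannot be verified this way, because the buyer can never take a bit-identical picture (pixel's blink-testing point), so seal and glitter photos stay a visual check. The flash layout, region names, offsets and image bytes are all constructed for the example and are not the Librem's real layout. The design point the code shows is that some regions (settings, boot counters) legitimately change on first boot and must be excluded from the manifest, otherwise every delivered unit would "fail", while a single changed byte in a code region is caught. One caveat for anyone doing this for real: take the dump with an external SPI programmer, since firmware that has already been modified can misreport its own contents when read from the running system.

```python
"""Region-by-region check of a firmware flash dump against a vendor-published manifest.

Everything here is constructed for illustration: the flash layout, region
names and image bytes are made up and are not the Librem's real layout.
"""
import hashlib
import hmac

# Constructed flash layout: name -> (offset, size, volatile).
# "volatile" marks regions that legitimately change at boot (settings,
# boot counters) and therefore cannot be pinned to a factory hash.
LAYOUT = {
    "BOOTBLOCK": (0x0000, 0x1000, False),
    "COREBOOT":  (0x1000, 0x6000, False),
    "NVRAM":     (0x7000, 0x1000, True),
}
FLASH_SIZE = 0x8000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_image(seed: bytes, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a factory flash image."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def build_manifest(image: bytes, layout: dict = LAYOUT) -> dict:
    """Vendor side: record the hash of every non-volatile region before the unit ships.

    In practice the manifest would be signed with the vendor's key (whose
    fingerprint is published out of band) and handed to the buyer; signing
    is left out of this example.
    """
    return {
        name: {"offset": off, "size": size, "sha256": sha256_hex(image[off:off + size])}
        for name, (off, size, volatile) in layout.items()
        if not volatile
    }


def verify_dump(dump: bytes, manifest: dict) -> dict:
    """Buyer side: compare a flash dump region by region.

    Returns {region_name: True/False}. A short or truncated dump fails the
    affected region instead of passing on a partial match.
    """
    results = {}
    for name, entry in manifest.items():
        region = dump[entry["offset"]:entry["offset"] + entry["size"]]
        ok = len(region) == entry["size"] and hmac.compare_digest(
            sha256_hex(region), entry["sha256"]
        )
        results[name] = ok
    return results


def patch_byte(image: bytes, offset: int) -> bytes:
    """Flip one byte; used to simulate both an implant and a normal NVRAM change."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)


# Constructed scenario: a factory image and the manifest built from it.
FACTORY_IMAGE = make_image(b"constructed example image", FLASH_SIZE)
MANIFEST = build_manifest(FACTORY_IMAGE)


def first_boot_result() -> dict:
    """Unit booted once: only NVRAM changed, so every pinned region still matches."""
    return verify_dump(patch_byte(FACTORY_IMAGE, 0x7010), MANIFEST)


def interdicted_result() -> dict:
    """One byte changed inside the COREBOOT region: that region fails, the rest pass."""
    return verify_dump(patch_byte(FACTORY_IMAGE, 0x2000), MANIFEST)


if __name__ == "__main__":
    print("factory     :", verify_dump(FACTORY_IMAGE, MANIFEST))
    print("first boot  :", first_boot_result())
    print("interdicted :", interdicted_result())
    print("truncated   :", verify_dump(FACTORY_IMAGE[:0x5000], MANIFEST))
```

The manifest only proves that the flash matches what the vendor recorded; it says nothing about replaced chips or added hardware, which is the separate schematic-comparison problem raised earlier in the thread.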

What about dispatching the laptops in “kit” form, like a kit house… ?

Post some parts (top and bottom aluminum cases and charger, and perhaps the SSD drive). A week later, post the motherboard WITHOUT the parts you already posted, like the SSD drive, and we assemble once all parts are received. So it cannot be booted in transit, and it shows on paperwork as PC "parts", NOT a PC…? Or do they NOT need to boot it up to install their malware…???

I have two laptops on order with you, but what is the point if they will be compromised as they leave Purism / the USA, before they arrive in my country…? If I were them, targeting all laptops from a company like Purism would be a good idea… obviously someone ordering a Purism laptop is a much more "interesting" target :frowning:

1 Like

You basically just described Novena!

2 Likes

Update: self-adhesive tape was a total fail; too easily stretched. I was hoping for something cleaner than gooping up the screw holes like that.

Nail polish over covers (e.g. the battery cover on some laptops) can sometimes break in hard-to-see ways.

I look forward to seeing what you come up with.

2 Likes

It does not literally have to be nail polish; it could be something easy to clean. It just has to survive non-tamper shipping but absolutely not survive any tampering (of course, a TLA could formulate their own and replace it, but the glitter arrangement would be different).

1 Like

Firstly, let me be clear: I highly respect and appreciate everything the Purism team has done to date, want to support you, and have an L13 and L15 on order. However, I am now feeling like I may need to cancel my orders.

THE PROBLEM
The real issue here for me, and surely it must be for everyone else too (?), is: what's the point of stripping all the spyware / hack vulnerability out of these laptops only to allow it to be reinserted during transit to the end user? Seriously, doesn't this make the whole Purism project a fail until we resolve this?

In the post “Preventing Shipment Interception”, solutions were proposed (holographic seal tapes, glitter nail polish over screws, etc) then quickly defeated with confirmed existing government practices (syringe to inject acetone under seal surface etc). To me, these solutions only help us confirm we have received a hijacked device which is then of no use to us. The real objective / solution surely is to deliver the Librem to the end user in a “guaranteed secure state”.

THE SOLUTION
Are there solutions that can be developed / offered (even at additional cost?) to receive the laptop in a "guaranteed secure state"? Such as:

SOLUTION - Technical
Is it technically possible to deliver solutions like suggested by @pixel such as laptop signing key, fingerprints, etc, which would cryptographically sign the motherboard to prevent change, or similar ideas?

SOLUTION - Physical
Just sharing thoughts, but I may be interested in an "option" to choose some additional physical security, if we made it "too difficult" for them to quickly interfere with the laptop while in transit (?).
For example:
I) To choose one-way security screws, in conjunction with having you "super-glue" or "Loctite" the screws in the back cover. Also use super-glue to glue the back cover on, even under the screws, so they cannot access the inside. I accept that would mean I have to purchase a new replacement cover along with a replacement battery 2 years down the track, but that's a cost I would accept.

II) Use stainless steel screws, as they are a lot more difficult to micro-drill into the head and remove with an "easy-out" (screw extractor).

III) If the points above were implemented and did actually stop a hardware / chip hack, but the laptop was shipped in a bootable state, then we are still susceptible to a boot / software install, which still means the delivered device may not be secure.

IV) Deliver each Librem in multiple shipments for end-user assembly (?) to avoid "boot-n-tamper" in transit (?), but then it is susceptible to the chip replacement hack, as the case is not super-glued together.

V) Other feasible solutions(?)

FINAL COMMENT
If you think this post is an over-reaction, consider this: Purism is manufacturing laptops DELIBERATELY designed to circumvent government malware / hacking / hardware monitoring, so if YOU were in charge of such monitoring, would you not specifically target ALL products dispatched by such a niche manufacturer? I think this "delivered in a guaranteed secure state" is as important as all the other aspects you have so brilliantly addressed to date.

@mladen @jeff @pixel @jvader @todd-weaver and others, I would seriously appreciate your response to my thoughts above AND/OR other solutions, as I am genuinely seeking a solution for us all, and so I do NOT have to cancel my orders.

Thx
bit

3 Likes