I guess it might be relevant to Librem 5, since it’s based on NXP from 2018.
Time to plan for Fir then.
Also, 2017-2020 (Spring).
Not really. The spyware on CPUs is only risky for online and daily cloud services. If you use your Librem 5 with new or self-written software and are often offline, you are not included in this attack, because the idea of A.I.-synced information about the client, distributed to companies' databases, was not ready before 2019.
This seems bad for Librem 5’s. What can we do to verify their hardware isn’t backdoored?
NXP? It depends.
If the Chinese government only had read access then it is more likely industrial espionage than an attempted backdooring.
In particular, if NXP’s systems were well set up (e.g. you only get the access that you need or e.g. airgapping where appropriate or e.g. even just separating out unrelated functionality onto different servers) then it might be that the accounts that were hacked into did not have read-write access.
The article implies that no write access occurred but, from long experience of these stories, what you know in the immediate aftermath of a detection is often much less than what is known after months of investigation.
Against that, this story appears to be several years old. So if the hack was more than industrial espionage, you would think that this would have been discovered by now.
One way to detect a maliciously altered file is to compare the file with a known good backup. That in turn would depend on the strength of their backup regime.
Another way is to maintain offline cryptographic hashes of files.
Both of these could be defeated if the system in question is completely compromised. Neither of these is at all a recent innovation.
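As an added example (not code from the thread), the offline-hash approach described above in Python: a SHA-256 manifest is built while the tree is known good, kept off the system, and later compared against the tree to list modified, missing and added files. The sample files and the tampering scenario are constructed inside the script.

```python
# Added example: offline hash manifest for detecting altered files.
# The manifest must be stored (and the check run) from outside the system
# being checked, otherwise a full compromise can rewrite both file and hash.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a stored manifest and report changes."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a small tree, one tampered file, one planted file."""
    root = Path(tempfile.mkdtemp())
    (root / "design").mkdir()
    (root / "design" / "soc.v").write_bytes(b"module soc; endmodule\n")
    (root / "README").write_bytes(b"known good\n")
    # In practice the manifest is written to offline media; here it only
    # round-trips through JSON to show the stored form.
    stored = json.loads(json.dumps(build_manifest(root)))
    (root / "design" / "soc.v").write_bytes(b"module soc; /* altered */ endmodule\n")
    (root / "design" / "extra.v").write_bytes(b"module extra; endmodule\n")
    return verify_manifest(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```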
To get the information required to know that, you need the hardware schematics. As for how to obtain them legally, you would have to ask NXP. Depending on your business, they may grant you a license under an NDA.
Even if there is no intentional backdoor created, there may still be hardware vulnerabilities that can be exploited to create one.
Access hardware schematics by seeking NXP’s permission; they may grant a license under NDA, crucial for understanding and ensuring compliance. Potential vulnerabilities, intentional or not, could allow exploitation for backdoor creation.
Well, that would be the legal method.
And assumes that NXP agrees to allow that access.
Hmm. So, instead of signing away my freedoms in an NDA, if part of the whole reason I want to move to products like Purism in my life is freedom, then could that mean a better way to learn about NXP chip specs would be to find the Chinese folks who got the specs and offer them money for it, in the hopes that even if they charge more money than NXP for information they might not require me to sign an NDA?
Just brainstorming. I don’t have experience interacting with people like that.
There are many ways to achieve the same goal, but the legally compliant way is as I mentioned earlier in this thread.
That is all I can speak about from my public identity.