Interdiction attacks on these products: “Librem Key”, “Vault USB Drive” (part of “PureBoot Bundle”), “USB Flash Drive”

The title says it all.

An attacker might interdict the shipment of one of these products:

  • “Librem Key”.
  • “Vault USB Drive”. This is part of the “PureBoot Bundle”. I think this is just a blank drive (EDIT: Kyle says it ships containing the public key corresponding to the private keys on the Librem Key) to ensure that the customer has one when they reach a point in the instructions calling for one.
  • “USB Flash Drive”. I think this has had one of 3 specific ISO filesystems installed on it. It is to be used for (re)installing an operating system.

What attacks can be carried out by an attacker with temporary possession of one, two, or all three of these before they reach the customer? Assume the attacker has a nation-state level of resources. What effective countermeasures can the customer take? Discuss.

[edited to clarify question]

2 Likes

if a certain nation-state had an interest in protecting the “customer” would it not already know HOW to do so ? and if it ALREADY knows how to do so would it not be safe to assume that it also knows how to do the OPPOSITE ? :upside_down_face:

1 Like

This is what our anti-interdiction services attempt to address.

1 Like

How does Purism’s anti-interdiction service address the dangers of replacing the USB drives or the Librem Key with malevolent hardware? The Librem Key protects the Librem 14/15, but what protects the Librem Key? And the Vault USB Drive stores backups of private keys. What if it has been replaced by a device that sends a radio copy? Etc. Where is the threat analysis document for these auxiliary parts?

The sensitive data on the Librem Key is the private GPG keys it stores on a tamper-resistant OpenPGP smartcard. I’m unclear what someone would accomplish by replacing it with malevolent hardware (but again we address this with tamper-evident tape around the Librem Key when we ship it separately from the laptop in anti-interdiction services).

The vault USB drive contains a copy of the public key that corresponds to the private keys on the Librem Key by default. We supply you with it so you have something to store backups of any private keys you generate after you receive it. Again in the case of anti-interdiction services, these devices are behind a few layers of tamper-evident tape while shipping.

I should also note that all of these secrets are just to protect the device during transit. We recommend customers replace all of these keys with their own once they verify the laptop hasn’t been tampered with in PureBoot.

Regarding all 3 items: Kyle says the protection against modification is just the tamper-evidencing packaging (and presumably photos of this sent separately?).

Regarding the Librem Key: Kyle doesn’t think the attacker can get anything out of replacing the smart card or installing a radio to copy all bits sent in/out of the card or any other hack of a similar scope.

Regarding the Vault USB Drive: Kyle, could you please tell your support staff that this does not ship to the customer blank (because that’s what they told me)? Kyle thinks there is no danger in the attacker installing a radio (or some other hack of similar scope) in this drive which copies the private keys that the Purism documentation recommends saving on this drive after the customer creates them.

USB Flash Drive: Kyle doesn’t think there is any danger from an attacker modifying this drive, even though this might lead to the customer installing an operating system of the attacker’s choice.

[edited to fix confusing punctuation]

The secondary protection against the kind of far-fetched modification you are describing is simply to remove the case and inspect the hardware for radios and anyone who is legitimately under that kind of threat should be used to doing that. Nation states prefer software exploits to hardware implants because implants are easier to detect (inspect the hardware) and harder to explain away (why is there a tiny antenna inside my USB thumb drive?). This is why I’m skeptical about that Supermicro server implant story that made the news a few years ago–why implant a remote access chip when the vulnerable BMC chip is already there?

A lot of the proof of concept stunt hacks you see are not practical to carry out in practice. It’s a lot easier to explain away an exploit, or backdoored firmware, as an innocent bug, or a mistake at the factory that installed firmware with debug enabled and that’s the attack vector worth the most attention. This is why, while we also provide countermeasures to detect hardware tampering, and in the case of anti-interdiction orders will provide custom tweaks to the default steps based on the customer’s threat model (such as shipping the Librem Key and laptop to completely separate locations potentially under different names), a lot of our focus and our advancements have been in the realm of detecting software tampering because that’s the larger and more practical threat.

2 Likes

So Purism supplies pictures of what each of these items looks like with the case off? And instructions on how to remove the cases without breaking the items?

And Purism believes there is no danger from simply reinstalling different file system contents on the USB Flash Drive?

by the way if we open the thumb drives provided by Purism will we VOID the warranty ? will this process destroy any part of the thumb drive ? what if an antenna is internal to the drive itself and not observable at first glance ?

this is all just for the sake of conversation … i didn’t bother with any anti-interdiction from you guys so far … i’ll have to see how that played out though … lol

We do with the laptop (and in the case of anti-interdiction we also supply the customer with pictures of their specific motherboard). We haven’t for the Librem Key because up to this point it hasn’t been necessary, but if an anti-interdiction customer were to demand it, we could provide a picture of Librem Key electronics without the case, although you could also just refer to the Nitrokey hardware PCB design as that’s what we based our Librem Key from. This is the value of using open hardware with open specifications whenever possible.

The Librem Key case is glued in place and we don’t typically recommend customers remove it unless they are ok with risking cracking it and voiding their warranty, however I’ve been able to remove the case on mine without any damage before.

1 Like

Looking at our new thumb drives, you would need to be a practiced hand to take it apart without bending/damaging the components. It could certainly be done if you have experience with electronics as it’s a case of removing a few metal sleeves around components. I might be wrong but I don’t think we would honor a warranty for a customer who thought the government was after them and damaged their thumb drive while taking it apart looking for a transmitter and antenna.

Removing the screws on the bottom of the laptop is different though and we support that.

1 Like

Additional threat: Turn the Librem Key into a tracking device. This would take advantage of the likelihood of the customer taking their Librem Key with them everywhere. This has nothing to do with attacking the keys or the Librem computers the Librem Key is used with.

what is the difference between a hacker opening the bottom of the laptop and another one doing the same to a usb-thumb-drive ? is it just the increased level of paranoia that gives it away ? lol

To clear up any confusion: I’m asking serious questions about the threat analysis: what are the threats and what are the countermeasures and what are the costs to the attacker and the defender.

Complete with power supply (i.e. battery)? Otherwise it is only useful for tracking while connected.

It is certainly possible to have a USB flash drive sized device that has a rechargeable battery inside it (I own one) but it might be more difficult to adjust an existing device while retaining the exact form factor. (I wonder how many people would notice if the form factor changed i.e. it got bigger?)

I don’t think that you can replace the existing device because then the keys won’t work properly. (Yes, there are questions over whether a very sophisticated attacker is able to extract keys from a TPM, without destroying it first - and of course if a very sophisticated attacker has broken the underlying asymmetric key encryption then all bets are off.)

To be honest if you were going to attempt this (tracking device) attack, it may be easier to do so on the host device e.g. bypass HKS on the cellular modem (I wonder how many people would notice?) or e.g. install a separate tracking device in the host or e.g. install a separate tracking device in the car.

It doesn’t seem as if anyone has mentioned the anti-interdiction nail polish that is used to detect physical tampering e.g. with the phone and laptop.

It’s a rabbit hole with no bottom Joe. No matter the solution there will always be another threat. It would be probably easier to just compare what purism does to address these threats versus other manufacturers.

You cannot and will not ever buy anything that is or will stay 100% secure.

2disbetter, everyone here fully understands that there is no fully secure system. The topic is: What are the specific attacks and countermeasures, what are the costs of these attacks and countermeasures, and how effective are these attacks and countermeasures? It is important to actually think about these to get a sense of whether the vulnerabilities are addressed appropriately for any particular threat model.