Preventing shipment interception, providing hardware integrity verification

I might be wrong, but I think one of the major reasons we don’t have this service, even after two and a half years of discussion, is the legal/cost aspect of it.

AFAIK interceptions can be as much illegal as legal. So what if an interception is officially labeled as “legal”? Who is to pay for shipping? Because I believe this is what’s gonna happen if the package shows “signs” of having been opened: most probably the customer will ship the unit back, and then Purism will have to ship a new one in exchange.
These are extra costs, and then, what if it happens over and over when trying to send a package to a specific address?

If the interception would be illegal, I guess we would have the “guilty” one cover the costs both for shipping and for attorneys, which Purism will have to hire.

All these questions can only be answered by a professional attorney, and hiring a team of attorneys and dealing with such situations will not be cheap; $99 will surely not cover that.

Disclaimer: please treat this comment as a subjective opinion.

I think 99%+ shipments won’t actually be intercepted though, and the $99 fee will help cover any and all associated costs. Plus once a shipment is actually intercepted & tampered with, Purism could advise that specific customer that they’ll be unable to offer future interception prevention for that individual - he/she would always have the option to pick the laptop up in person from Purism offices.

Basically this is an important service that will provide peace of mind to Purism customers that their Librems haven’t been altered during shipment. The mere presence of this anti-interdiction system will deter attackers, and it can always be re-evaluated in the future if there is a significant uptick in interdiction events. I see no reason not to move forward with this right away.

This is why it is important that Purism has a seller outside the NSA’s jurisdiction, who will receive the units directly from the factory. And this should be a small, stable country. Not Germany or France. Try Belgium, Greece :wink:, Portugal, etc. Actually Greece is an entry point for Asian products into the EU.

2 Likes

Guys, this is very premature. Purism doesn’t even have RYF certification yet.

I was thinking the same thing before I tracked my package online with USPS.

It was showing a gap of 3 days after it entered my country, so 3 days of silence from the airport to my local post office/customs.
But not complete silence, since it reported the package being taken to an unknown place sometime between the moment it left the airport and the local destination. Where? Bah … just communist security having a look at this bad boy, I guess :wink:
Guess it’s ok if I refused it because of no hot-swappable batteries.
I think I would ask Cable from x-m** to scan my device with his eye and tell me what is wrong.

Tamper-evidence for shipping is obviously something that Purism needs to work on. I would be happy to see all expenditure on PureOS dropped and diverted to this.

Also, I know that Purism is very busy with the Librem 5, but buyers of the Librem 5 will want it shipped tamper-evidently. So, this issue should be addressed before the Librem 5 ships.

For those in this thread who have been suggesting tamper-evident tape or seals, you should know that these are typically more easily bypassed than their marketing material will acknowledge. See, for example, Datagram’s talk from 2011 at DEF CON 19: Introduction to Tamper Evident Devices. I am not aware of many sources with information about tamper-evident seals that are both effective and inexpensive. Reasonable starting points are those discussed by R. Johnston et al. in the Journal of Nuclear Materials Management, which is available fairly inexpensively from the Institute for Nuclear Materials Management.

Also, in order for Purism to be able to send photos of any seals to customers, without those photos themselves being undetectably intercepted and tampered with, the customer would need to already have a means to trust Purism’s public key, in order to trust Purism’s signature. (The key distribution problem.) If the customer is willing to trust Purism’s web server and its HTTPS connection to deliver them the correct key, fair enough. Users requiring stronger verification should do some upfront work to learn how to use the OpenPGP web of trust.

At least one person on this forum has reported that their parcel appears to have been tampered with during shipping: Laptop arrived today. Shipping box was tampered.

Since anti-interdiction has not become available, how can we take steps to return our Librems to factory state? I understand that certain hardware methods of interdiction are not easily detected by the average person, such as myself, but there must be a way to flash a stock BIOS, core boot, OS, etc. Basically everything from the ground up.

Is there a way to do this at home after receiving the unit?

https://puri.sm/posts/pureboot-the-high-security-boot-process/

Scroll down to “Interdiction”.
If you’re serious about it, make sure to supply your secondary shipment address via encrypted mail. The whole team has GPG keys.

Thanks for your reply, Caliga. That article was the reason for placing my order of both a Librem 15 and a Librem Key.

I did reach out to the Ops team following my order to ask about the anti-interdiction service and was told the service is not yet available.

1 Like

To clarify my question:

Since anti-interdiction using a pre-configured Librem Key shipped separately from the machine was not possible, I must take steps to ensure my system is secure upon receipt. I would think this involves flashing known-clean coreboot, Heads, and OS.

Reinstalling coreboot:
https://puri.sm/coreboot/
This document mentions that it must all be done on the Librem machine in question. Assuming the Librem in question is compromised, would the new coreboot image generated not then also potentially be compromised?

Heads: same concerns as above

OS: If the above are compromised, then OS security doesn’t matter.

If my thinking above is correct, can anyone point me in the direction of securing my new hardware?

If my thinking is incorrect, can anyone explain why and point me in the right direction?

Many thanks in advance!

This document mentions that it must all be done on the Librem machine in question. Assuming the Librem in question is compromised, would the new coreboot image generated not then also potentially be compromised?

Since 2 months ago, no more replies to this important question. Did you receive any info from Purism themselves?

But it should also involve the firmware (and potentially hardware) of the TPM, the CPU (especially the IME), the SPI, embedded controllers and others, as any of those might compromise you. In other words, you would have to replace pretty much the entire system: there is no way to be really sure your laptop is not compromised (you could of course assume that an attacker wouldn’t bother to compromise anything deeper than your BIOS or OS and just reflash/reinstall those).

1 Like

I agree and found the solution provided me to be inadequate. I also found it to be the best reasonable immediately available solution among those recommended to me.

Decency warning:
If they want to fuck us, they will.

**I flagged myself**

2 questions:

  1. Does anyone know if mobile phones have also been tampered with while crossing a border?

  2. Does anyone have experience of bringing a laptop from the US to Europe on their own travels? I surely would have to declare that I am bringing a laptop to the import country’s customs, but does US customs check what is leaving their country?

1 Like

With heads and disk encryption there are more secure ways to confirm that nobody tampered with a Librem during shipping:

  • heads installed and initialized by default
  • not shipping a device with disk encryption without a protecting password
  • if ordered along: using the excellent LibremKey

Purism could install the Librems like before, but with the (final) heads/coreboot. The encrypted disk would be protected by an initial password.

If the user bought a LibremKey, it is initialized with the needed keys, used for heads and for disk encryption. Then it is shipped in a different package on a different day. The PINs protecting the LibremKey are given to the customer directly using a different transport medium than shipping (phone, encrypted mail, download link, personal meeting - whatever level of paranoia the customer is willing to pay for).

If the user didn’t buy a LibremKey, the passwords to unlock the initial disk encryption and the seed to initialize TOTP are provided the same way.

On initial setup the user should be warned to re-encrypt the disk to replace the master encryption key, which had been generated at Purism, with a new one generated under the hands of the customer.
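As an added illustration (not code from Heads, PureBoot or anyone in this thread), here is a simplified Python model of the TOTP-based check the proposal above relies on: firmware components are measured into a PCR, the TOTP seed is sealed to that PCR (real TPM sealing is simulated here with a PCR-derived key plus an HMAC tag), and at boot the seed only unseals, and the on-screen code only matches the customer’s phone, when the firmware is unmodified. The component names, seed and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

PCR_INIT = b"\x00" * 32


def pcr_extend(pcr, component):
    """TPM-style extend: PCR' = SHA256(PCR || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_firmware(components):
    """Measure each firmware component in boot order into one PCR value."""
    pcr = PCR_INIT
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def seal(seed, pcr):
    """Simulated TPM seal (assumption: a real TPM does this in hardware).
    A PCR-derived key encrypts the seed; the HMAC tag lets unseal()
    detect that the measured PCR differs from the one sealed against."""
    key = hashlib.sha256(b"seal:" + pcr).digest()
    stream = hashlib.sha256(b"stream:" + key).digest()  # seed must be <= 32 bytes
    ct = bytes(a ^ b for a, b in zip(seed, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob, pcr):
    """Return the seed only if the current PCR equals the sealing PCR, else None."""
    ct, tag = blob[:-32], blob[-32:]
    key = hashlib.sha256(b"seal:" + pcr).digest()
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    stream = hashlib.sha256(b"stream:" + key).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as an authenticator app computes it."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def boot_check(blob, firmware, phone_code, now):
    """Boot-screen verdict: 'green' only if the seed unseals under the measured
    firmware AND the resulting code equals the code on the customer's phone."""
    seed = unseal(blob, measure_firmware(firmware))
    if seed is None:
        return "red"  # firmware measurement changed: seed cannot be unsealed
    return "green" if hmac.compare_digest(totp(seed, now), phone_code) else "red"
```

A single modified component changes every later PCR value, so the sealed seed never unseals and the screen cannot show the code the phone shows; the same model explains why the seed and PINs must reach the customer over a channel other than the parcel itself.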

This is really good news then! :slight_smile:

@todd-weaver Will the LibremKey be shipped in a different package? Why use a default password?

The LibremKey and the disk encryption key should be protected by an individual password/pin during shipping that should be given to the customer personally like proposed above.

Probably there would still be an attack vector, but it would be a lot more difficult than just getting the parcel(s), tampering with the device, signing using the LibremKey and the default password, copying the disk encryption master key and sending the device(s) on to the customer.

The initial goal with the PureBoot Bundle is to make it easy for the average user to detect tampering after they get the laptop so they don’t have to go through the (somewhat complicated) initial PureBoot setup. Shipping the Librem Key in the same package and with default passwords helps with ease of use–the goal isn’t anti-interdiction except for in the most basic cases (average customs official, etc.).

To help protect against interdiction, you have to get our additional anti-interdiction services. This sort of thing requires extra work and back-and-forth communication between us and the customer so it’s not something we can offer as a default (or for free). But, as I mention in the article, the PureBoot Bundle does greatly enhance our already-existing anti-interdiction services because now we can do things like you are suggesting, including accepting a private key to pre-load onto the Librem Key, setting a new unique user and admin PIN, and shipping the Librem Key separately (and optionally to a separate address).

2 Likes

@Kyle_Rankin you wrote:

With the PureBoot Bundle, you will be able to detect firmware tampering and rootkits out of the box! Just unbox the laptop, plug in the Librem Key and turn it on–if the Librem Key blinks green, your laptop is safe; if it blinks red, it was tampered with in transit.

“if it blinks red, it was tampered with in transit” in my understanding is the promise that what you describe in your announcement helps to detect tampering during transport.

Later on you confirm this by writing: “When you get your PureBoot Bundle, you can immediately test whether the firmware was tampered with during shipment.”

Yes, there is also the offer to contact you for a non-standard delivery: “For an additional charge, you can contact us about our anti-interdiction services which, among other measures, ships the Librem laptop and Librem Key separately.”

But how many people understand what you write and are able to distinguish between “tampering detection during shipping” and “anti-interdiction services”?

I’ll let alone the - from my point of view - nearly not detectable border between those two in your argumentation.

I looked up “interdiction” on Wikipedia and found the following paragraph:

The term interdiction is also used by the NSA when an electronics shipment is secretly intercepted by an intelligence service (domestic or foreign) for the purpose of implanting bugs before they reach their destination. According to Der Spiegel, the NSA’s TAO group is able to divert shipping deliveries to its own “secret workshops” in a method called interdiction, where agents load malware onto the electronics or install malicious hardware that can give US intelligence agencies remote access. The report also indicates that the NSA, in collaboration with the CIA and FBI, routinely and secretly intercepts shipping deliveries for laptops or other computer accessories, such as a computer monitor or keyboard cables with hidden wireless transmitters bugs built-in for eavesdropping on video and keylogging.

I’ll cite from your FAQ:

In your FAQ you compare security and privacy to “installing cameras” and “want unwanted people having access […] to your camera or microphone”. These are usually not attacks of average customs officers or script kiddies, but these are standards you set - and for good reason.

From my point of view your announcement for the average user is highly misleading.

And yes, you’re right, what you call “anti-interdiction service” has to be paid for because it needs more work and time on your side. But people here at Purism are already paying higher prices, because it is exactly what at least I want to do:

Pay a fair price (and by that I mean that from my point of view Purism’s pricing is more than fair looking at the work you put into it) to get products focused on privacy and security, achieved by using open source and open hardware as far as possible - and, not to forget, for the necessary processes to handle this software and these devices.

My suggestion: Design a way you’d like to handle secure communication for pins and passwords, calculate what it costs and what costs sending the LibremKey in an additional shipment, add it to the pricing for “PureBoot Bundle” and offer only that.

1 Like

Yes, you can detect firmware and rootkit tampering in transit with the PureBoot Bundle without extra anti-interdiction work, just not from a sophisticated attacker. As I said before, it is enough if your threat is an average customs official, but likely not if your attacker is more sophisticated–responding to that requires more effort both on our and on the customer’s part.

That extra level of sophistication is not something all customers face, are worried about, or are willing to pay extra for. With all of our security measures we try to balance an option for the extreme case with what actual people need in the average case. This is why, for instance, the Librem 5 has 3, but not 10, kill switches and our compromise is to offer “Lockdown Mode” for those people who do need that option.

2 Likes

I don’t understand this: Can you explain which attack vector / risk you mean by “average customs official” and how “PureBoot Bundle” defends against it? What do you think an “average customs official” might do that can be detected by using “PureBoot Bundle”?