Preventing shipment interception, providing hardware integrity verification

To clarify my question:

Since anti-interdiction using a pre-configured Librem Key shipped separately from the machine was not possible, I must take steps to ensure my system is secure upon receipt. I would think this involves flashing known-clean coreboot, Heads, and OS.

Reinstalling coreboot:
https://puri.sm/coreboot/
This document mentions that it must all be done on the Librem machine in question. Assuming the Librem in question is compromised, would the new coreboot image generated not then also potentially be compromised?

Heads: same concerns as above

OS: If the above are compromised, then OS security doesn’t matter.

If my thinking above is correct, can anyone point me in the direction of securing my new hardware?

If my thinking is incorrect, can anyone explain why and point me in the right direction?

Many thanks in advance!

This document mentions that it must all be done on the Librem machine in question. Assuming the Librem in question is compromised, would the new coreboot image generated not then also potentially be compromised?

Since 2 months ago, no more replies to this important question. Did you receive any info from Purism themselves?

But it should also involve the firmware (and potentially hardware) of the TPM, the CPU, especially the IME, the SPI, embedded controllers and other), as anz of those might compromise you. In other words you would have to replace pretty much the entire system: There is no way to be really sure your laptop is not compromised (you could of cause assume, that an attacker would nt bother to compromise anything deeper than your BIOS or OS and just reflash/reinstall those).

I agree and found the solution provided me to be inadequate. I also found it to be the best reasonable immediately available solution among those recommended to me.

Decency warning:
If they want to fuck us, they will.

**I flagged myself **

2 questions:

1. Anyone knowing if also mobile phones have been tampered with while crossing border?

2. Anyone experience of bringing a laptop from the US to Europe on own travel? I surely would have to specify that I am bringing a laptop for the import country’s customs, but do the US custom check what is leaving their country?

With heads and disk encryption there are more secure ways to confirm that nobody tampered with a Librem during shipping:

• heads installed and initialized by default
• not shipping a device with disk encryption without a protecting password
• if ordered along: using the excellent LibremKey

Purism could install the Librems like before, but with the (final) heads/coreboot. The encrypted disk would be protected by an initial password.

If the user bought a LibremKey it is inititalized with the needed keys, used for heads and for disk encryption. Then it is shipped in a different package on a different day. The pins protecting the LibremKey are given to the customer directly using a different transport medium than shipping (phone, encrypted mail, download link, personal meeting - whatever level of paranoia the customer is willing to pay for).

If the user didn’t buy a LibremKey the passwords to unlock the initial disk encryption and the seed to initialize totp are provided the same way.

On initial setup the user should be warned to re-encrypt the disk to replace the master encryption key which had been generated at Purism with a knew one generated under the hands of the customer.

This is really good news then!

@todd-weaver Will the LibremKey be shipped in a different package? Why use an default password?

The LibremKey and the disk encryption key should be protected by an individual password/pin during shipping that should be given to the customer personally like proposed above.

Probably there would still be an attack vector, but it would be a lot more difficult than just getting the parcel(s), tampering the device, signing using the LibremKey and the default password, copy the disk encryption masterkey and sending the device(s) on to the customer.

The initial goal with the PureBoot Bundle is to make it easy for the average user to detect tampering after they get the laptop so they don’t have to go through the (somewhat complicated) initial PureBoot setup. Shipping the Librem Key in the same package and with default passwords helps with ease of use–the goal isn’t anti-interdiction except for in the most basic cases (average customs official, etc.).

To help protect against interdiction, you have to get our additional anti-interdiction services. This sort of thing requires extra work and back-and-forth communication between us and the customer so it’s not something we can offer as a default (or for free). But, as I mention in the article, the PureBoot Bundle does greatly enhance our already-existing anti-interdiction services because now we can do things like you are suggesting, including accepting a private key to pre-load onto the Librem Key, setting a new unique user and admin PIN, and shipping the Librem Key separately (and optionally to a separate address).

@Kyle_Rankin you wrote:

“With the PureBoot Bundle, you will be able to detect firmware tampering and rootkits out of the box! Just unbox the laptop, plug in the Librem Key and turn it on–if the Librem Key blinks green, your laptop is safe; if it blinks red, it was tampered with in transit.”

“if it blinks red, it was tampered with in transit” in my understanding is the promise that what you describe in your announcement helps to detect tampering during transport.

Later on you confirm this by writing: “When you get your PureBoot Bundle, you can immediately test whether the firmware was tampered with during shipment.”

Yes, there is also the offer to contact you for a non-standard delivery: “For an additional charge, you can contact us about our anti-interdiction services which, among other measures, ships the Librem laptop and Librem Key separately.”

But how many people do understand what you write and are able to distinct between “tampering detection during shipping” and “anti-interdiction services”?

I’ll let alone the - from my point of view - nearly not detectable border between those two in your argumentation.

I looked up “interdictin” on Wikipedia and found the following paragraph:

The term interdiction is also used by the NSA when an electronics shipment is secretly intercepted by an intelligence service (domestic or foreign) for the purpose of implanting bugs before they reach their destination. According to Der Spiegel, the NSA’s TAO group is able to divert shipping deliveries to its own “secret workshops” in a method called interdiction, where agents load malware onto the electronics or install malicious hardware that can give US intelligence agencies remote access. The report also indicates that the NSA, in collaboration with the CIA and FBI, routinely and secretly intercepts shipping deliveries for laptops or other computer accessories, such as a computer monitor or keyboard cables with hidden wireless transmitters bugs built-in for eavesdropping on video and keylogging.

I’ll cite from your FAQ:

Bildschirmfoto%20von%202019-09-05%2009-26-131041×412 32.6 KB

In your FAQ you compare security and privacy to “installing cameras” and “want unwanted people having access […] to your camera or microphone”. Theses are usually not attacks of average custom officers or script kiddies, but theses are standards you set - and for good.

From my point of view your announcement for the average user is highly misleading.

And yes, you’re right, what you call “anti-iterdiction service” has to be paid for because it needs more work and time on your side. But people are here at Purism already paying higher prices, because it is exactly what at least I want to do:

Pay a fair price (and thereby I mean that from my point of view Purisms pricing is more than fair looking at the work you put into it) to get products focused on privacy and security achieved by using open source and open hardware as far as possible - and not to forget for the necessary processes to handle this software and devices.

My suggestion: Design a way you’d like to handle secure communication for pins and passwords, calculate what it costs and what costs sending the LibremKey in an additional shipment, add it to the pricing for “PureBoot Bundle” and offer only that.

Yes, you can detect firmware and rootkit tampering in transit with the PureBoot Bundle without extra anti-interdiction work, just not from a sophisticated attacker. As I said before, it is enough if your threat is an average customs official, but likely not if your attacker is more sophisticated–responding to that requires more effort both on our and on the customer’s part.

That extra level of sophistication is not something all customers face, are worried about, or are willing to pay extra for. With all of our security measures we try to balance an option for the extreme case with what actual people need in the average case. This is why, for instance, the Librem 5 has 3, but not 10, kill switches and our compromise is to offer “Lockdown Mode” for those people who do need that option.

I don’t understand this: Can you explain which attack vector / risk you mean by “average customs official” and how “PureBoot Bundle” defends against it? What do you think an “average customs official” might do that can be detected by using “PureBoot Bundle”?

I’m not trying to be misleading at all, that’s one reason why we aren’t shipping the Librem Key separately by default with default settings to the same address because I feel it would give people a false sense of security against sophisticated interdiction. To do it properly against that real threat requires not just shipping a key separate, but extra work from our side and extra work from the customer side (and a lot of extra coordination between the two parties).

With the default PureBoot Bundle, any attack in transit against either the firmware or files in /boot (so attempts to install a rootkit by booting some kind of automated USB-based OS) by someone not sophisticated enough to be well-versed in PureBoot, Librem Keys, etc. would be detected.

You could make the argument, I suppose, that only someone very sophisticated would even attempt modifying PureBoot firmware since it’s so specialized, so the more likely attack by a less sophisticated attacker would just be focused on rootkits.

I wouldn’t worry about it. If they wanna getcha they’ll getcha. Just consider Epstein.

My favorite is the darn hard plastic they seal small parts in at the store. Its near darn tamper proof even after you buy it. Even a package of 10 philips-head wood screws I could barely open with tin snips.

Perhaps have the initial shipment be a laptop with no OS, and a build of coreboot capable only of validating a GPG key and booting from USB.

Then, once the machine arrives, the end user downloads an OS install/bios install image that, upon signature verification flashes the bios and installs the os image.

Even then and with the key, you’d still have to be worried about the firmware of all the controllers, unless the aforementioned image reflashes and validates them all.

That looks really Really cool!

I may consider that $99 worth it. I’m not living in a way that I need to hid things, but I talk so much shit about the Israeli Govt, Putin, Trump, China’s Winnie the Pooh, and many more. That $99 might prevent a lot of gray hairs from forming early.

@Kyle_Rankin, I know that you’re not trying to be misleading and I believe that all of you people at Purism give your best and still - with all my questions and critics - I think you’re doing a great job developing things into the right direction. You are being an example for others - especially with your openness and willingness to discuss things.

But that said …

Exactly. What kind of attacker would do anything illegal to a parcel in shipping? Yes, there might be the person paid to just switch on any notebook while connected to an usb stick. But really, how likely is that?

Further more: Just by being Purism and being customer to Purism we already proclaim that we are aware of surveillance and we are willing to invest effort and money to protect our self.

I’d suppose the latter already gives us some focus by people who are interested in other peoples data.

I guess, if there is something like “interdictin” happening on a regular basis, people who interdict shippings sent by Purism know about the hurdles and about the weaknesses.

I just wanted to follow up and thank you @ChriChri for reviving this discussion on interdiction and the impact of the PureBoot Bundle on it. Ever since this discussion I’ve been thinking about this and even though shipping the Librem Key separately doesn’t provide the same level of safety as our full anti-interdiction service, we should allow it as an option because it does protect against more of the casual interdiction threats than what we currently offer.

We just added an extra “PureBoot Bundle Plus” option when ordering a laptop that will ship the Librem Key separately. It costs a bit more than the default PureBoot Bundle to account for the extra shipping and handling.

I’ll try to follow up with a blog post soon that describes the different threat models at play here so people can make a better-informed decision about which option they want.

I know this thread is finished, but I just had a thought while looking at the users manual.
https://docs.puri.sm/Librem_5/Settings.html#changing-your-passcode

If the Librem 5 is being delivered with an unstated preset passcode, does that mean it is somewhat randomly set and unique to each device shipped?

It occurred to me that it would be pretty good protection to have the recipient use their librem eMail to notify Purism of the shipments arrival, which would trigger a reply eMail holding a one time coded time sensitive link to a Librem page which displays the correct unlock code and the aggregate number of times the unlock code was queried.

When you start adding a lot of customization for each customer, in particular when that customization requires a lot of back-and-forth emails to coordinate, it becomes time-consuming and therefore expensive to do. This is why we offer anti-interdiction services as an add-on for the laptops, for folks who want that kind of customization and more advanced measures put in place: