Evil maid attack source code of OG blog post

The links in the OG blog post about the evil maid attack no longer work. Does anyone have alternative links? Below are the two links that are not working.

  1. Download the USB image here.

  2. You can get the source code for the Evil Maid infector here.

1 Like

You can get them from https://web.archive.org.

2 Likes

On a related note, I recently watched a video where the presenter mentioned multiple times that certain firmware exploits are permanent and the motherboard has to be shredded to get rid of that exploit. Are there any write-ups on how such exploits work? I was under the impression that firmware exploits can be removed by flashing the firmware using an external programmer.

I have not watched the video yet, but reading about fuse and lock bits of EEPROMs, microcontrollers and similar chips might be informative and inspirational in this case. Having said that, it would be necessary to study the schematic of the mentioned motherboard to see if such bits exist on the firmware chips and if the lock bits could be fused by software. Also, before shredding the motherboard, maybe the locked chip is a SOIC-8 which could be replaced with a freshly programmed chip if you have the necessary skills and tools for SMD rework. Shredding the motherboard is a little bit wasteful. Maybe it could be donated to firmware security researchers.

I am pretty sure the presenter was not being literal. He was emphasizing the nature of the exploit.

1 Like

So… here’s the question: Are you willing to gamble all future security on that system that you know exactly what was done, to what, and how?

If it’s just the main firmware chip, sure. You can externally reprogram or replace that. But look into just how many things on a typical mainboard have some variety of programmable storage on them. Drive controllers, hard drives/flash devices, NICs, GPUs, and all sorts of other devices have some amount of flash - and it’s usually not documented in any great detail, nor can you get images to verify it against. For a firmware type attack, one can safely assume a very sophisticated, well resourced adversary, and those sorts tend to be quite clever in what they can accomplish.

If I had reason to believe that a system of mine had some variety of firmware compromise, I’d shred the system and everything that had been installed in it at any point, because I have no way to validate all aspects of it. Honestly, were I to believe that I’d been the subject of such an attack, I’d probably just clean sweep replace all my computing hardware at once, and be very careful how I sourced replacements.

I’m certain he was being quite literal. I’ve seen hardware shredded for far less than a high end firmware exploit.