Installation security docs say that USB firmware could be “untrustworthy”, even if the drive is new. What does that mean exactly? After re-verifying the checksum on the USB after writing, how could the USB firmware still compromise the installation? Could the malicious controller firmware insert malware hidden in some sector during installation, or could the malware fit on the firmware itself?
If it is possible, then would it be best practice to re-flash the controller firmware using MPTool (Mass Production Tool) and then perform a low-level format (from a trusted machine) before creating the installation media? Could such a USB be considered “trustworthy”? What are your thoughts?
Welcome. I think it implies that the manufacturer could have placed a backdoor. The Qubes model is don’t trust anything. Reinstalling the firmware could be a way to minimize the risk of compromise in your USB, but I personally wouldn’t do this. Unless it’s in your threat model (having a serious player after you), you definitely don’t need to do this.
If it could be a way to minimize risk, then why wouldn’t you do this? It is the source of trust for your machine, potentially for years to come, so it doesn’t seem like a huge time investment nor an unrealistic threat, since there is malware out there that can replace the firmware of a USB controller. Most people use USB drives to install their OS, so it is a very attractive attack vector. If you are not using a freshly bought USB drive, then all it takes is plugging the USB once into an infected machine (during the USB’s lifetime) for it to become a time bomb, sitting there waiting for someone to use it as installation media. The irony is that you could initially have a clean USB and use a malicious MPTool to infect yourself, so you have got to trust the source of the tool. That’s why I am asking if such malware could fit in the controller firmware itself or would it have to be hidden in some sector.
Installation security docs say that USB firmware could be “untrustworthy”, even if the drive is new. What does that mean exactly?
What it means for all proprietary software.
After re-verifying the checksum on the USB after writing, how could the USB firmware still compromise the installation?
The firmware has full low-level read/write access to the data.
Could the malicious controller firmware insert malware hidden in some sector during installation
There can be a hidden partition which only the firmware can see and from which it can copy/transfer data.
or could the malware fit on the firmware itself?
If it fits in the memory.
If it is possible, then would it be best practice to re-flash the controller firmware using MPTool (Mass Production Tool) and then perform a low-level format (from a trusted machine) before creating the installation media? Could such a USB be considered “trustworthy”? What are your thoughts?
Best practice: use NitroKey Storage - the only FOSS/H USB storage (AFAIK). Nothing proprietary is fully trustworthy (unless tested extensively and proven).
Another good idea would be to have encrypted installation media, thus making the firmware “blind” to the data. I don’t know if that is possible though because at least the bootloader needs to be accessible.
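The read-back check the question refers to, done carefully, as an added example (not from any poster in this thread): it hashes the image, then reads back exactly the image's byte count from the written media and compares. The script and its function names are my own; the caveat the reply above makes still holds, since the hash covers only what the controller chooses to return on that read, and if the OS page cache still holds the bytes just written you are hashing the cache, not the device.

```shell
#!/bin/sh
# verify_media.sh (added example, not from the thread)
# Usage: write_media IMAGE DEVICE; then verify_media IMAGE DEVICE
# Assumes GNU coreutils (dd conv=fsync, sha256sum), with a shasum fallback.

# sha256 of stdin, hex digest only
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# Write IMAGE to DEVICE and force the data out of the kernel's buffers.
# notrunc keeps this usable on a regular file too (for testing).
write_media() {
  image="$1"; device="$2"
  dd if="$image" of="$device" bs=4M conv=fsync,notrunc 2>/dev/null
}

# Compare the first <size of IMAGE> bytes of DEVICE to IMAGE.
# Hashing the whole device would always mismatch, because the media
# is larger than the image and the tail holds whatever was there before.
verify_media() {
  image="$1"; device="$2"
  size=$(wc -c < "$image" | tr -d ' ')
  expected=$(sha256 < "$image")
  actual=$(head -c "$size" "$device" | sha256)
  [ "$expected" = "$actual" ]
}
```

On a real stick, unplug and replug the drive (or, as root, drop the page cache with `echo 3 > /proc/sys/vm/drop_caches`) between `write_media` and `verify_media`, so the bytes you hash are what the controller actually serves on a fresh read. Even then, a controller that serves honest data to this read and different data to the BIOS during boot passes the check; the check catches bad flash and write errors, not a firmware that lies selectively.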
Anything is possible. You still have to download the firmware from the same company that makes the USB. If you don’t read the open-source code to verify that it does not have a backdoor, what’s the point? A malicious actor flashing malicious firmware by opening the boxes -> flashing malicious firmware -> reclosing the packages is highly possible but extremely unlikely. It isn’t as simple as “Is it best practice”; it ultimately depends on what your threat model is. In my opinion some things you are obligated to trust, like your computer for example.
The biggest threat when purchasing a USB stick is having the shipment intercepted before delivery. The manufacturer would be out of business overnight if they just blindly installed a backdoor on every device, but if you are on some nation states watch list then things get a little more interesting.
At the laboratory where I used to work we had strict guidelines on where and how we could procure our USB drives. In theory, if you purchase from a third-party reseller and they recognize you as a customer, they could devise a custom payload, replace the device, and reseal the package so that it is not obvious. These packages do not come from the manufacturer in tamper resistant packaging so there would be no obvious way to tell if it had been tampered with.
Best practice is, if you know that some nation state actors are actually targeting you, then you should purchase the product directly from the manufacturer and use tracking information on that delivery so that you can tell that it was not intercepted and delayed somewhere that it was not originally intended to go. Validate the normal delivery path for that shipper if possible.
Buying anything from a third party source would be a total crap-shoot and it would depend on your own personal threat model because they essentially have infinite time to make any modifications and then ship you a customized version made just for you.
The safest thing to do is to buy the USB stick directly from a reputable manufacturer who you (mostly) trust and then pay the higher cost of ordering it from them with proper tracking information. This is not 100% assurance but it’s still far better than the alternative.