NitroPad X230 laptop

I feel obligated to mention that while it is cheaper to buy from eBay or another online store, please keep in mind that sufficiently powerful adversaries may “interdict” your package in-transit and install sophisticated malware that will permanently compromise your machine and cannot be easily or effectively removed, at least not with any strong certainty. Additionally, eBay sellers may themselves be targets of such attacks, or of supply-chain attacks against replacement ThinkPad parts, or may themselves be adversarial fronts. If this is part of your threat model, then the extra cost of a NitroPad may be worth it due to the high-assurance measures taken to protect it from tampering and verify that it has not underwent clandestine modification.

Because NitroPads also require an online purchase that will be shipped to you, however, this necessitates trusting that NitroPad’s anti-tampering measures are sufficient to secure the device from unauthorized modification during transit and that the device is not tampered with in ways that NitroPad/NitroKey is unable to prevent—and, of course, trusting the company itself.

If you are not comfortable with this degree of trust either, or otherwise consider it insufficient for your threat model, the only other option that includes an X230 with a NitroPad-like setup is to buy the used X230 laptop locally from someone else, preferably a known and trusted associate but otherwise someone with no association with you and who knows nothing about you, and personally configure the system to your liking. Such a purchase may be best done anonymously during a local meet-up or at a local used electronics store, using cash or a private cryptocurrency like Monero, and with minimal delay between first contact and having the laptop in your hands. This approach is very inconvenient and may not even be rational; it will likely require diligence in searching for a listing and patience in waiting for one to show up in a local newspaper ad or Craigslist listing, since creating a listing yourself of your interest in purchasing one can serve as an attack vector in which you are sold an intentionally malicious machine by an adversary that suspects you to be the lister. Having ample luck will make it all much easier, though, so use it if you have any.

But even this maddeningly inconvenient and paranoid method is not bulletproof, because it ultimately just shifts the trust to less known actors and attempts to achieve additional security through obscurity, all with unclear privacy gains. Not a very good situation. For example, there is no guarantee that the used machine is not already compromised, or that the seller has not at some point themselves been a target by a powerful adversary, or how many hands that machine as passed through, or whether any of those other people may have been targets, or whether any original or replacement parts in the machine may have themselves been victims of supply-chain attacks, or that the seller themselves is not an adversary.

My point here is that without understanding the threat model, it is unclear what exactly may be the best course of action; but as the threat model’s adversary grows ever larger and more powerful, further steps may be necessary to mitigate increasingly more costly and sophisticated attacks. Unfortunately, there comes a point at which there is actually no way to mitigate a sufficiently powerful adversary, especially not with used hardware with many more unknowns in its history than there might be with a locally purchased new device from a physical retailer.

Were it not for the fact that we are talking about the NitroPad, a device intended for high-assurance security, I would not lead us all down this rabbit hole. If you are someone who is seriously considering a fully decked out NitroPad (as much as ~$1,400 USD for a modded refurb from 2012 is quite an investment), however, then you are also someone who may seriously need to consider the extent to which purchasing a NitroPad even makes sense for your threat model.

For the vast majority of people, including probably the vast majority who ever consider a NitroPad, the assurance level that the NitroPad provides is more than adequate. Even if not, compelling arguments can be made that alternative methods of achieving the same general setup, such as those described above, are actually worse and expose one to more risk than does an online NitroPad purchase, even when trust in NitroPad/NitroKey is less than certain.

As you all surely know, this is why threat modelling matters, as is one’s tolerance for jumping through hoops. If physical killswitches are on your radar and you are wondering if installing Qubes OS on a NitroPad yourself is safer, though, then the above considerations might deserve to be, too.

2 Likes