Possible attack vectors in keeping proprietary BIOS on computer?

Due to some unfortunate circumstances, it will be rather difficult for me to find a laptop that has Coreboot support and have the time to Coreboot it.

I wanted to know the possible attack vectors from keeping the proprietary BIOS from Dell/HP. I believe something like a reverse-shell is possible (and because I don’t know much about the subject I’m going to have to research more about how I can prevent that in my network), but what other avenues should I be considering? Suggestions for both physical and remote security are welcome!

Thanks

You don’t really need to do anything, except maybe don’t give strangers unsupervised access to your device.

The firmware is rarely the initial attack vector; a remote attacker would need to compromise dom0 to flash a new ROM, at which point the firmware probably isn’t your biggest worry.

If your firmware has an option to lock the firmware, it’s close to impossible to flash the ROM without having physical access to the device.

If you also use a firmware password, you can be fairly confident the attacker would need both physical access and an EPROM programmer to flash the ROM.

You could then try to make the screws to prevent someone from being able to open the device undetected, or permanently secure the screws to make nondestructive opening of the device impossible.

Keep in mind, your device is protected by Boot Guard, it’s very likely going to require some high level government authority to be able to make working firmware for your laptop. It’s not something everyone can do, it needs to be signed by Dell.

3 Likes

What about special bits in RAM that trigger some functionality? One could in theory make something like this, put this in a simple looking .exe/.deb and/or distribute it in any fashion possible and ME would pick up on it.

Have you taken measures to prevent reverse-shell attacks on your infrastructure at home? Is it even possible to do anything about it? Well I guess controlling outbound traffic on the network level is an option.

Thanks for the reassurance about locking the BIOS with a password (I assume that’s what you mean by “firmware”) and the fact that Dell needs to sign everything, which means I’d have to become a serious threat for anybody to attempt this lol
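The "controlling outbound traffic on the network level" option mentioned above, written out as an added example that is not part of the original thread: a default-deny egress policy for a single Linux host using nftables. Everything the host may initiate is allowlisted (DNS to one resolver, HTTPS to a few hosts); anything else, including an unexpected outbound connection from a reverse shell, is logged and then dropped. The addresses are constructed placeholders, and the ruleset assumes a host that manages its own firewall; on Qubes OS the same policy would be expressed through the per-qube firewall in sys-firewall rather than inside the qube.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny egress policy for one Linux host.
# All addresses are constructed placeholders; replace them with your
# resolver and the services this machine genuinely needs to reach.
# "flush ruleset" replaces any existing ruleset on the host.

flush ruleset

table inet egress {
    # Destinations this host is allowed to open HTTPS connections to.
    set allowed_https {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }   # placeholder update/service hosts
    }

    chain output {
        # Outbound traffic is dropped unless a rule below accepts it.
        # IPv6 is deliberately not allowed at all in this example.
        type filter hook output priority 0; policy drop;

        # Loopback and already-established flows keep working.
        oif lo accept
        ct state established,related accept

        # Name resolution only to the configured resolver (placeholder).
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept

        # HTTPS only to the allowlisted hosts.
        ip daddr @allowed_https tcp dport 443 accept

        # Everything else is logged, counted and dropped. The kernel log
        # line with this prefix is the detection signal worth alerting on:
        # a process trying to reach a destination that was never allowlisted.
        log prefix "egress-denied: " counter drop
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the `egress-denied:` prefix; the counter on the final rule also gives a quick way to see whether anything on the host is attempting connections outside the allowlist. The value of this layer is not that it blocks firmware-level code specifically, but that any implant, whatever its origin, still has to get its traffic past an explicit allowlist and leaves a log entry when it fails.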

No, I don’t worry about “secret agents” covertly breaking into my house, and flashing an advanced theoretical firmware backdoor onto my computer for no apparent reason.

If I understand correctly, @obituary is concerned about backdoors universally deployed in the official firmware, which has not been demonstrated (as far as I know) but is within the realm of possibility. Consider the recent XZ attack whose explicit purpose was to make every linux server compromisable (as long as they have the attacker’s private key). The strategy of “put a backdoor into everything so we don’t have to spend a bunch of resources attacking individual targets” is being actively pursued by at least some entities.

If you actually need to be worried about well funded adversaries (unlikely, but I don’t know where you live or what you do with your time), or someone who is affiliated with a well-funded adversary and is able to abuse the power they were entrusted with for personal reasons, then you need to keep the computer on your person at all times and never connect it to a network. But that’s only if they care about you knowing that they are targeting you and/or leaving evidence that they did so; if they can just grab you off the street and take your laptop by force there’s not much you can do.

That said, if you’re worried about more common scenarios, such as random hackers getting your bank account information or an angry ex hacking into your computer, the BIOS isn’t worth worrying about. There are far easier ways for them to attack you, and using QubesOS properly, setting up a password manager, etc. will be a more valuable use of your time.

1 Like

Letter agencies are often big enough to push seemingly harmless code that produces “magic” signals which a proprietary UEFI might pick up (since it’s scanning all RAM anyway). It is definitely in the realm of possibility and can be happening right now.

Thanks, yes, the post was about (hopefully) unlikely scenarios and is a bit of an extreme when it comes to the boundaries of my threat model. However, it is definitely something to keep in mind, is what I feel. I intended to ask for options for partial mitigation (the reason why I keep parroting reverse-shell attacks).