Re-Ownership and Trust of Shipped Hardware?

I bought a desktop motherboard that was shipped internationally and I am feeling nervous about “trusting” it, as it was held in customs for several days past what I thought was normal. In hindsight I should have requested some form of anti-tampering proofs, even if just some low-budget solution and not necessarily all the bells and whistles.

I have built and flashed Coreboot BIOS but am wondering: is that the only concern? I know there is some talk about other writable firmware (something like Perilous Peripherals: The Hidden Dangers Inside Windows & Linux Computers - Eclypsium | Supply Chain Security for the Modern Enterprise comes to mind), and I know we can quickly get into conspiracy land; but for a regular amount of paranoid for a privacy-minded person (who also isn’t a deep expert), I’m trying to understand my current attack surface.

I don’t think I need to tell this crowd that wanting a computing system without the fear of being unnecessarily spied upon might as well be a human right but I digress. Is there a reasonable way to “re-own” the hardware and feel confident it wasn’t tampered with at this point?

On this topic, say someone did not re-flash the BIOS for example…and there was some form of tampering in that or another firmware device. I can only imagine the goals of any adversary would be remote access. So to that end, if you were to use firewall rules to only allow that machine to talk to say a VPN server would that actually do anything to mitigate some malware at the firmware level (BIOS, or otherwise)? Or once you connect to the VPN and have wide internet access, that broad connection is also shared with whatever malicious firmware malware also?

There are several questions and concerns here. I hope they were intelligible.


AFAIK, there is nothing you can do. There is no practical way to be certain that hardware hasn’t been compromised and no way to definitively “clean” hardware after it has been in the possession of an untrusted party.

If that makes you feel better, anti-tampering only gets so far anyway past very fast transit times.

On the other hand, ordinary things tend to happen for ordinary reasons. Unless you’ve got specific reasons to be concerned @loren19, it might not be unreasonable to attribute delays in customs to an overworked and understaffed public service.

Of course, one can only speculate either way: testing can prove the presence of bugs (or compromise) but not their absence.

My two cents is that it might not be worth ruining your experience of getting the new motherboard and everything you planned to do with it, without good reasons for concern (by your own definition of “good reasons”). Especially IMHO if you’re otherwise taking care of flashing a BIOS you trust etc.


That is unfortunate to say the least, but yes if I consider the possibilities and variables of my circumstances vs. someone like a political dissident it offers some respite I guess. But I fear it will always be in the back of my head, and one of the things Qubes says is if you don’t trust the hardware then :face_with_thermometer:

If I did want to do some extra research, how do you find out which firmware on a motherboard is writable vs. read-only? My thought is couldn’t I at least eliminate X number of the chips present by the fact that they are read-only? Then at least you would have a smaller focus area?

@gonzalo-bulnes What about my question on restricting firewall rules? Say for example we assume something malicious trying to call out to home is in BIOS and I did not flash upon receipt - would that callback only exist outside the OS or would it share w/e internet connection the OS eventually gets (i.e. a VPN or proxy)?

Yes, but that isn’t specific to Qubes. That’s just a general fact about computers.

Yes that is true, just seems extra in relation to Qubes since we go through all this trouble to use a secure system that in the end could easily just be completely subverted if you don’t have eyes on your system at all times. Like how does anyone buy a motherboard, desktop, laptop…heck a phone even, and get it shipped to them domestic or international without the fear of it being compromised along the way then?

Kind of disheartening to be honest.

Any thoughts on my question about using the network to A: search for malicious things calling out to home and/or B: attempt to block potential malware from calling out?

That’s why it all depends on your threat model. Trying to defend against nation state adversaries is entirely different from defending against profit-motivated black hats or script kiddies. If you don’t know what you’re trying to defend against, you don’t know which threats you need to worry about or who you can trust. If you decide that you can’t trust anyone else at all, you’re going to have a hard time rebuilding a modern tech stack from the ground up out of transistors or vacuum tubes or whatever.

I don’t know how to do any of that beyond just using the Qubes firewall to selectively allow certain traffic, but even that isn’t intended to be a leak-prevention mechanism:

loren19
On this topic, say someone did not re-flash the BIOS for example…and there was some form of tampering in that or another firmware device. I can only imagine the goals of any adversary would be remote access. So to that end, if you were to use firewall rules to only allow that machine to talk to say a VPN server would that actually do anything to mitigate some malware at the firmware level (BIOS, or otherwise)? Or once you connect to the VPN and have wide internet access, that broad connection is also shared with whatever malicious firmware malware also?

That wouldn’t do anything, as Intel vPro for example would communicate over specific ports, and blocking those ports would be pointless on the OS. It would have to be set on your router firewall. I would suggest removing the wireless card and only using a USB WiFi or Ethernet adapter, as the IME supposedly can’t detect non-onboard NICs. Or put an AMD card in an Intel machine; that may make it not readable in firmware. I know this is related to the Intel Management Engine, but that is a separate chip on the board that many believe is a backdoor. I believe it is possible for it to be exploited by malware, and I’m pretty sure that’s why Intel released “patches” for it. Also possibly out-of-band connections.

Lenovo had a thing, I believe a supply chain attack, a few years ago where chips were added that were trying to make WiFi connections or scanning, and they released an emergency firmware patch to make it unreadable, similar to ime_cleaner but for this spy chip. Not to mention Superfish.

I’m deeply interested in securing BIOS also. The best thing you could do is flash coreboot or libreboot.

If you can’t, you should at least download the latest BIOS update and run me_cleaner and DXE_cleaner, as it seems DXE modules are commonly used with BIOS malware, but not sure if this would clean them enough?

MoonBounce

Lojax (CompuTrace/Lojack exploit)
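The two network questions in this thread (can you spot a firmware implant calling home, and can you block it) both come down to the same point made above: a management engine or NIC implant has its own network stack, so it does not ride the OS’s VPN tunnel and the OS firewall never sees it. The only place you can observe or filter that traffic is upstream, on the router. The following is an added example, not code from anyone in this thread: it parses constructed router flow records for a host that is supposed to reach exactly one VPN endpoint, flags anything else (with a separate flag for Intel’s documented AMT/ASF management ports), and emits the matching nftables forward-chain fragment. The addresses, ports and log format are assumptions for illustration.

```python
# Added example (not from the thread): audit router-side flow records for a host
# that should only talk to one VPN endpoint, and emit the matching nftables rules.
# All addresses and log lines below are constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOST_IP = "192.168.1.50"      # the suspect machine (hypothetical LAN address)
VPN_IP = "203.0.113.10"       # the only remote peer it is allowed to reach
VPN_PROTO = "udp"
VPN_PORT = 1194

# TCP/UDP ports Intel documents for AMT / ASF out-of-band management.
OOB_MGMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

# Assumed flow-record layout, e.g. from conntrack or a flow exporter on the router.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"].lower())


def classify(f: Flow) -> Optional[str]:
    """Return None for an allowed flow, otherwise a short reason it was flagged."""
    if HOST_IP not in (f.src, f.dst):
        return None  # some other device; out of scope for this audit
    outbound_ok = (f.src == HOST_IP and f.dst == VPN_IP
                   and f.proto == VPN_PROTO and f.dport == VPN_PORT)
    inbound_ok = (f.dst == HOST_IP and f.src == VPN_IP
                  and f.proto == VPN_PROTO and f.sport == VPN_PORT)
    if outbound_ok or inbound_ok:
        return None
    # Management-port traffic to or from the host is the most telling case, since
    # the OS firewall never sees what the management engine's own stack sends.
    if f.dport in OOB_MGMT_PORTS or f.sport in OOB_MGMT_PORTS:
        return "out-of-band management port"
    return "traffic outside the VPN endpoint"


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        reason = classify(f)
        if reason is not None:
            findings.append((f, reason))
    return findings


def nft_rules() -> str:
    """nftables fragment for the upstream router's forward path (not for the host)."""
    return "\n".join([
        "table inet vpn_only {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr {HOST_IP} ip daddr {VPN_IP} {VPN_PROTO} dport {VPN_PORT} accept",
        f"    ip saddr {VPN_IP} ip daddr {HOST_IP} {VPN_PROTO} sport {VPN_PORT} accept",
        f'    ip saddr {HOST_IP} counter log prefix "vpn-only drop " drop',
        f'    ip daddr {HOST_IP} counter log prefix "vpn-only drop " drop',
        "  }",
        "}",
    ])


# Constructed sample records: a VPN handshake both ways, a stray HTTPS
# connection, an inbound probe of the AMT web port, and an unrelated host.
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01 src=192.168.1.50:51820 dst=203.0.113.10:1194 proto=udp",
    "2024-01-01T10:00:02 src=203.0.113.10:1194 dst=192.168.1.50:51820 proto=udp",
    "2024-01-01T10:00:03 src=192.168.1.50:40001 dst=198.51.100.7:443 proto=tcp",
    "2024-01-01T10:00:04 src=198.51.100.7:5555 dst=192.168.1.50:16992 proto=tcp",
    "2024-01-01T10:00:05 src=192.168.1.20:33333 dst=198.51.100.7:443 proto=tcp",
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"FLAG {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
    print(nft_rules())
```

Two caveats a practitioner would add. First, these rules only constrain traffic that crosses the router; an implant in the NIC or management engine can still talk to other machines on the same LAN segment, so put the suspect host on its own VLAN or switch port if you want the filter to mean anything. Second, the rules key on the host’s IP, which assumes the implant shares it; AMT can also take its own DHCP lease, so filtering by switch port or MAC is more robust than trusting the IP alone. Note also that the allow-list leaves no room for DNS or DHCP, so the VPN endpoint has to be configured by IP, as in the example.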

@gonzalo-bulnes
Unless you’ve got specific reasons to be concerned @loren19, it might not be unreasonable to attribute delays in customs to an overworked and understaffed public service.

Yeah, I never flashed Coreboot or the things above, but am worried that a CH341A programmer could be malicious? I bought this one to learn how to flash and fix used computers I get from people. However, the order got lost in transit in the facility near me. So I reordered again and it came right away, which makes me question if it’s the same one that got lost. Not sure if that’s how Amazon Scamazon works (reshipping lost items)?