Re: Study: Attacks on package managers (inclusing apt)

[Michael Stone <mstone@debian.org>]

On Thu, Jul 17, 2008 at 11:30:12AM -0400, Micah Anderson wrote:
> Although PGP-signed Release file prevent tampering with files, the
> attack doesn't require tampering with files or tampering with signed
> release files. If I were to MitM security.debian.org, I could provide
> an outdated (yet properly signed) mirror of the security packages to
> you. I would simply supply, via a MitM, a mirror that was not updated,
> so that the packages you were getting were valid and signed. They just
> are out-dated, so that you would not receive critical security
> upgrades.

Sure. Luckily we have multiple channels by which information about 
security updates is distributed, so people will know if they are missing 
updates. Note that you will have to MITM multiple servers as 
security.debian.org is a round robin, and any update of the Packages 
will invalidate older versions.

> Following on that attack is the fact that its easy to join the mirror
> network and once you are in, you can do the same thing as above and
> keep your mirror a day or four out of date, so that people who use
> your mirror aren't getting updates for issues that enter through the
> normal channels. You also have a list of IPs that use your mirror that
> don't have these updates.

It is not easy to become a security mirror. Becoming a non-security 
mirror doesn't lead to obviously interesting attack. Unless you're 
talking about people tracking unstable, but in my experience people 
tracking unstable notice if a day passes without updates...

Mike Stone