Re: Have I caught a firmware attack in the act? Or am I just paranoid?
Dear Rebecca,
On 13.08.19 at 09:14, Rebecca N. Palmer wrote:
> (b), physical access attack, would require an attacker breaking into
> my home. (It has been several years since I last took the affected
> flash drive anywhere else or plugged it into any other computer.) If
> they're willing to do that, I seem a strange choice of target: a
> Debian Maintainer is high-value compared to a random user (because
> their uploads can infect others) but probably not the highest-value
> target in a tech-heavy city.
Just think of central intelligence. They know when you are outside of
your home by locating your mobile phone, and they can easily unlock your
door because they have access to the lock and key service. Central
intelligence usually does not target Debian software directly. If
malware was distributed via the official release or update service, then
someone would get to know it and proper antivirus/malware detection
software could be written. They will never do so. They only target
specific individuals like you, and many people do not know first hand
why they are targeted. What they also do is stealing secret gpg keys
from computers that are online.
> My integrity_check.py script (checking that system files match the
> Debian packages they come from) and clamav don't find such malware,
> but that's not proof. usbguard probably blocks the DFU method of
> writing to firmware (since I don't have any 0xFE interfaces in my
> allowed list), but at least some USB flash drives instead use an SCSI
> command [1], which usbguard won't catch.
Have you written something like debcheckroot? If yes, I would be
interested in it. debcheckroot is GPL, so it could be an option to
continue developing it, though I did not have the time to do so in the
last years. However, it currently still uses the unsafe md5sum. However,
I have not seen the checksum algorithm being targeted directly up to
now. It may be more probable that they simply infect a hidden file in
your home directory or some binary file like the syslog, which then loads
the malware on every boot. Comparing or checksumming files cannot detect
such kind of malware.
https://www.elstel.org/debcheckroot/
I would presume that you have booted from DVD when checking your
installation, since it does not make sense to check from within an
infected system. That would fail in almost 100% of the cases.
> I have unplugged the affected flash drive, but either (b) or (c) would
> imply that it may not be the only device infected - and also that even
> if I do replace my whole computer, they may be able to repeat the attack.
There is hardly any way to get a computer safe except when you remove
all networking hardware, putting the computer offline, and then always
carry the M.2 drive to boot from with you. It would be a question why
they would target your USB drive and not your computer, or why they do
not simply break in via your email or web browsing program. I have only
seen intelligence visiting my home when I left an offline computer
around with an HDD.
In case you are interested, here is some more security related
material on my web page:
https://www.elstel.org/software/GnuPG-usage.html.en
https://www.elstel.org/CyberAttack-elstel.html.en
Regards,
Elmar
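As an added example, not Elmar's debcheckroot nor Rebecca's integrity_check.py, here is a minimal check of the kind discussed in this thread: it verifies files against dpkg-style md5sums lists and, because such lists can only vouch for files they name, it separately reports every file on disk that no list covers. The directory, file names and contents are constructed for the demo; real use would point it at a mounted root from clean boot media and feed it /var/lib/dpkg/info/*.md5sums.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_md5sums(text):
    """Parse a dpkg-style md5sums list: '<md5 hex>  <relative path>' per line."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, relpath = line.partition("  ")
            expected[relpath] = digest.strip().lower()
    return expected

def verify_root(root, expected):
    """Check files under root against the md5sums map.

    Returns (mismatched, missing, unlisted). Only listed files can be
    verified; a file no list covers (the 'hidden file' case in the mail)
    is merely reported as unlisted. Run from clean boot media, since a
    compromised running system can lie about file contents.
    """
    root = Path(root)
    mismatched, missing = [], []
    for relpath, digest in expected.items():
        path = root / relpath
        if not path.is_file():
            missing.append(relpath)
        elif hashlib.md5(path.read_bytes()).hexdigest() != digest:
            mismatched.append(relpath)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    unlisted = sorted(on_disk - set(expected))
    return mismatched, missing, unlisted

def demo():
    """Constructed sample root: one tampered, one missing, one unlisted file."""
    tool = b"#!/bin/sh\necho ok\n"
    conf = b"mode=safe\n"
    md5sums = (
        f"{hashlib.md5(tool).hexdigest()}  usr/bin/tool\n"
        f"{hashlib.md5(conf).hexdigest()}  etc/tool.conf\n"
        f"{'0' * 32}  usr/share/doc/tool/README\n"  # listed but never installed
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in [("usr/bin/tool", tool), ("etc/tool.conf", b"mode=evil\n"),
                          ("usr/lib/.hidden", b"not from any package\n")]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return verify_root(root, parse_md5sums(md5sums))
```

md5 is used here only because that is the digest dpkg ships; the check detects altered listed files but, as the mail says, says nothing about what an unlisted file does.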