Re: Have I caught a firmware attack in the act? Or am I just paranoid?

[Elmar Stellnberger <estellnb@gmail.com>]

Dear Rebecca

Am 13.08.19 um 09:14 schrieb Rebecca N. Palmer:
> (b), physical access attack, would require an attacker breaking into 
> my home.  (It has been several years since I last took the affected 
> flash drive anywhere else or plugged it into any other computer.) If 
> they're willing to do that, I seem a strange choice of target: a 
> Debian Maintainer is high-value compared to a random user (because 
> their uploads can infect others) but probably not the highest-value 
> target in a tech-heavy city.

  Just think of central intelligence. They know when you are outside of 
your home by locating your mobile phone and they can easily unlock your 
door because they have access to the lock and key service. Central 
intelligence usually does not target Debian software directly. If a 
malware was distributed via the official release or update service then 
someone would get to know it and proper antivirus/malware detection 
software could be written. They will never do so. They only target 
specific individuals like you - and many people do not know in a first 
hand why they are targeted. What they also do is steeling secret gpg 
keys from computers that are online.

> My integrity_check.py script (checking that system files match the 
> Debian packages they come from) and clamav don't find such malware, 
> but that's not proof.  usbguard probably blocks the DFU method of 
> writing to firmware (since I don't have any 0xFE interfaces in my 
> allowed list), but at least some USB flash drives instead use an SCSI 
> command [1], which usbguard won't catch.

  Have you written something like debcheckroot? If yes I would be 
interested in it. debcheckroot is GPL so it could be an option to 
continue developing it though I did not have the time to do so in the 
last years. However it currently still uses unsafe md5sum. However I 
have not seen the checksum algorithm being targeted directly up to now 
yet. It may be more probable that they simply infect a hidden file in 
your home directory or some binary file like the syslog which then loads 
the malware on every boot. Comparing or checksuming files can not detect 
such kind of malware.

https://www.elstel.org/debcheckroot/

  I would presume that you have booted from DVD when checking your 
installation since it does not make sense to check from within an 
infected system. That would be going to fail in almost 100% of the cases.

> I have unplugged the affected flash drive, but either (b) or (c) would 
> imply that it may not be the only device infected - and also that even 
> if I do replace my whole computer, they may be able to repeat the attack.

  There is hardly any way to get a computer safe except when you remove 
all networking hardware putting the computer offline and then always 
carry the M.2 drive to boot from with you. It would be a question why 
they would target your USB drive and not your computer or why they do 
not simply break in via your email or web browsing program. I have only 
seen intelligence visiting my home when I left an offline computer 
around with HDD.

  In case your are interested here is some more security related 
material on my web page:

https://www.elstel.org/software/GnuPG-usage.html.en

https://www.elstel.org/CyberAttack-elstel.html.en


Regards,

Elmar