
Re: Have I caught a firmware attack in the act? Or am I just paranoid?

Dear Rebecca

On 13.08.19 at 09:14, Rebecca N. Palmer wrote:
> (b), physical access attack, would require an attacker breaking into my home.  (It has been several years since I last took the affected flash drive anywhere else or plugged it into any other computer.) If they're willing to do that, I seem a strange choice of target: a Debian Maintainer is high-value compared to a random user (because their uploads can infect others) but probably not the highest-value target in a tech-heavy city.

  Just think of central intelligence. They know when you are outside of your home by locating your mobile phone, and they can easily unlock your door because they have access to the lock and key service. Central intelligence usually does not target Debian software directly. If malware was distributed via the official release or update service, then someone would get to know it and proper antivirus/malware detection software could be written. They will never do so. They only target specific individuals like you - and many people do not know first hand why they are targeted. What they also do is stealing secret gpg keys from computers that are online.

> My integrity_check.py script (checking that system files match the Debian packages they come from) and clamav don't find such malware, but that's not proof.  usbguard probably blocks the DFU method of writing to firmware (since I don't have any 0xFE interfaces in my allowed list), but at least some USB flash drives instead use an SCSI command [1], which usbguard won't catch.

  Have you written something like debcheckroot? If yes, I would be interested in it. debcheckroot is GPL, so it could be an option to continue developing it, though I did not have the time to do so in the last years. However, it currently still uses the unsafe md5sum. However, I have not seen the checksum algorithm being targeted directly up to now. It may be more probable that they simply infect a hidden file in your home directory or some binary file like the syslog, which then loads the malware on every boot. Comparing or checksumming files cannot detect such a kind of malware.


  I would presume that you have booted from DVD when checking your installation, since it does not make sense to check from within an infected system. That would fail in almost 100% of the cases.

> I have unplugged the affected flash drive, but either (b) or (c) would imply that it may not be the only device infected - and also that even if I do replace my whole computer, they may be able to repeat the attack.

  There is hardly any way to get a computer safe except when you remove all networking hardware, putting the computer offline, and then always carry the M.2 drive to boot from with you. It would be a question why they would target your USB drive and not your computer, or why they do not simply break in via your email or web browsing program. I have only seen intelligence visiting my home when I left an offline computer around with an HDD.

  In case you are interested, here is some more security related material on my web page:

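As an added illustration (not code from this thread, and neither Rebecca's integrity_check.py nor the author's debcheckroot): a small Python check of the kind both scripts perform, comparing a file tree against a dpkg-style .md5sums manifest and, in addition, reporting files that no manifest covers at all, which is exactly where a planted hidden file in a home directory would sit and why a pure checksum comparison stays silent about it. The manifest, the sample tree and the file names are constructed for the demo.

```python
# Added example (not from the thread): verify a tree against a dpkg-style .md5sums
# manifest and also list files no manifest covers (a planted $HOME file shows only there).
import hashlib
import os
import tempfile

def parse_md5sums(text):  # dpkg .md5sums format: '<md5hex>  <relative path>'
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.partition("  ")
            manifest[path] = digest.lower()
    return manifest

def file_digest(path, algo="md5"):
    h = hashlib.new(algo)  # md5 matches dpkg; use sha256 for manifests you keep
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_tree(root, manifest):
    """Return sorted (modified, missing, unmanaged) relative paths under root."""
    modified, missing, unmanaged = [], [], []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif file_digest(full) != expected:
            modified.append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                unmanaged.append(rel)  # no manifest owns it: checksums say nothing
    return sorted(modified), sorted(missing), sorted(unmanaged)

def demo():  # constructed tree: one intact, one altered, one missing, one planted
    root = tempfile.mkdtemp()
    good = b"#!/bin/sh\necho ok\n"
    files = {"usr/bin/good": good, "usr/bin/bad": good + b"#implant\n",
             "home/user/.implant": b"x"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    md5 = hashlib.md5(good).hexdigest()
    manifest = parse_md5sums(f"{md5}  usr/bin/good\n{md5}  usr/bin/bad\n"
                             f"{'0' * 32}  usr/bin/gone\n")
    return check_tree(root, manifest)
```

On a real Debian system the manifests live in /var/lib/dpkg/info/*.md5sums and are only trustworthy when read from a boot medium you control, as the reply points out.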