Security / firmware / Excessive caution / delivery / hacking

Hey All,

Say you were an activist and wanted to ensure a secure boot, secure firmware, and secure everything, or say you were an agent wanting to intercept a delivery and hack the shit out of it because no one is there to tell you not to, what would be the way to identify this?

If you receive all the parts, which would be compromised? How would you undo that hack? Can firmware be re-flashed by the consumer?

Overly cautious / paranoid solutions welcome! Brainstorming.

Of course this never ever happens, but just say it did!? :slight_smile:

If your threat model is that high, you would have to go through some extreme measures to try to feel some sense of security.

With a high enough threat model, you simply can not be secure with modern computers. How about discussing more reasonable threat models? The first step in something like this is creating a real and reasonable threat model for yourself. Honestly assessing how much resources, in money, time and manpower someone would spend on you. What are you really worth to them.

1 Like

You would treat it like an explosive threat, that your life depends on it. Don’t approach it, ditch it.

You don’t know what you don’t know. And that includes the threat actors’ ability manipulation the object / laptop. It could be beyond your skill to identify the modification, and beyond your ability to remediate it.

Get another unit and modify your supply chain / logistic process.

2 Likes

If someone is willing to monitor and intercept a hardware delivery to compromise you, you have bigger worries than getting a computer delivered. Enthusiast security is a really cool field, but it has to be grounded in a reasonable threat model. Much more immediate is post-boot data aggregation, especially what we do online.

Modern privacy OSes actually do have compartmentalization and hardware trust levels. Qubes for certain would be worthwhile researching if you’re worried about hardware compromise.

5 Likes

Get the Framework Chromebook, and use it only with a Google account with the Advanced Protection Program turned on.

Powerwash the device prior to travelling through any checkpoints.

Log out and use the guest mode for browsing whenever it’s not necessary to have access to your account.

See these docs for background on security considerations underlying ChromeOS devices:

https://www.chromium.org/chromium-os/chromiumos-design-docs/

2 Likes

Qubes is pretty interesting. And yes, this is the idea, how to build an end point machine running as secure as possible. Part mental exercise, but also, to do the best one can to achieve this.

Asking for a friend of course.

I’ve used a Chromebook and it can be great aside the Google data collection business model. (a principle kind of thing).

Thanks all for the replies. I"ll move my line of questioning to more security focused forums. But it would be cool to know what to look for if a computer was tampered with!

Ie, how to dump and checksum a firmware on arrival, and/or wipe it clean. (I’ll read the docs!). And to compare a board with photos of what it should arrive like. Perhaps Frame.work supplies those photos.

I think everyone should concern themselves with end point security as much as they possibly can. Journalists & activists especially.

Take care and thanks again!

How to read the embedded controller manually

There are some photos on Framework’s upgrade and repair guides, but I don’t know if you can read all of the chip part numbers on those. Some chip part numbers might be found in Framework’s github. I recall the Embedded Controller part number is there.