Michael English: > Intrigeri,
>
> First, we should identify the problem. Tails does not replace all of the
> software on one's computer. There is additional storage on the SPI flash
> chip which carries the BIOS and ME, and there is the USB stick which has
> its own firmware. As shown by LegbaCore, this software outside of Tails
> can be easily infected. “Since almost no organizations in the world
> provide BIOS patch management, it is almost guaranteed that any given
> system has at least one exploitable BIOS vulnerability that has
> previously been publicly disclosed. Also, the high amount of code reuse
> across UEFI BIOSes means that BIOS infection is automatable and
> reliable.” Once the firmware is infected, the malware is more privileged
> than all applications and operating systems. Basically, Tails is
> completely useless on insecure hardware.
>
> Your question about the audience is a bit of a leading question. All
> Tails users should be the audience. Currently, Tails only has
> documentation about warnings of firmware vulnerabilities. However,
> readers have no course of action to take against this serious problem.
> Anyone who cares about their privacy/security/freedom enough to run
> Tails should purchase or configure secure hardware.
>
> One solution to the vulnerable SPI flash chip that we can document is
> Libreboot. Unlike Coreboot, Libreboot is completely open-source without
> the Intel FSP and provides easy to understand documentation. There are
> two options to get a Libreboot X200. First, one can buy a refurbished
> Lenovo ThinkPad X200 from a electronics store like Newegg in the United
> States. (I assume that there is a European equivalent.) Then, he or she
> can follow the relatively easy-to-understand instructions on the
> Libreboot website for installing the BIOS
> https://libreboot.org/docs/hcl/x200.html and removing the ME
> https://libreboot.org/docs/hcl/gm45_remove_me.html . Second, one can buy
> a laptop with Libreboot pre-installed. The Free Software Foundation has
> a list of hardware that respects your freedom and currently includes two
> companies that sell Libreboot laptops:
> https://www.fsf.org/resources/hw/endorsement/respects-your-freedom . I
> personally recommend Minifree which is run by the same person who
> founded Libreboot. When buying a laptop with Libreboot pre-installed,
> one does not have to worry about making a mistake in the installation
> process, financially supports Libreboot, and gets a longer warranty in
> the case of Minifree which offers a whole two year warranty. I do not
> recommend that we specifically promote one company on the Tails website,
> but we should link to the Respects Your Freedom page as an option
> instead of the manual install.
>
> Another small note about the X200 is that it has a wireless kill switch
> to prevent the leaking of sensitive information over the network without
> the user noticing.
>
> I am unsure what to do about the vulnerable firmware on the USB stick
> that runs Tails. As far as I know, there is no open-source USB
> drives/firmware. Though, USB drive malware could be almost as damaging
> as the BIOS/ME because it can perform MITM attacks between the OS and
> flash memory. Here are a couple videos which explain USB stick/SD card
> firmware vulnerabilities: https://www.youtube.com/watch?v=nuruzFqMgIw > https://www.youtube.com/watch?v=CPEzLNh5YIo . Please let me know if
> there is a solution to vulnerable USB stick firmware and if some USB
> sticks more secure than others.
>
> Cheers,
> Michael English
>
