Re: [Tails-dev] BIOS attack

Author: Tobias Frei
Date:  
To: The Tails public development discussion list
CC: james.john.jones
Subject: Re: [Tails-dev] BIOS attack
Hey,

Disclaimer: I am a regular user, not a security expert. I am not a
developer in this project, I'm subscribed to the list because I ran a Tails
mirror for some years.

Three things that came to my naive mind when reading:

- Cui bono?
- Hanlon's Razor
- Number of users vs. Coincidence

Is there any reason for an attack? Does the specific worker have any
theoretical reason to be malicious here?

Also, when a product is used by a billion people, a bug with a probability
of "only 1:1000000" will occur about 1000 times. Extremely unlikely
scenarios can suddenly actually happen when many people are using the same
software. It is almost guaranteed that somewhere in the world, an
earthquake will occur in the moment someone starts their computer. The
computer, however, did not cause the earthquake to happen.

There is a wonderful book called "Spurious Correlations". It makes fun of
exactly this problem.

Best regards
Tobias Frei


On Fri, Feb 2, 2018, 19:40 <james.john.jones@???> wrote:

> Excuse me - I have joined this group to discuss what may have been a 'high
> end' BIOS attack.
> I am presuming that this group contains the most knowledgeable people.
> I need that.
>
> While the scenario outlined below is very 'Grand Jeu' I will not be at all
> surprised to learn that you believe this to be a hack.
>
> ---------------------------------------
>
> This is exactly what happened:
>
> Laptop circa 2011 (bios date)
> AMD DCP C-50
> Tails 3.5 loaded from a USB drive
>
> At a friend's - laptop on the table in kitchen (pre-arranged over the
> phone).
> Workmen are doing jobs.
> (The IP box can give the WiFi connection at the press of a button) ;)
>
> A LibreOffice doc saved in the session - other docs saved on a mounted
> removable drive.
>
> One worker comes in the kitchen - he starts tapping away on his mobile
> (just 3 meters away).
>
> Note - he has no need to be in the kitchen to get a signal - the walls are
> thick, so outside would be better (if you don't have the wifi code).
>
> He makes a final tap, and walks... and my PC shuts down.
> Some code appeared, but it shut down.
>
> Obviously it could be coincidental; but I'm sick of frigging coincidences.
> The shutdown was simultaneous to his final tap on his mobile.
>
> ---------------------------------------------
>
> Post reboot - no apparent problems, other than it seemed to take slightly
> longer to log into accounts.
> I carried out my communications.
>
> A day later, I posted an email to tails-support-private@??? (on this
> question).
> I received no reply.
>
> Researched BIOS attacks, and checked my bios version.
> https://www.schneier.com/blog/archives/2015/03/bios_hacking.html
>
> Talk of:
> "Their exploit turns down existing protections in place to prevent
> re-flashing of the firmware, enabling the implant to be inserted and
> executed.
>
> The devious part of their exploit is that they've found a way to insert
> their agent into System Management Mode, which is used by firmware and runs
> separately from the operating system, managing various hardware controls.
> System Management Mode also has access to memory, which puts supposedly
> secure operating systems such as Tails in the line of fire of the implant."
>
>
> Also:
> "The method used to get at the BIOS then allows the likes of GCHQ et al to
> get at other modifiable ROM in the likes of HDs, Sound Chips, Network cards
> and other "below the OS" areas.
>
> Having done this they can then put the main BIOS back the way it was, so
> that it's harder to find what they have been up to."
>
> ---------------------------------------------
>
> Rebooted to Tails.
> Tails warns: can't check for upgrades.
>
> Tutanota mailbox warns: Couldn't connect to server - it seems like you are
> offline.
> But I was online, and could see my mailbox.
> ---------------------------------------------
>
> First thing is:
> Have you received this mail?
> Could someone respond, to confirm this?
>
> Does it seem likely that I have been hacked?
> Is there any way of knowing, e.g. running tests?
> If it has been hacked - is the laptop now unusable?
> If I was hacked - have they got everything that I've done since that point
> (and the data off my drives)?
>
> I'm cool either way.
> What's done is done; but I'd rather know.
>
> BTW, I tried to get a riseup email, but it kept demanding an invite code.
> Anyway, I figured that I first need to check with you guys re my current
> status, before doing anything else.
>
> Thanks :)
>
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
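The original poster asks whether any test can show that the firmware was modified. The script below is an added example, not code from this thread, from Tails or from any of the people quoted: it records a SHA-256 baseline of a firmware image dump and checks later dumps against it. It assumes a dump file already exists; how that dump is obtained (for instance with flashrom's internal programmer, `flashrom -p internal -r dump.bin`) depends on the board and is an assumption here, not something the thread establishes for this laptop. The "firmware" files in the demonstration are constructed stand-ins, not real images.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-compare check for a
# firmware image dump. Dump acquisition (e.g. flashrom) is assumed, not shown.

# SHA-256 of a file; works with either sha256sum (coreutils) or shasum (BSD/macOS).
fw_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record a baseline: writes "<sha256>  <filename>" to the baseline file.
# $1 = trusted dump file, $2 = baseline file to write
fw_record_baseline() {
    printf '%s  %s\n' "$(fw_hash "$1")" "$(basename "$1")" > "$2"
}

# Compare a new dump against the baseline.
# Returns 0 on match, 1 on mismatch, 2 if the baseline file is unreadable.
# $1 = new dump file, $2 = baseline file
fw_check() {
    [ -r "$2" ] || { echo "no baseline at $2" >&2; return 2; }
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(fw_hash "$1")
    if [ "$expected" = "$actual" ]; then
        echo "MATCH $actual"
        return 0
    fi
    echo "MISMATCH expected=$expected actual=$actual"
    return 1
}

# Constructed demonstration data (not real firmware): two small images that
# differ in a few bytes, standing in for a pristine dump and a modified one.
demo_dir=$(mktemp -d)
printf 'FIRMWARE-IMAGE-v1 build A' > "$demo_dir/pristine.bin"
printf 'FIRMWARE-IMAGE-v1 build B' > "$demo_dir/modified.bin"

# Take the baseline from the trusted image, then check both dumps against it.
fw_record_baseline "$demo_dir/pristine.bin" "$demo_dir/baseline.sha256"
fw_check "$demo_dir/pristine.bin" "$demo_dir/baseline.sha256"           # exit 0, prints MATCH
fw_check "$demo_dir/modified.bin" "$demo_dir/baseline.sha256" || true   # exit 1, prints MISMATCH
```

Two caveats matter in practice. A dump taken from inside the running operating system is only as trustworthy as the firmware that answers the read, which is exactly the concern the quoted Schneier excerpt raises about System Management Mode; a baseline captured with an external SPI programmer before the machine is put into service is the reference to keep. And a mismatch is not by itself proof of tampering: a vendor update, or NVRAM variables that live in the same flash part, also change the hash, so where the flash layout is known it is better to compare the code regions than the whole raw image.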