Re: [Tails-dev] BIOS attack

Author: Tobias Frei
Date:  
To: james.john.jones
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] BIOS attack
Hi,

"in all likelihood": When you hear hoofbeats, think of horses, not zebras.
;)

https://en.wikipedia.org/wiki/Soft_error

Best regards
Tobias Frei

On Fri, Feb 2, 2018, 21:50 <james.john.jones@???> wrote:

> Thanks Tobias,
> It is always good to know that contact has been made.
> What a shame that it is not likely to be one of those scenarios that you
> outline :(
>
> I do accept that it could be a bizarre coincidence, but.....
>
>
> "While the scenario outlined below is very 'Grand Jeu' I will not be at
> all surprised to learn that you believe this to be a hack."
> ----------------------------------------
>
> This must be taken seriously.
> I haven't carefully crafted the email to waste people's valuable time.
> There is every reason to consider the event as a realistic scenario.
>
> It may not be.
> That would be great.
>
> My problem is that, like most people, I never studied digital security.
> I'm having to catch up; but I can't - it's too complex.
>
> I got Tails, and some secure mailboxes.
> However, with hindsight, logically, this is merely a security layer to be
> overcome.
>
> Anyway, my guess is: that is what happened.
>
> For a variety of reasons, it would be useful to know.
> Even if we can't run tests.
>
> Can such a hack be implemented with a mobile phone?
> Is the laptop in all likelihood lost?
>
> Are there any devs that can answer these questions?
>
> I'm one of the good guys.
> I'd appreciate some help on this :)
>
>
>
>
> --
> Securely sent with Tutanota. Claim your encrypted mailbox today!
> https://tutanota.com
>
> 2. Feb 2018 19:12 by tobias@???:
>
>
> Hey,
>
> Disclaimer: I am a regular user, not a security expert. I am not a
> developer in this project, I'm subscribed to the list because I ran a Tails
> mirror for some years.
>
> Three things that came to my naive mind when reading:
>
> - Cui bono?
> - Hanlon's Razor
> - Number of users vs. Coincidence
>
> Is there any reason for an attack? Does the specific worker have any
> theoretical reason to be malicious here?
>
> Also, when a product is used by a billion people, a bug with a probability
> of "only 1:1000000" will occur about 1000 times. Extremely unlikely
> scenarios can suddenly actually happen when many people are using the same
> software. It is almost guaranteed that somewhere in the world, an
> earthquake will occur in the moment someone starts their computer. The
> computer, however, did not cause the earthquake to happen.
>
> There is a wonderful book called "Spurious Correlations". It makes fun of
> exactly this problem.
>
> Best regards
> Tobias Frei
>
>
> On Fri, Feb 2, 2018, 19:40 <james.john.jones@???> wrote:
>
>> Excuse me - I have joined this group to discuss what may have been a
>> 'high end' BIOS attack.
>> I am presuming that this group contains the most knowledgeable people.
>> I need that.
>>
>> While the scenario outlined below is very 'Grand Jeu' I will not be at
>> all surprised to learn that you believe this to be a hack.
>>
>> ---------------------------------------
>>
>> This is exactly what happened:
>>
>> Laptop circa 2011 (bios date)
>> AMD DCP C-50
>> Tails 3.5 loaded from a USB drive
>>
>> At a friend's - laptop on the table in the kitchen (pre-arranged over the
>> phone).
>> Workmen are doing jobs.
>> (The IP box can give the WiFi connection at the press of a button) ;)
>>
>> A Libre Office doc saved in the session - other docs saved on a mounted
>> removable drive.
>>
>> One worker comes in the kitchen - he starts tapping away on his mobile
>> (just 3 meters away).
>>
>> Note - he has no need to be in the kitchen to get a signal - the walls
>> are thick, so outside would be better (if you don't have the wifi code).
>>
>> He makes a final tap, and walks... and my pc shuts down.
>> Some code appeared, but it shut down.
>>
>> Obviously it could be coincidental; but I'm sick of frigging coincidences.
>> The shutdown was simultaneous with his final tap on his mobile.
>>
>> ---------------------------------------------
>>
>> Post reboot - no apparent problems, other than it seemed to take slightly
>> longer to log into accounts.
>> I carried out my communications.
>>
>> A day later, I posted an email to tails-support-private@??? (on
>> this question).
>> I received no reply.
>>
>> Researched BIOS attacks, and checked my bios version.
>> https://www.schneier.com/blog/archives/2015/03/bios_hacking.html
>>
>> Talk of:
>> "Their exploit turns down existing protections in place to prevent
>> re-flashing of the firmware, enabling the implant to be inserted and
>> executed.
>>
>> The devious part of their exploit is that they've found a way to insert
>> their agent into System Management Mode, which is used by firmware and runs
>> separately from the operating system, managing various hardware controls.
>> System Management Mode also has access to memory, which puts supposedly
>> secure operating systems such as Tails in the line of fire of the implant."
>>
>>
>> Also:
>> "The method used to get at the BIOS then allows the likes of GCHQ et al
>> to get at other modifiable ROM in the likes of HDs, Sound Chips, Network
>> cards and other "below the OS" areas.
>>
>> Having done this they can then put the main BIOS back the way it was, so
>> that it's harder to find what they have been up to."
>>
>> ---------------------------------------------
>>
>> Rebooted to Tails.
>> Tails warns: can't check for upgrades.
>>
>> Tutanota mailbox warns: Couldn't connect to server - it seems like you
>> are offline.
>> But I was online, and could see my mailbox.
>> ---------------------------------------------
>>
>> First thing is:
>> Have you received this mail?
>> Could someone respond, to confirm this?
>>
>> Does it seem likely that I have been hacked?
>> Is there any way of knowing, e.g. running tests?
>> If it has been hacked - is the laptop now unusable?
>> If I was hacked - have they got everything that I've done since that
>> point (and the data off my drives)?
>>
>> I'm cool either way.
>> What's done is done; but I'd rather know.
>>
>> BTW, I tried to get a riseup email, but it kept demanding an invite code.
>> Anyway, I figured that I first need to check with you guys re my current
>> status, before doing anything else.
>>
>> Thanks :)
>>
>> --
>> Securely sent with Tutanota. Claim your encrypted mailbox today!
>> https://tutanota.com
>> _______________________________________________
>> Tails-dev mailing list
>> Tails-dev@???
>> https://mailman.boum.org/listinfo/tails-dev
>> To unsubscribe from this list, send an empty email to
>> Tails-dev-unsubscribe@???.