This reminds me of a recently discussed [0,1] new method for tamper evident packing. The item is completely surrounded with multi-colored small objects (like rice, though plastic pellets would probably be better for customs to avoid plant pest inspections) in a clear vacuum sealed bag. The random patterns are too complex to recreate after tampering since accessing the device requires breaking the vacuum seal and disturbing the pattern, then resealing it and somehow manipulating the grains back into place from the other side of the plastic. Sending photos from each side for comparison on an off-channel medium is all that's required to verify tamper safety. The pellets or rice stay in place surprisingly well under a vacuum seal, and nesting of vacuum seal bags can be used to increase security or daisy-chain in multiple packages.
This might be worth looking into for Purism since it takes a lot less effort than painting each screwhead, which I believe has also been defeated without detection (it's mentioned in the linked article). Maybe a combined approach would work best for narrowing down the tampered with areas.
Two factors are important for a viable anti-tamper technology.
First, the recipient must have an available technology to verify
integrity. The random beads/rice method is cool because you just need
a digital camera. Software that works like face recognition (a set of
distance vectors between identifiable features) can run in seconds.
There are 3D scanners that can snapshot an object to such accuracy
that fingerprints will show up like mountain ranges. The point cloud
for a laptop PCB is many gigabytes. We can send a hash to save
space. Of course it's totally useless to an average person who doesn't
have the same advanced scanner which costs millions. X-rays, which are
super useful for supply chain integrity present a similar problem.
But that creates a second problem, worse in a way. The technology
cannot be too good. The scanner will pick up the thermal drift of
solder during transit. That, or speck of dust, will then throw up a
false positive. Unless you visually verify what the disturbance is
(can't do that with the hash, need the full scan and it's time
consuming) now you have a suspect device.
Because digital devices might be maliciously soft-modified in
undetectable ways, we can't take a chance. a $1000 device has to go in
the trash. Too many false positives and it's not viable.
My feeling is that several low-tech methods in cascade (to create
defence in depth) are better than any single hi-tech method.
Lossily compress the point cloud then, come on. For thin two-sided objects like laptops, rasterize the depth map of each side.
You might be interested in how biometric hashes for things like fingerprints or irises work, since these have the same problems: the biometric is decomposed into a “stable” part and an “unstable” part. The stable part is hashed and the unstable part is encoded as a residual. W.J.Scheirer and T.E.Boult’s work on bipartite biotokens is one potential implementation
> W.J.Scheirer and T.E.Boult's work on bipartite biotokens is one
potential implementation
Cheers. Something maybe like that already going on with a bespoke
principal component analysis. But finding the needle in the haystack
is knowing what _might_ change and be significant. Perhaps someone
re-flashes a EEPROM, leaving only tiny dimple in a gold PCB pad. A
system sensitive enough to pick that up doesn't necessarily know that
a micro-fracture caused by vibration isn't a threat. What you're
suggesting might be good for image processing of the plastic bead
vacuum shield though.
> Additionally, the seal has a blob of glue with multi-coloured glitter inside. This is photographed close-up by the inspectors once it is in place and then again when inspectors return.
It is different, the glue with glitter is hardened and adhered to the seal, making hard to replace that specific seal with another like seal. The vacuum sealed package compress and lock the beads (but could be glitter) into place, if the seal is broken, the random pattern visible through the vacuum sealed package is broken.
Glitter nail polish is literally the first item discussed in the article linked by the parent poster, with the claim notably being:
"With the first two methods [of applying glitter nail polish], it is sometimes very difficult or even impossible to detect manipulations. However, a thorough approach can increase the chances."
Additionally, glitter nail polish is specifically what's written in the OP post (by the Librem team).
If you want to protect a device between the factory and receipt by the customer, pellets are a far less invasive way to solve the issue. I don't expect the device to be compromised after it gets to me, mainly because it's within my sight at all times (unless I'm sleeping) because I use it all the time.
Maybe they could briefly mention what "anti-interdiction" actually means in this context? This way you have to open one of the links in the first paragraph and scroll down to get to the following key phrase:
> The word interdiction in our context refers to a laptop being intercepted between the time it leaves our fulfillment center and the time you receive and open the box.
That's very interesting, because it has nothing to do with the usual meaning of "interdiction", which is (1) "the action of prohibiting or forbidding something" or
(2) "the action of intercepting and preventing the movement of a prohibited commodity or person". So my first thought when reading "anti-interdiction" was "are they trying to stop others from forbidding something?". Ok, you could somehow derive their meaning of "interdiction" from (2), but it's a stretch. Also it's contrary to the etymology - from Latin inter "between" + dicere "to speak, to say". I mean, the bad guys are not saying something, they're doing something to your laptop. Maybe "interfaction" (doing something in between) would be a better word?
The term interdiction is used heavily within three letter agencies across many governments and countries to refer to interception (and presumably, modification) of electronics hardware. See: https://en.m.wikipedia.org/wiki/Interdiction
Ok, TIL... I still think it's nonsense to use this term, but probably the NSA preferred this one rather than using "interception" or similar so it could more easily present it as legitimate.
Anti-interception would make more sense, but it doesn't sound nearly as badass, and when you're offering a service that 99.9% of people don't need, sounding badass helps a lot.
I don't know, I mean my made-up word "interfaction" sounds a lot like "infraction" which is "a violation or infringement of a law or agreement", so "anti-interfaction" has a certain level of "badass-ness" as well. Or people will think that you misspelled "infraction", which would be not so good. Oh well...
Interfaction looks like it means between-factions, in fact I could swear I've seen it used like that... anyway, it looks to me like it would be describing some sort of civil unrest (interfactional fighting broke out in <country> today...) or bureaucratic nonsense in a company (BigSoftwareCompany was unable to respond to their upstart rivals due to interfactional disagreements about which pointy haired boss would get more seats to fill). Neither is really badass -- the latter is mostly tedious, the former is often horrifying.
Probably you are busy because 99% of your customers do not face any possible threat but are just paranoid, that's it. I am personally fine if all those paranoid people will generate enough market to make open source firmware/hardware sustainable.
Also, glitter nail polish does not work. It can be lifted and reapplied without disturbing.
I suggest that painting and photographing multiple individual blobs on each device is inefficient and a better method would be putting the device in a bag of coloured rice and evacuating air (was discussed on HN some time ago).
I work in interdiction/interception (a long time now), yes people are way over paranoid about this type of stuff. Media makes so much sound like we're some james bond movie..
Depending on the T(ce) and solvent compatibility/bond strength to surrounding plastic it could be as easy as pouring some LN2 on it and it might even pop itself out.
The whole glitter thing does provide really strong security against any attempt to melt/dissolve it, as well as good resilience against mechanical attacks, especially when adhered to materials it bonds strongly to, typically ones that dissolve in the solvents it contains. (iso acetone, mek, etc)
It's actually pretty interesting and refreshing how companies are responding to threats at every level from software to hardware "enhancements" may be offered free by "interested parties".
Seeing these small news restore my faith in both Free/Open hardware and software, esp. when the attacks are somewhat increased.
"Most customers opt to wait until the package arrives before they ask for the pictures."
Seems backwards. Photos ought to precede shipping. Sending the photos once the device is in hand makes it much easier for fake photos to be injected. With GPG signing and such it would still be nontrivial, but much easier. Am I missing something?
I guess the idea is that if the pictures are sent too early, the pictures could be intercepted, phone interdicted, and photos used to help workaround the anti-interdiction protection.
Maybe, but then they have to fake the context (camera, lighting, room) and be extremely careful not to accidentally give away clues about their operation.
Being paranoid and acting on it will always be enough to make you a very shiny bright glittering target. Perhaps being really paranoid is all about being discovered and exposed, which would make sense.
Has anyone tried to remove the nail polish, then reapply with a matched nail polish? I imagine that it would be very difficult to tell the difference between the tampered and non-tampered.
I agree, the small size of individual elements makes it difficult to differentiate by eye. I read an article on this that suggested a cheap USB microscope as tool detect tampering for this reason.
I find it fascinating that glitter nail polish has such high tech applications. I don't think the threat model really applies to me, but I'm tempted to get some glitter nail polish to use for tamper detection on my devices just for the privacy nerd status symbol.
Random glitter pattern recreation simply doesn't seem that hard to duplicate given NSA-level resources.
1. Lay down a blob of nail polish that's color-matched to the original. Use a 3D or inkjet-like additive printing method that allows you to closely approximate the shape of the original blob along all 3 axes.
2. Physical glitter can be inserted into, or printed onto, the replica blob during this additive printing.
Given a budget of tens (hundreds?) of millions of dollars, it seems extremely do-able.
The results would of course only withstand a certain level of scrutiny. The recipient would possibly (likely?) need some kind of microscopic analysis to detect this fraud. However it certainly seems possible (given aforementioned state-level backing) to have a high chance of fooling the victim, especially if the victim does not have state level resources.
The best bet might be for a company like Librem to employ a variety of these cheap antiinterdiction methods. Glitter polish, colored vacuum-packed rice, etc. Layer them when applicable, and randomly alternate the ones that are mutually exclusive. Each method, while defeatable, poses a fairly significant time and resource burden on the interdictor.
Take a Dremel to the phone to scratch it random and custom. Laser etch a QR code if you want, maybe a GPG signature.
Freeze the phone in a 5-gallon bucket.
FedEx overnight early AM international delivery.
Full LTE GPS tracker on the package with minute-by-minute updates.
Ensure customer tests melted water for co2 content (it will fizz) and nitrogen content (will probably also fizz) in case somebody was clever and dropped LNOX or dry ice to re-freeze.
Retrieve phone that was tampered at the factory ahead of time, despite best efforts.
None of this prevents or exposes tampering except possibly a picture of the random air bubbles in the ice, which only provides exactly the same protection as the glitter and by the same mechanism. Everything else is just a lot of silly theater.
I think the idea is that the shipping time will be too short to allow freezing the tampered-with phone into a new block of ice of such size, and the scratches prevent it from being substituted by a pre-frozen replacement.
Might be countered by supercooled water if the crystallization can be made to look natural.
That sort of all-or-nothing threat model isn't particularly useful.
You can never hope for perfect unassailable security. The best you can do is make attacks too expensive/complex for the attackers you're concerned about. From that point of view, glitter varnish produces exceedingly good results for minimal costs.
One thing to note about the Librem 5 USA version. The case is made in China. I’ve asked them for years to make the case in the US but nothing yet. That’s the only thing preventing me from purchasing it.
Excuse my ignorance, but what's the reason for wanting the case made in the US? I could understand for an electronic part, but the case would seem to not present any security issues being made by an untrusted party?
Besides the security implication that mschuster mentioned there is also: misleading marketing, if a product is marketed as Made in USA it should consist of a majority of parts made locally.
My product, currently in prototype stage, is made locally here in London. I go to great lengths to ensure that (even down to raw material level where possible). It’s not economical, but that’s not why I’m doing it. I’m doing it because I believe in it. Way too many known and unknown companies just offshore manufacturing. Globalisation is bad. Support the local industry and make better things here!
Isn't Librem 5 USA just a hype? I mean from what I understand only a PCB and some insignificant compotents are made in the US and all the rest is sourced from around the world? Like the CPU comes from South Korea etc.
So what's the difference whether it is assembled in the US and say in China?
How they ensure the parts they install are not compromised?
Do they only employ US and security cleared workers on the assembly line?
How hard would be for the Chinese or Russians to pay an employee to slip some compromised chips to pick and place machine?
The further you are removed from the end product, the harder it is to perform targeted attacks. Sure, they could build a backdoor into every component they produce and hope it won't go detected, but the possibility of the subversion being detected scales linearly with the occurrence rate. And if they only subvert 1 in 1000 chips, how are they going to ensure those chips end up at their intended targets?
How hard would be for the Chinese or Russians to pay an employee to slip some compromised chips to pick and place machine?
Probably some orders of magnitude harder than if it were assembled in China.
This might be worth looking into for Purism since it takes a lot less effort than painting each screwhead, which I believe has also been defeated without detection (it's mentioned in the linked article). Maybe a combined approach would work best for narrowing down the tampered with areas.
0: https://news.ycombinator.com/item?id=31897530
1: https://dys2p.com/en/2021-12-tamper-evident-protection.html