Author: Todd Weaver

Founder and CEO
PGP Fingerprint: B8CA ACEA D949 30F1 23C4 642C 23CF 2E3D 2545 14F7

Yet Another EFI/UEFI Exploit, this one Utilizing NVRAM and Persistent Storage

Continuing on our previous post on this topic, another EFI/UEFI BIOS exploit theoretically known–and even proven to work by Trammel hudson some years ago–that resurfaced through the Vault 7 documents, is the EFI/UEFI exploit that can write to NVRAM or persistent storage. This means that this exploit cannot be detected from hard drive inspection, and can survive through a complete OS reinstall if you’re using EFI/UEFI (which is not a problem for Purism users running coreboot).

The CIA documents describe it best:

“These variables present interesting opportunities for our tools since they will survive a OS reinstall and are invisible to a forensic image of the hard drive. What’s also interesting is that there is no way to enumerate NVRAM variables from the OS… you have to know the exact GUID and name of the variable to even determine that it exists.” — the CIA, as leaked through the Vault 7 Persistent Storage Document

This line also summarizes intent for the exploit:

“This might be a good place to put either implants or encryption keys. If every implant deployment used a different GUID/name pair, it would make the variables a bit more difficult to discover.” — the CIA, from the Vault 7 Persistent Storage Document

This continues to reinforce that our philosophy and beliefs are the only way to have long-term products that respects users’ digital rights.

Proving the Known, EFI/UEFI Exploited for BIOS Level Attacks

We’re continuing with a second report (many more coming!) on the “Vault 7” Documents we started digesting recently. There is an extensive section dedicated to EFI/UEFI exploitations. While this threat has been known from a theoretical standpoint from the moment the non-free BIOS replacement–EFI/UEFI–came into existence, the Vault 7 documents published recently now confirm that these threats are real and these weaknesses are actively being exploited.

One interesting read we’re focusing on today is the EFI/UEFI “ExitBootServices Hooking” exploit and sample copy-and-paste code to inject a hook into the last execute state of the EFI/UEFI process (the “ExitBootServices”).

Copy-and-paste code was included in the leaks which allow for the exploitation of UEFI-based boot systems by altering the operating system’s kernel which is loaded into memory before exiting the UEFI boot sequence. The copy-and-paste code allows for an attacker to insert a custom hook which can be used to arbitrarily alter the operating system’s kernel in memory immediately before execution control is handed to the kernel. — Wikipedia’s summary.

It is trivial to utilize this exploit:

Because the ExitBootServices service can be found by getting its pointer from the global EFI_BOOT_SERVICES table, hooking the ExitBootServices call is trivial. […] When you’re running in UEFI, that EFI_BOOT_SERVICES table isn’t protected by anything, so you can just write directly to it. — Vault 7 ExitBootServices Hooking

The result is that the entire system is compromised. As the page highlights, “At this point, you can do whatever you want.”

This type of exploit once-again highlights that security is a game of depth. This exploit is one level below the kernel, which means it has complete control of every level above it, such as the kernel, the entire operating system, any and all applications, network traffic, web application usage, and all user interaction.

The good news is, Purism recently completed the port of coreboot to the Librem 13 v1 (with more ports to come for the rest of our devices), providing a free/libre and open source replacement for EFI/UEFI which avoids all of the exploits mentioned within the documents.

The only long-term approach to protect oneself is to have complete control of the device. Control is the key word, and there is no other way to have complete control than to have as much of the software released under free software licenses where the source code is available to confirm it operates in your best interest and not that of criminals, spies, bad hackers, nations, or thieves.

Confirming that EFI/UEFI has a known and trivial exploit that is built into the standard also confirms that there is no depth too deep to exploit, and the only defense against unwanted stripping of a users’ digital rights is to use hardware and software that you control. Purism does just that by releasing all software under a free software license where the source code is available to be audited, reviewed, and scrutinized making a user control their device not the device controlling the user.

What the US Senate Vote Barring the FCC from Protecting the Privacy of Customers Means

On March 23rd, 2017 the US Congress disapproved the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services”, and so that rule shall have no force or effect.

This means the FCC does not have the legal authority to protect the privacy of customers from ISPs gobbling up all the data they want to. The ISPs own the connection from your router to the Internet at large. ISPs have access to everything that passes over the connection including any non-encrypted content such as, every webpage you visit, every email you send, every photo you share, every document you deliver, and any social media post you make. Utilizing SSL helps guard against this threat of ISPs selling your head-end usage data, which is why Purism integrates EFF‘s HTTPS Everywhere in PureOS by default. In the future Purism will also be including SSL tunneling by default to help users stop ISPs from the privacy invading fire-hose of everything you do online.

What the CIA Vault 7 Documents Mean

WikiLeaks has recently released a treasure trove of documents, codenamed Vault 7, that will take weeks to digest. And we will digest it all. But before we go document by document, we wanted to address top-level concerns users have, and how our philosophy and business model are the only ones that can withstand the test of time against this type of user device control. Read more

Todd’s Purism Librem 13 experience with coreboot and a neutralized ME

A few days ago, I got to experience the efforts of a culmination of free software supporters; from Purism team members, ME hackers, coreboot developers, and a lot of other individuals. I am very pleased to run a Librem 13 with coreboot, running a neutralized Intel Management Engine, and no microcode update. I used that setup to type this blog post! Read more

Growing to Ship from Inventory in 2017

Thank you all for supporting Purism, with ordering hardware, donations, volunteering, downloading PureOS, using our products, and of course the kind words. We are excited to finally approach the transition from “build-to-order” (where users have tended to wait months for Librem products) to shipping from inventory, where new users will be waiting merely days for Librem products. This is the most important step we’re taking yet.

To do this, we are leveraging past sales revenue to get investment and a larger line-of-credit, so we can place an even larger order for all the supplies, hardware, and component parts needed to build and house inventory.

The Librem 13 v2 prototype
The Librem 13 v2 prototype

This larger order is expected to be placed in January, and we intend it to include: the Librem 13 v2, the Librem 15 v2, and the Librem 11 v1. There is typically an 8 week lead time for fabrication, which means placing our bulk inventory orders in January will allow us to fulfill the remaining preorders and backorders in March, and ship-from-inventory beginning in April of 2017.

This is a very exciting transition for Purism to grow to meet the demand of users worldwide, and we could not have done this without your support, so thank you again.

Apple’s Collecting User Calls and Messages, and How Purism Avoids This Type of Threat

Another day, another corporate surveillance story; this time it is Apple who decides to secretly send users’ call history, as well as messages, to the “cloud” (which in this case is iCloud servers, owned and controlled by Apple).

This brings up a number of issues we have spoken about before, that users who buy Apple products think they own the device, until the realization—through near daily stories reporting on Apple undermining the privacy of user data—that Apple actually owns the iPhone device, and that iOS users are simply renting it as well as the software and services that run on it.

The Problem

Apple, like Google and Microsoft, controls the software that runs on your phone. Those companies will not relinquish control of their devices nor software because users continue to buy and finance their bad practices of exploiting users.

The Solution

Use, support, and buy products that are completely free software, where the source code is available, so that all the software on your device can be controlled by the user, not the software giants who undermine digital rights.


Purism ships PureOS with its products, which is completely free software. Customers can also elect to have Qubes preinstalled, or to install their own operating sytsem. Purism hopes to get PureOS officially endorsed by the Free Software Foundation very soon. Additionally, in the long term Purism is working towards its ambitious goal to fully free its hardware and get hardware certification by the FSF, becoming the first manufacturer of “brand new” high-performance laptops to achieve this.

Android’s Secret Backdoor, and How Purism’s Business Model Avoids This Type of Threat

photo
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. Emilio Morenatti/Associated Press

Today we learned once more why utilizing pure free software where the source code is available is critical to protect users’ rights to privacy, security, freedom, and anonymity.

The New York Times points out that this latest security breach “shows how companies throughout the technology supply chain can compromise privacy, with or without the knowledge of manufacturers or customers.”

Let’s examine the problem and see what can be done about it. It’s not too late to stand up for your rights.


The Fundamental Problem

All phones and tablets on the market today suffer from the same problem: the code that operates those devices are a mystery to the users. In this specific case Google’s Android, but the same problem exists with Apple devices and Windows devices, where the operating system, software-updated firmware, and most software that runs on those devices do not have the source code available to verify that there are no backdoors sending your private data to unwanted third parties.

Purism Competitive Privacy Matrix

What this means is there is absolutely no way, for a user of Android, iOS, OSX, Windows, or any operating system that does not release all the source code, to guarantee he/she is not being illegally spied upon for nefarious reasons, corporate surveillance, government spying, and/or private data mining.

The tracking built into mobile devices is at every level imaginable. We need to create a better, digital rights respecting future for computing.

The Future of Computing

If we, as users, continue to morally and financially support Android, iOS, OSX, Windows or any other operating system that strip away the digital rights of users, we continue to advance a future where:

  • users are controlled for profit;
  • private data is mined for advertising revenue;
  • governments spy on people;
  • corporations capitalize on every user interaction;
  • security breaches involve staggering amounts of personal data, with enormous consequences for individuals—even worse than what we’ve been seeing in recent years.

Every time you purchase a device from hardware companies that pre-install Android, iOS, OSX, Windows, and other nonfree operating systems, you are contributing to the erosion of your rights. Buying an HTC device benefits HTC, Google, the carrier, and all software companies that preinstall their privacy-stripping binaries. Similarly, buying Apple benefits Apple, the carrier, and all software apps preinstalled or even later installed.

Current technology purchasing decisions,
Current technology purchasing decisions. Can you smell the smoke?

The Solution

  1. Use a free software operating system, where the source code is released.
  2. Use hardware that allows you to run a completely freed operating system, where there is no mystery binaries, no private data delivered anywhere, and most importantly that you control.
  3. Support companies and organizations like Purism, and know that every penny of a purchase goes to benefit the future of computing and the digital rights for users. Make informed purchasing decisions and support hardware manufacturers that push Free Software’s agenda all the way through the supply chain.

The Upcoming Purism Phone and services infrastructure

Subscribe to our newsletter (simply send an email to announce-join@announce.puri.sm to subscribe automatically) or follow us (see website footer for social links), then you will be notified when Purism launches the first freedom, security, and privacy respecting phone.

Purism’s Zlatan Todorić is Officially a Debian Developer

Zlatan Todoric - Website HeadshotSometimes it’s nice for a little public congratulations for one of our team members, Zlatan Todorić is now officially a Debian Developer (DD). Becoming a DD is proof-positive of having devotion to free software, since Debian GNU/Linux is the gold standard for a high-quality user-respecting socially-responsible universal operating system.

Zlatan, while continuing to benefit Purism and its users by managing our technical team, will also be advancing Debian and its beliefs, which we are proud to say is a win-win for the world as a whole.

We are excited and honored to associate ourselves with talented developers such as Zlatan Todorić.

For more information about becoming a DD yourself head on over to https://wiki.debian.org/DebianDeveloper.

Note: Purism’s own PureOS is a fork of Debian GNU/Linux designed specifically to run on Librem hardware with software additions and changes that meets FSF endorsement criteria and protects users’ rights to privacy, security, and freedom by default.

4K At Last! Purism Librem 15 rev2 4K

We have had a long road to get to 4K in our second revision of the Librem 15 units. This has not been without frustration with supply chain delays, but we are finally finished testing a fully functional 4K prototype that is ready for mass production.

librem-15-rev2-4k-full-1920px

The story to get the 4K panel is full of ups, downs, twists, and turns. When we learned from one of our suppliers that we could get Samsung 4K panels in our Librem 15, we jumped at the opportunity. We prepaid for the panels, moved the Librem 15 line from 2K (1920×1080) to 4K (3840×2160), and asked if backers would like to get 2K or 4K, shipping 2K and holding the 4K until they would arrive, which moved most orders to 4K. All this was exciting, until Samsung’s 4K panels were on backorder, then backorder again, and again. We were in a real bind, because there was no alternative 4K screen, until LG entered the scene. We then requested a sample 4K screen from LG, modified the case and front panel to fit the new LG 4K screen. We then hit an additional delay on funding the screen purchase, tooling, and assembly, since we prepaid for the Samsung panels we had to look at how to cover the additional cost of LG screens. After juggling some pieces, such as refunds on the Samsung screens, negotiating lower cost from the delays with the supply chain to cover the screen price increase, and even supply chain funding, we got the LG based Librem 15 rev2 4k prototype approved and ready for mass production.

librem-15-rev2-4k-right-side-1920px

Now that we are approved for mass production on the Librem 15 rev2 4k, we can provide more accurate dates for delivery to backers as we approach receipt of the panels. LG expects to get us the full panel order within 6 to 8 weeks, and we will then assemble and ship through all our back orders within 3 to 4 weeks. Any new orders will be shipping after September.

Thank you for all the support, and patience, as we have worked through an unbelievably painful process working through the supply chain delays. We have learned a lot through this process, and are going to work even harder to avoid this type of delay ever again. We are looking to remove any supply chain delays in the future by raising funds to be able to order enough product to ship from stock.

librem-15-rev2-4k-left-side-1920px