A visitor to the Purism site contacted us with a question. It’s a question that we sometimes encounter when we’re with friends or at events, and so we thought we’d share the response to his query.
Q: On your website, you state:
“All other laptops use hardware chips coupled with software that can betray you. News stories have shown how these chips can surreptitiously transmit voice, networking, picture or video signals. Other chips are used to install spyware, malware or viruses.”
I know about software vulnerabilities, but I had not heard of hardware itself having built-in backdoors. Could you provide any news articles to back up this assertion?
Computerworld—a sober, technical publication—has an article outlining 17 Exploits the NSA Uses to Hack PCs, Routers and Servers for Surveillance, providing many links to original sources. It concerns the NSA’s Tailored Access Operations program (TAO), and the reports from the Snowden Archive it draws on are six years old. Thus what is current is almost certainly worse than what we know of today. And what we know now is very, very troubling.
As the computer trade magazine notes, before giving four screens of examples:
Some of the exploits are deployed remotely and others are physically installed. Those hands-on operations may occur while the product is being shipped; it could be snagged during shipping so an obscure group like an FBI black bag team can do the NSA’s domestic dirty work. There are too many exploits listed in the leak to cover in one post, but I thought you might like to know about some that target servers, routers and PCs. Please note, however, that ANT can exploit nearly every major software, hardware and firmware.
Noted computer security authority and journalist Jacob Appelbaum referenced exploits used to spy on Americans and foreigners alike – with the data-sharing agreements in place, it’s important to recognize this is fast becoming an academic distinction – by observing, “This is Turnkey Tyranny and it is here.”
Videos from the 30th Chaos Communication Congress, including Mr. Appelbaum’s two lectures (and many more covering this topic), are here.
As our blog article, “Shine A Light On It: Why Verifying Is Required, Why Only Libre Allows It” notes,
In the tech field, what a few do today, more will do tomorrow and nearly everyone will be doing next week. Even if you trust intelligence agency bureaucracies – yours or others – to not spy too much on you, your family and your friends, it’s not “just” them. It’s those that will follow that will also be able to spy on you and yours using similar techniques, for much cheaper.
Just since June ’15 alone, the OPM hacks purportedly by Chinese agents and—the irony—the Italian Hacking Team itself getting hacked prove our blog article’s concerns were, if not prescient, accurate. Smaller agencies than the NSA/GCHQ and even private parties—both of which can categorically be characterized as not being particularly protective of American or even European citizens’ rights, security or well-being—are using similar exploits.
It’s code. It’s protocols. It doesn’t check first for the proper badge before running. There is no “magic golden key” that lets only The Good Guys™ execute code.
All of this leaves aside the issue that hardware and software are becoming more conceptual categories than practical ones. Securing one or the other is no longer a guarantee of safety. You need to have both secured. And, given the complexities involved, the only reliable way to do this is to use the F/LOSSH (Free/Libre Open Source Software and Hardware) model, because without verification there can be no trust, and because, even though we may trust an institution or person now, we can’t have faith that five years from now these organizations will be the same, or the people we trusted still in place.
We genuinely wish we lived in a world where the caution we have for our customers was unjustified or even hysterical. We genuinely wish there wasn’t a need for someone like Purism to develop verifiably secure, transparent ways for people to organize their thoughts and then share them. The world would be a better place. We’d probably all enjoy a bit more sleep. But that’s not the world we’ve inherited. So instead, we’re energized by the challenges we all face. And we’re excited at the opportunity to do our small part in correcting this very unwelcome change in our digital environment.