We offer a lot of unique, high-security features at Purism (I discuss the most secure options for the Librem 14 in this post). One of the most interesting things we offer is our anti-interdiction service, an add-on service that we custom-tailor for each customer to add multiple levels of tamper detection to an order. With anti-interdiction in place, a customer can detect any attempt to tamper with the package, the computer hardware, or the firmware during shipping. In 2021 we saw more anti-interdiction orders than ever before. In this post I wanted to talk through some of the highlights of anti-interdiction in 2021 including some of the most common anti-interdiction steps our customers choose.
One of the more surprising things to see this year is just how popular tamper detection is among our customers. Almost half of our Librem 14 orders upgraded to some form of the “PureBoot Bundle” instead of our default coreboot as the boot firmware. Selecting the PureBoot Bundle installs our tamper-detecting PureBoot boot firmware and automatically adds a Librem Key that is paired with the laptop, so that when the customer boots the computer for the first time, they can look at the blinking green or red LED on the Librem Key to detect attempts to tamper with the boot firmware itself, and use PureBoot to detect tampering in their OS’s kernel and other boot files. More recently we even added the feature to extend PureBoot tamper detection into the root filesystem.
About 20% of the Librem 14 customers that selected some form of PureBoot Bundle upgraded from there to full anti-interdiction services. When someone selects anti-interdiction services, we start with some basic physical tamper detection measures:
These steps allow the customer to detect whether someone has opened the package during shipping, and therefore the laptop should get extra scrutiny. Pictures of the motherboard allow the custom to have a “known good” state for the motherboard, RAM, and disk in case they are concerned that an attacker may have replaced or added to the laptop during shipment.
In addition to these steps, we also offer additional, optional measures and work with each customer (over GPG-encrypted email if they prefer) to determine their particular threats, and decide which combination of additional anti-interdiction measures are appropriate. It’s always interesting to see which measures customers pick, and which threats they are facing. Our average customer doesn’t necessarily face specific threats, but instead wants the highest level of protection possible for extra peace of mind. They might not know for sure that someone is targeting them, but if someone does tamper with their laptop during shipping, they’d like to know about it.
One of the more unique options for anti-interdiction orders is painting glitter nail polish on the bottom screws. The principle behind this measure starts with the fact that you have to remove the bottom case screws to tamper with the laptop motherboard. If you were to cover those screws with some sort of paint, someone would have to disturb the paint to access that hardware and then attempt to repaint it. Glitter nail polish leaves behind a unique, random, 3-dimensional pattern of glitter that, once disturbed, is incredibly difficult and time-consuming to replace. We provide each anti-interdiction customer who selects this option pictures of these glitter patterns on request so they can compare them with the laptop they receive. They can also compare the laptop against pictures whenever their laptop is left unattended.
We offer a wide range of color choices, and customers who choose this option tend to pick either a more muted color that won’t draw attention like silver, or they pick a color that stands out (like red or gold). Customers who want that additional layer of protection tend to pick our rainbow color option, which has glitter of all sorts of colors. Customers can either choose to paint only the corner screws, or all screws, and so far neither option seems much more popular than the other. Customers who intend on removing the bottom case in the future do tend to choose only the corner screws, so that they can remove the nail polish gently with a bit of acetone. This is actually one of the more time-consuming parts of the anti-interdiction process, because we need to wait for the paint to dry before we can take pictures and package up the laptop!
By default we ship the Librem Key and laptop separately for anti-interdiction orders. The principle behind this measure is simply that it’s more difficult to intercept two packages than one, and you need both the laptop and the Librem Key to reset factory-generated keys and shared secrets. To frustrate interception even further, we also offer the option to ship the Librem Key and laptop to separate addresses, and to stagger the shipment of the Librem Key and laptop so that the Librem Key ships a few days ahead of time. We also offer the option to ship the Librem Key and hold the laptop until the customer confirms receipt of the Librem Key. This is the most secure option, as it makes it impossible for an attacker to intercept both packages at the same time.
For the most part, unless they are in a hurry, customers choose to wait to ship the laptop until they confirm receipt of the Librem Key. Because the Librem Key ships in a small package and by itself isn’t that expensive, often customers will select a PO Box, a work address, or a friend’s address for it.
By default when we set up PureBoot, the GPG user PIN is set to 123456 and the admin PIN and TPM PIN are set to 12345678. Anti-interdiction customers have the option to change this to a single, custom PIN of their choice. This measure protects against an attacker who is able to intercept both packages, make changes, and then use the default PIN to sign their changes so they seem legitimate. Because the attacker can’t guess the custom PIN, they won’t be able to make undetectable changes. For some customers, particularly those who want a custom PIN but don’t want to share a secret over unencrypted email ahead of time, we will generate a custom, random PIN for their order, that we only share with them after they have confirmed receipt of the laptop, that way we don’t have to worry about interception of the email containing the custom PIN.
Many if not most anti-interdiction customers do choose some sort of custom PIN either that they or we generate. A custom PIN, and anti-interdiction in general, is only intended to detect tampering during shipping. Once a customer has confirmed the laptop is safe, they no longer need factory-generated keys or PINs and can use their own. We advise all customers with PureBoot to change all of their PINs to something new once they receive the computer and verify it, so that we no longer have a copy.
One of the most exciting developments with anti-interdiction in 2021 was the expansion into new hardware. Traditionally customers have only selected anti-interdiction with laptop orders but in 2021 we have started to see more anti-interdiction services added to Librem Mini and Librem Server orders as well. In these cases the options are essentially the same as for the Librem 14, just adapted to the screw locations for this hardware.
We have also started to offer anti-interdiction services for Librem 5 and Librem 5 USA orders. Because the Librem 5 series does not (yet) run a form of PureBoot, anti-interdiction for a phone focuses on physical tampering. In addition to the default tamper seals on the packaging, and pictures of the inside of the case, we also offer glitter nail polish, either on the sides of the back case, on the screws covering the plastic cover over the WiFi and modem M.2 cards, or both.
We try very hard to offer advanced, but convenient, security measures for our customers and I am very pleased to see so many customers choose the PureBoot Bundle and anti-interdiction. We continue to look for ways to improve our anti-interdiction service, so if there is a new anti-interdiction improvement you’d like us to consider, please let us know. If you’d like your own Librem 14 with all the high security bells and whistles, check out my article full of high security Librem 14 recommendations, which walks you through all the options to select in the shop.
Model | Status | Lead Time | ||
---|---|---|---|---|
Librem Key (Made in USA) | In Stock ($59+) | 10 business days | ||
Librem 5 | In Stock ($699+) 3GB/32GB | 10 business days | ||
Librem 5 COMSEC Bundle | In Stock ($1299+) Qty 2; 3GB/32GB | 10 business days | ||
Liberty Phone (Made in USA Electronics) | Backorder ($1,999+) 4GB/128GB | Estimated fulfillment early November | ||
Librem 5 + SIMple (3 GB Data) | In Stock ($99/mo) | 10 business days | ||
Librem 5 + SIMple Plus (5 GB Data) | In Stock ($129/mo) | 10 business days | ||
Librem 5 + AweSIM (Unlimited Data) | In Stock ($169/mo) | 10 business days | ||
Librem 11 | Backorder ($999+) 8GB/1TB | Estimated fulfillment mid-October | ||
Librem 14 | In Stock ($1,370+) | 10 business days | ||
Librem Mini | Backorder ($799+) | Estimated delivery November | ||
Librem Server | In Stock ($2,999+) | 45 business days |