Continuing on our previous post on this topic, another EFI/UEFI BIOS exploit theoretically known–and even proven to work by Trammel hudson some years ago–that resurfaced through the Vault 7 documents, is the EFI/UEFI exploit that can write to NVRAM or persistent storage. This means that this exploit cannot be detected from hard drive inspection, and can survive through a complete OS reinstall if you’re using EFI/UEFI (which is not a problem for Purism users running coreboot).
The CIA documents describe it best:
“These variables present interesting opportunities for our tools since they will survive a OS reinstall and are invisible to a forensic image of the hard drive. What’s also interesting is that there is no way to enumerate NVRAM variables from the OS… you have to know the exact GUID and name of the variable to even determine that it exists.” — the CIA, as leaked through the Vault 7 Persistent Storage Document
This line also summarizes intent for the exploit:
“This might be a good place to put either implants or encryption keys. If every implant deployment used a different GUID/name pair, it would make the variables a bit more difficult to discover.” — the CIA, from the Vault 7 Persistent Storage Document
This continues to reinforce that our philosophy and beliefs are the only way to have long-term products that respects users’ digital rights.
We’re continuing with a second report (many more coming!) on the “Vault 7” Documents we started digesting recently. There is an extensive section dedicated to EFI/UEFI exploitations. While this threat has been known from a theoretical standpoint from the moment the non-free BIOS replacement–EFI/UEFI–came into existence, the Vault 7 documents published recently now confirm that these threats are real and these weaknesses are actively being exploited.
One interesting read we’re focusing on today is the EFI/UEFI “ExitBootServices Hooking” exploit and sample copy-and-paste code to inject a hook into the last execute state of the EFI/UEFI process (the “ExitBootServices”).
Copy-and-paste code was included in the leaks which allow for the exploitation of UEFI-based boot systems by altering the operating system’s kernel which is loaded into memory before exiting the UEFI boot sequence. The copy-and-paste code allows for an attacker to insert a custom hook which can be used to arbitrarily alter the operating system’s kernel in memory immediately before execution control is handed to the kernel. — Wikipedia’s summary.
It is trivial to utilize this exploit:
Because the ExitBootServices service can be found by getting its pointer from the global EFI_BOOT_SERVICES table, hooking the ExitBootServices call is trivial. […] When you’re running in UEFI, that EFI_BOOT_SERVICES table isn’t protected by anything, so you can just write directly to it. — Vault 7 ExitBootServices Hooking
The result is that the entire system is compromised. As the page highlights, “At this point, you can do whatever you want.”
This type of exploit once-again highlights that security is a game of depth. This exploit is one level below the kernel, which means it has complete control of every level above it, such as the kernel, the entire operating system, any and all applications, network traffic, web application usage, and all user interaction.
The good news is, Purism recently completed the port of coreboot to the Librem 13 v1 (with more ports to come for the rest of our devices), providing a free/libre and open source replacement for EFI/UEFI which avoids all of the exploits mentioned within the documents.
The only long-term approach to protect oneself is to have complete control of the device. Control is the key word, and there is no other way to have complete control than to have as much of the software released under free software licenses where the source code is available to confirm it operates in your best interest and not that of criminals, spies, bad hackers, nations, or thieves.
Confirming that EFI/UEFI has a known and trivial exploit that is built into the standard also confirms that there is no depth too deep to exploit, and the only defense against unwanted stripping of a users’ digital rights is to use hardware and software that you control. Purism does just that by releasing all software under a free software license where the source code is available to be audited, reviewed, and scrutinized making a user control their device not the device controlling the user.
On March 23rd, 2017 the US Congress disapproved the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services”, and so that rule shall have no force or effect.
This means the FCC does not have the legal authority to protect the privacy of customers from ISPs gobbling up all the data they want to. The ISPs own the connection from your router to the Internet at large. ISPs have access to everything that passes over the connection including any non-encrypted content such as, every webpage you visit, every email you send, every photo you share, every document you deliver, and any social media post you make. Utilizing SSL helps guard against this threat of ISPs selling your head-end usage data, which is why Purism integrates EFF‘s HTTPS Everywhere in PureOS by default. In the future Purism will also be including SSL tunneling by default to help users stop ISPs from the privacy invading fire-hose of everything you do online.
WikiLeaks has recently released a treasure trove of documents, codenamed Vault 7, that will take weeks to digest. And we will digest it all. But before we go document by document, we wanted to address top-level concerns users have, and how our philosophy and business model are the only ones that can withstand the test of time against this type of user device control. Read more
In my last blog post, I have spoken of the completion of the Purism coreboot port for the Librem 13 v1 and mentioned that I had some good news about the Intel Management Engine disablement efforts (to go further than our existing quarantine) and to “stay tuned” for more information. Since then I got a little side-tracked with some more work on coreboot (more below), but now it’s time to share with you the good news! Read more
Another day, another corporate surveillance story; this time it is Apple who decides to secretly send users’ call history, as well as messages, to the “cloud” (which in this case is iCloud servers, owned and controlled by Apple).
This brings up a number of issues we have spoken about before, that users who buy Apple products think they own the device, until the realization—through near daily stories reporting on Apple undermining the privacy of user data—that Apple actually owns the iPhone device, and that iOS users are simply renting it as well as the software and services that run on it.
Apple, like Google and Microsoft, controls the software that runs on your phone. Those companies will not relinquish control of their devices nor software because users continue to buy and finance their bad practices of exploiting users.
Use, support, and buy products that are completely free software, where the source code is available, so that all the software on your device can be controlled by the user, not the software giants who undermine digital rights.
Purism ships PureOS with its products, which is completely free software. Customers can also elect to have Qubes preinstalled, or to install their own operating sytsem. Purism hopes to get PureOS officially endorsed by the Free Software Foundation very soon. Additionally, in the long term Purism is working towards its ambitious goal to fully free its hardware and get hardware certification by the FSF, becoming the first manufacturer of “brand new” high-performance laptops to achieve this.
Today we learned once more why utilizing pure free software where the source code is available is critical to protect users’ rights to privacy, security, freedom, and anonymity.
The New York Times points out that this latest security breach “shows how companies throughout the technology supply chain can compromise privacy, with or without the knowledge of manufacturers or customers.”
Let’s examine the problem and see what can be done about it. It’s not too late to stand up for your rights.
The Fundamental Problem
All phones and tablets on the market today suffer from the same problem: the code that operates those devices are a mystery to the users. In this specific case Google’s Android, but the same problem exists with Apple devices and Windows devices, where the operating system, software-updated firmware, and most software that runs on those devices do not have the source code available to verify that there are no backdoors sending your private data to unwanted third parties.
What this means is there is absolutely no way, for a user of Android, iOS, OSX, Windows, or any operating system that does not release all the source code, to guarantee he/she is not being illegally spied upon for nefarious reasons, corporate surveillance, government spying, and/or private data mining.
The tracking built into mobile devices is at every level imaginable. We need to create a better, digital rights respecting future for computing.
The Future of Computing
If we, as users, continue to morally and financially support Android, iOS, OSX, Windows or any other operating system that strip away the digital rights of users, we continue to advance a future where:
users are controlled for profit;
private data is mined for advertising revenue;
governments spy on people;
corporations capitalize on every user interaction;
security breaches involve staggering amounts of personal data, with enormous consequences for individuals—even worse than what we’ve been seeing in recent years.
Every time you purchase a device from hardware companies that pre-install Android, iOS, OSX, Windows, and other nonfree operating systems, you are contributing to the erosion of your rights. Buying an HTC device benefits HTC, Google, the carrier, and all software companies that preinstall their privacy-stripping binaries. Similarly, buying Apple benefits Apple, the carrier, and all software apps preinstalled or even later installed.
The Upcoming Purism Phone and services infrastructure
Subscribe to our newsletter (simply send an email to firstname.lastname@example.org to subscribe automatically) or follow us (see website footer for social links), then you will be notified when Purism launches the first freedom, security, and privacy respecting phone.