Tag: Security

Proving the Known, EFI/UEFI Exploited for BIOS Level Attacks

We’re continuing with a second report (many more coming!) on the “Vault 7” Documents we started digesting recently. There is an extensive section dedicated to EFI/UEFI exploitations. While this threat has been known from a theoretical standpoint from the moment the non-free BIOS replacement–EFI/UEFI–came into existence, the Vault 7 documents published recently now confirm that these threats are real and these weaknesses are actively being exploited.

One interesting read we’re focusing on today is the EFI/UEFI “ExitBootServices Hooking” exploit and sample copy-and-paste code to inject a hook into the last execute state of the EFI/UEFI process (the “ExitBootServices”).

Copy-and-paste code was included in the leaks which allow for the exploitation of UEFI-based boot systems by altering the operating system’s kernel which is loaded into memory before exiting the UEFI boot sequence. The copy-and-paste code allows for an attacker to insert a custom hook which can be used to arbitrarily alter the operating system’s kernel in memory immediately before execution control is handed to the kernel. — Wikipedia’s summary.

It is trivial to utilize this exploit:

Because the ExitBootServices service can be found by getting its pointer from the global EFI_BOOT_SERVICES table, hooking the ExitBootServices call is trivial. […] When you’re running in UEFI, that EFI_BOOT_SERVICES table isn’t protected by anything, so you can just write directly to it. — Vault 7 ExitBootServices Hooking

The result is that the entire system is compromised. As the page highlights, “At this point, you can do whatever you want.”

This type of exploit once-again highlights that security is a game of depth. This exploit is one level below the kernel, which means it has complete control of every level above it, such as the kernel, the entire operating system, any and all applications, network traffic, web application usage, and all user interaction.

The good news is, Purism recently completed the port of coreboot to the Librem 13 v1 (with more ports to come for the rest of our devices), providing a free/libre and open source replacement for EFI/UEFI which avoids all of the exploits mentioned within the documents.

The only long-term approach to protect oneself is to have complete control of the device. Control is the key word, and there is no other way to have complete control than to have as much of the software released under free software licenses where the source code is available to confirm it operates in your best interest and not that of criminals, spies, bad hackers, nations, or thieves.

Confirming that EFI/UEFI has a known and trivial exploit that is built into the standard also confirms that there is no depth too deep to exploit, and the only defense against unwanted stripping of a users’ digital rights is to use hardware and software that you control. Purism does just that by releasing all software under a free software license where the source code is available to be audited, reviewed, and scrutinized making a user control their device not the device controlling the user.

Releasing the beta of PureOS 3

After our alpha release in November, we are today releasing the beta for PureOS 3.0, which we intend to release as a final release in time for our upcoming new laptop batch shipment (more news on that soon).

As PureOS uses a rolling release model, software all across the stack continued to receive updates since our first alpha some months ago, even though the core of our work has been to improve and deploy new infrastructure to support efficient development of this operating system and to make the PureOS experience more pleasant for users, too. The PureOS infrastructure is now better at exposing migration/update issues, which means that we iron out broken or missing package dependencies more quickly (with the goal of preventing them from ever being encountered by users, although such occurrences are already rare). Building this infrastructure for PureOS is some very ambitious—and often invisible—work that we are accomplishing as the foundation for all PureOS development.

We are also in the final stages of preparing proper developer documentation, closely modeled on Debian’s contributors documentation and procedures, but pointing to the right bits and pieces when it comes to PureOS.

FSF endorsement is work in progress: we are working with the FSF and addressing any concerns or requests they may have. As per the FSF’s requests:

  • The new PureOS website is now fully separate and works with LibreJS.
  • Iceweasel/Firefox was removed from the archive (its presence there was actually due to a repository synchronization bug) and we modified the add-ons system to avoid the possibility of installing non-free add-ons by mistake. That said, this is one of the reasons why PureBrowser exists, and PureBrowser will continue to be the default. The forced removal of Firefox/Iceweasel caused some trouble with the PureOS package repositories archive but this will be fixed before the final release.
  • TorBrowser is now torbrowser-launcher, a package that downloads and installs the official Tor browser with updates being applied as soon as the Tor project publishes them.

On the security front:

  • A Wayland-based GNOME 3 experience remains what we ship by default.
  • We have started preparing our Linux kernel to be based on the grsecurity kernel. This is available as a package in the beta’s repositories but is not enabled by default, as we consider it requires more testing (you can help!) so we can use it as the default Linux kernel in the future (for PureOS 3.0’s final release, hopefully!)… so feel free to install and try it out (don’t forget to install paxctld as well)! This will be a huge step forward in terms of security. While most regular GNU/Linux distributions are more secure and privacy-respecting than proprietary OSes, having the grsecurity patchset in PureOS’ Linux kernel by default will bring PureOS far above the norm in terms of desktop GNU/Linux security practices.
  • We look forward to integrating flatpak in the future to benefit from its sandboxing capabilities

As you can see, we’re making some nice progress and PureOS has great plans ahead to achieve a great user experience that balances security and usability. This is quite a bit better than running OSes that work against you or that strip you of control over the applications layer!

What the CIA Vault 7 Documents Mean

WikiLeaks has recently released a treasure trove of documents, codenamed Vault 7, that will take weeks to digest. And we will digest it all. But before we go document by document, we wanted to address top-level concerns users have, and how our philosophy and business model are the only ones that can withstand the test of time against this type of user device control. Read more

Neutralizing the Intel Management Engine on Librem Laptops

In my last blog post, I have spoken of the completion of the Purism coreboot port for the Librem 13 v1 and mentioned that I had some good news about the Intel Management Engine disablement efforts (to go further than our existing quarantine) and to “stay tuned” for more information. Since then I got a little side-tracked with some more work on coreboot (more below), but now it’s time to share with you the good news! Read more

Purism Warrant Canary Updated January 1st 2017

Happy GNU year!

Before (or on) the first day of each quarter, Purism, following the general rules of warrant canaries, will update its own Warrant Canary page if none of the listed items occurs.


Warrant Canary, January 1st 2017

  1. We have not placed any backdoors into our software or hardware, and we have not complied with any requests to do so.
  2. We have not received, nor complied with any National Security Letters or FISA court orders.
  3. We have not been subject to any gag order by a FISA court.

The next statement will be published on the first day of each quarter (January 1st, April 1st, July 1st, October 1st). Please refer to the Warrant Canary page for details and digital signatures.

Purism Warrant Canary Updated October 1st 2016

Before (or on) the first day of each quarter, Purism, following the general rules of warrant canaries, will update its own Warrant Canary page if none of the listed items occurs.


Warrant Canary, October 1st 2016

  1. We have not placed any backdoors into our software or hardware, and we have not complied with any requests to do so.
  2. We have not received, nor complied with any National Security Letters or FISA court orders.
  3. We have not been subject to any gag order by a FISA court.

The next statement will be published on the first day of each quarter (January 1st, April 1st, July 1st, October 1st). Please refer to the Warrant Canary page for details and digital signatures.

Meet up at Defcon & Todd joins Leo on The Twit Network

Purism’s Director of Technology, Zlatan Todoric, will be at the Defcon 24 through August 7th.  He will be available for any questions that you may have regarding Purism and our products.  He will also be happy to show off the Librem 13 to anyone wishing to take a look at our hardware.  You can contact him on Twitter @zlatandebian or via email zlatan.todoric(at)puri.sm

CEO Todd Weaver will be on the Twit network on Saturday August 6th, 2016 for an appearance with Leo Laporte on The New Screen Savers.  Todd will be discussing with Leo, among other things, the Purism line of products, the importance of free/open source software, what sets the Librem line apart from other free and non-free offerings from other companies, our web browser, our operating system and Purism’s Philosophy.  Join him here live at 3pm PT.

ICYMI: https://twit.tv/shows/new-screen-savers/episodes/65?autostart=false  Interview starts at 52:15

Apple v FBI: It’s About Control

86.5% of Americans use a cell phone. When you purchased your phone, you most likely believed you owned it outright, just as you own your toaster, your electric razor, or your hair dryer. The device in your purse or pocket, however, is not your own–you are essentially renting it from companies such as Apple, Google and Microsoft. Once you purchase an Apple product, for example, you relinquish control of the device, thereby giving up your legal rights to Apple.

How was this allowed to happen? By agreeing to the terms of service and upgrades, along with the proprietary software pre-installed on the phone, you married yourself to a machine that is essentially controlled by these companies. The news of the collusion and voluntary surrender of information to the NSA of our data, emails, and phone calls–all of which were collected whether or not the information was needed–is fresh in our memory.

It appears Apple, Google and Microsoft would like the American public to forget they voluntarily and summarily collected and offered up all of our data to the NSA in the name of national security post 9-11; now, they would like us to believe they are protecting our rights and our privacy by refusing to allow the FBI access to the phone used by one of the shooters in the San Bernardino attack. While some believe Apple noble to not provide a bypass to the FBI, others are on the side of the government, thinking these companies should be doing whatever it takes to protect America. It is obvious, however, that both sides are missing the point.

We can use the only known legal precedent as an analogy. If you have a safe that requires a key to unlock it, a warrant is legally required to force the holder of that key to turn it over, thus gaining access to the contents of the safe. If, however, you have a combination safe, you can claim the 5th amendment, and no warrant, no court, can compel you to incriminate yourself, extracting the combination from your brain.

That same logic can be applied to the Apple v FBI case. Apple has the key to your phone, by controlling the operating system. Apple can, at any time, circumvent the security features that are supposed to protect you by simply upgrading the operating system.

Think of it this way: If you stay in a hotel, you are renting a room. When you check in, you are given a key to access that room; the hotel still has a master key. Apple is the hotel, and your phone is the room. You are renting it from Apple and they can come in, clean, look around, divulge, steal, expose your information, or not.

You don’t actually own your phone. If we truly owned our phones, court ordered warrants would be served directly to the owner of the phone. The warrants in the case of Apple v FBI were served to Apple, who actually has control of your phone.

The legal issue of whether Apple must give up the key, whether through legal maneuvering around the First Amendment, or an act of Congress, avoids the larger issue of control: if Apple loses this legal battle, all phones, tablets, and computing devices that are under the control of a company are then legally bound to comply with a warrant to give up the key that controls your device. If Apple, or any organization, controls your device, you are giving your legal rights over to that organization.

But if you control your device, there is no master key. Only you have the combination under your control, and never have to relinquish that control. This is the ultimate in security and privacy.

The discussion about whether or not Apple should be compelled to give up the master key is missing the larger point, that Apple should never have had the key to begin with. It is possible to control your device by using free software. With Purism products and the free software that comes with it, you own and control your device. Purism will never be issued a warrant to force us to give up anything relating to your device. Purism doesn’t control the products we sell—you do.

You might also like: “Android and iOS’s Secret Backdoors, and How Purism’s Business Model Avoids This Type of Threat

Hardware Can Be Your New Best Friend

A visitor to the Purism site contacted us with a question. It’s a question that we sometimes encounter when we’re with friends or at events, and so we thought we’d share the response to his query.

Q: On your website, you state:

“All other laptops use hardware chips coupled with software that can betray you. News stories have shown how these chips can surreptitiously transmit voice, networking, picture or video signals. Other chips are used to install spyware, malware or viruses.”

I know about software vulnerabilities, but I had not heard of hardware itself having built-in backdoors. Could you provide any news articles to back up this assertion?

Computerworld—a sober, technical publication—has an article outlining 17 Exploits the NSA Uses to Hack PCs, Routers and Servers for Surveillance, providing many links to original sources. It concerns their Tailored Access Operations Program (TAO) and reports from the Snowden Archive are six years old. Thus what we know of today is almost certainly worse that what’s current. And what we know now is very, very troubling.

As the computer trade magazine notes, before giving four screens of examples:

Some of the exploits are deployed remotely and others are physically installed. Those hands-on operations may occur while the product is being shipped; it could be snagged during shipping so an obscure group like an FBI black bag team can do the NSA’s domestic dirty work. There are too many exploits listed in the leak to cover in one post, but I thought you might like to know about some that target servers, routers and PCs. Please note, however, that ANT can exploit nearly every major software, hardware and firmware.

Noted computer security authority and journalist Jacob Appelbaum referenced exploits used to spy on Americans and foreigners alike – with the data-sharing agreements in place, it’s important to recognize this is fast becoming an academic distinction – by observing, “This is Turnkey Tyranny and it is here.”

Videos for the 30th Chaos Communication Congress, where Mr. Appelbaum’s two lectures (and many more covering this topic) are here.

As our blog article, “Shine A Light On It: Why Verifying Is Required, Why Only Libre Allows It” notes,

In the tech field, what a few do today, more will do tomorrow and nearly everyone will be doing next week. Even if you trust intelligence agency bureaucracies – yours or others – to not spy too much on you, your family and your friends, it’s not “just” them. It’s those that will follow that will also be able to spy on you and yours using similar techniques, for much cheaper.

Just since June ’15 alone, the OPM hacks purportedly by Chinese agents and—the irony—the Italian Hacking Team itself getting hacked proves our blog article’s concerns were, if not prescient, accurate. Smaller agencies than the NSA/GCHQ and even private parties—both who can categorically be characterized as not being particularly protective of American or even European citizens’ rights, security or well-being—are using similar exploits.

It’s code. It’s protocols. It doesn’t check first for the proper badge before running. There is no “magic golden key” allowing only The Good Guys™ from executing code.

All of this leaving aside the issue that hardware and software are becoming more conceptual categories than practical ones. Securing one or the other is no longer a guarantee of safety. You need to have both secured. And, given the complexities involved, the only reliable way to do this is to use the F/LOSSH (Free/Libre Open Source Software and Hardware) model. Since without verification, there can be no trust. Since, even though we may trust an institution or person now, we can’t have faith that five years from now, these organizations will be the same, or the people we trusted still in place.

We genuinely wish we lived in a world where our caution we have for our customers was unjustified or even, hysterical. We genuinely wish there wasn’t a need for someone like Purism to develop verifiably secure, transparent ways for people to organize their thoughts then share them. The world would be a better place. We’d probably all enjoy a bit more extra sleep. But that’s not the world we’ve inherited. So instead, we’re energized at the challenges we all face. And we’re excited at the opportunity to do our small part in correcting this very unwelcome change in our digital environment.

The Four [Browser] Freedoms

Seventy-five years ago, Franklin D. Roosevelt proposed four fundamental freedoms that people everywhere in the world should enjoy. Purism now proposes four fundamental freedoms we should insist in our digital lives. In the first of a series of discussions, we focus on what we demand in a web browser before it’s included in PureOS.

Purism’s default web browser—PureBrowser—is one of the most secure, private, and freedom-respecting browser available, with a philosophy that will keep it respecting users’ rights in the future as new exploits and vulnerabilities are exposed and discovered.

There is only one sure way to ensure total security and privacy: don’t go online. However, that would make us even less free. Freedom compels risk-taking. Inaction is another path to servitude.

PureOS demands four fundamental freedoms:

  1. Useable to everyone; safety in numbers. A secure system few use is as bad as a compromised system everyone uses. Safety is contagious. If only a few people are using online privacy schemes, they stand out to thieves and other hostile entities. This isolation makes them targets. Thus, everyone’s privacy matters. Protecting less technically sophisticated users strengthens even the most sophisticated of us.
  2. Individual & personal. Everyone’s threat model – who is after you, for what, why & how – differs. Even for the same person, it changes, depending on context. Freedom means making knowledgeable choices that best suit our circumstances. Our fluid circumstances.
  3. Collectively verifiable & reliable. With your digital life at stake, promises are the wind. Only by using Free/Libre Open Software & Hardware (F/LOSSH) can we objectively verify claims.
  4. Transparent. Your software and hardware – and those making it – should be forthright in its function, capable in delivering them and limited to doing only what they promise.

Compared to common browsers, PureBrowser respects and protects your rights to privacy, security, and freedom by:

  1. Blocking third party trackers & advertisers by default. These are designed to gather private details about your browsing habits. Opting in should be your choice – not opting out.
  2. Using HTTPS where ever possible by default. Encrypting these connections prevents your behavior and information from being monitored by malicious groups while it is in transit. This also prevents you or the site you think you’re visiting from being hijacked by a third party.
  3. Being Free/Libre Open Software (F/LOSS). Without the ability to audit the software, it’s impossible to be certain how it works. Since Libre software’s source is made available – every line of code, by definition, has to be – it can be verified that it is what it purports to be. Communities together ensure this is the case. F/LOSS principles don’t require that we trust the author, it requires we trust the community.
  4. Never “phoning home” any personally identifying information surreptitiously. Information collected is, inevitably, information used. Chekhov’s Database, if you will.


The Four [Browser] Freedoms

MS Internet
Blocks sending identifying details
HTTPS Everywhere by default
Free/Libre & Open Source
Blocks 3rd Party trackers by default
1. Sends information to Apple for diagnostic purposes and to facilitate user-anticipated services.
2. Source code is released under free licenses, but other freedom and privacy restricting features exist.
3. Blocks 3rd party cookies; can send HTTP header request to them.

Summarizing the table above:

  • Microsoft’s Internet Explorer – and most likely their in-development browser, Edge – fail all four of these essential tests.
  • Google’s browser fails more than three of the four.
  • As of this writing, the general release of Firefox also fails three-quarters of them.
  • Apple’s Safari fails half.
  • PureBrowser passes all four of these essential tests. From the start, Purism’s PureBrowser blocks your personal information from being sent to groups you most likely do not want them to have.

Purism uses a fork—creates a distinct & separate piece of software—of Firefox, developed by the Trisquel development team. Wikipedia characterizes Trisquel as a fully F/LOSS system without proprietary software or firmware, noting that it is “listed by the Free Software Foundation as a distribution that contains only Free software.” Purism takes this already exemplary version then optimize it for the Librem laptops running PureOS and adds more privacy protections.

We carefully select privacy-enhancing add-ons, by default, such as the EFF’s Privacy Badger, that blocks third-party advertisers tracking literally every site you visit, page you view & video you watch.

PureOS also includes the EFF’s HTTPS Everywhere browser extension, which is also turned on by default.

Finally, we proudly include the superlative Tor Browser from the Tor Project to ensure your anonymity.

The threats we face are many, varied and constantly evolving. Purism will be constantly evolving, too. We’ll continue evaluating the best, most effective add-ons, the tightest, best source code and most cunning new exploits to keep PureBrowser the most rights-respecting browser available to safeguard your privacy.

We were delighted to discover, while writing this article, that the founder of the Free Software Movement, Dr. Richard Stallman, was also inspired by President Roosevelt when he proposed his Four Essential Freedoms. We ecstatically, humbly, follow these two superlative tracks of footsteps.

Rather than close with a The only thing we have to fear…, let us instead close with Mr. Roosevelt’s, Happiness lies in the joy of achievement and the thrill of creative effort.