I am currently receiving an order of computer parts in the mail including an SSD. Tracking showed that the package arrived in my town on day X, and was originally scheduled for delivery on day X as well. Tracking now says it is going to be delivered on day (X+3).

Being the paranoid person that I am, is there a reason to fear that the SSD is being tampered with/malware installed on it? Is there anything I can do before/when I install the OS in order to check for tampering?

J Sargent
Eric Johnson
  • Do you have a reason to believe you've pissed off the government? – Mark Buffalo Dec 06 '15 at 17:58
  • Further to Mark Hulkalo's comment, do you have trouble getting on airline flights? (My comment is serious; since I have a very common name, I had such trouble until I paid the bribe, erm I mean fee, to get a Known Traveler Number. It is apparently very easy to get on various watch lists, although I have to say that "Eric Johnson" is a lot like "Bob Brown" in terms of potential for duplicates.) – Bob Brown Dec 06 '15 at 20:51
  • @MarkHulkalo: I am a paranoid person. – Eric Johnson Dec 06 '15 at 22:20
  • @BobBrown: I have never had problems with that ... yet. – Eric Johnson Dec 06 '15 at 22:20
  • @EricJohnson Just because you're paranoid doesn't mean they aren't watching. :( – Mark Buffalo Dec 07 '15 at 00:52
  • I've been shipping and receiving packages (e.g. from eBay) and I've noticed a lot of delayed packages. It's probably not just you. This seems to happen every December. – Michael Hampton Dec 07 '15 at 01:26
  • It's justified to be paranoid when tampering by big governments ***really*** happens: http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/. I wouldn't even consider it paranoia anymore. It's more like looking both ways before crossing the street to avoid getting hit by a car. Before cars were common yes that would be paranoia. These days it's just good sense. – slebetman Dec 07 '15 at 02:18
  • I would like to note that you don't need to have done anything to bring attention to yourself for your equipment to be tampered with. There are a number of bot-style attacks that depend on a huge number of distributed agents that the blackhats have been using for years that government agents have also started using. – slebetman Dec 07 '15 at 02:21
  • Delay in shipping is a minor issue. The place of production being Taiwan or China almost guarantees something funny is embedded in the controller's logic. The reason this isn't a major panic issue for you is that most of the time these are bypass features for disk encryption which can only be exploited locally, not some magical superbug that can be exploited across the network (though there are some that will try to overwrite your UEFI keys to conduct a super "Evil Maid" attack on installation). In some ways we're back in the 1600's: you can only trust your family. – zxq9 Dec 07 '15 at 03:54
  • What'll really bake your noodle is when you realise that tampering time was already included in the previous delivery schedule, and the delay is simply due to bad weather or unexpected aircraft maintenance, or something... – HorusKol Dec 08 '15 at 01:44

5 Answers

If you don't want to be at risk, in the future get a third party to purchase stuff like this in cash, from a store not near your house or work.

You should see if you can download firmware for the drive from the manufacturer's site. Update the firmware on the drive, or at least check its signature.

Remember, it is near Christmas and shipping is likely to take longer than normal.

Neil McGuigan
  • From a store near work or home? Surely you should get the bus to another town and buy things with cash there. Don't forget to use a different store each time. – Jeremy French Dec 07 '15 at 11:13
  • @JeremyFrench and don't wear your usual clothes. – Gusdor Dec 07 '15 at 11:23
  • It actually says "Not near" :) – Neil McGuigan Dec 07 '15 at 17:25
  • @Gusdor Make sure you wear a Groucho Marx mask to avoid suspicion. – Schilcote Dec 07 '15 at 17:46
  • It should be noted that once a firmware has been tampered with, updating it or checking its signature is no guarantee of safety. The modified firmware can easily appear to update and/or give the correct signature, whilst still remaining tampered with. If you have reason to believe you have a modified firmware, the best recourse is to discard the item and buy another. That's not to say it isn't worth doing those things - just be aware that you are only benefiting in the cases where the malware isn't intelligent enough to protect itself in that way. – Jon Bentley Dec 08 '15 at 17:03

The risk of malware arriving on newly purchased computer equipment is very real. However, I believe you have much more reason to fear the original manufacturing practices than what goes on during shipment.

Consider that covertly intercepting, opening and resealing equipment is a high-cost, high-risk endeavour. It is also highly illegal. Assuming you live in the United States, federal statute 18 USC Section 1702 makes it illegal to knowingly open a correspondence addressed to someone else. While there is an exception for opening mail by mistake, I think the acts you fear would be very hard to argue away as a mistake (but IANAL).

However, there are countless examples of malware being factory-installed. Most recently, Dell shipped computers with a pre-installed self-signed root certificate, together with its unencrypted private key. This breaks all PKI for all recent Dell customers:

http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/

This was done only a few weeks after Lenovo was caught doing the same thing. And there are countless other examples. Here's another: http://www.zdnet.com/article/malware-found-on-new-hard-drives/

The Taipei Times is reporting that around 1,800 new 300GB and 500GB external hard drives manufactured by Maxtor shipped with malware on them. What makes this story even more interesting is that Taiwanese authorities suspected that Chinese authorities were involved.

In these cases, tampering would not be obvious. The drives would arrive factory sealed! Moreover, these are exactly the types of issues that can be (and indeed already are) argued away as mistakes. Plausible deniability and all that. If I was a surveillance-happy Government, this is how I would approach the problem (but, I'm not that paranoid).

In short, if you are worried (and you clearly are), perhaps use a Linux machine (perhaps booted from a live DVD) to deeply format your drive before using it. Hey, maybe this would make a fun Raspberry Pi project.

afourney
  • Actually, this has the makings of a good answer. Can you elaborate on why the manufacturing process is worse? A good way to fix link only answers is to paraphrase and elaborate on the article with your own thoughts and expertise. – Ohnana Dec 07 '15 at 17:36
  • The author asks: "is (it) being tampered with/malware installed on it? " -- not likely, but it may still have malware. And: "Is there anything I can do before/when I install the OS in order to check for tampering?" Probably not. It's best to wipe it from a sacrificial machine, or one that's likely to be immune or immutable. – afourney Dec 08 '15 at 02:46
  • *perhaps use a Linux machine (perhaps booted from a live DVD) to deeply format your drive before using it* This may be ineffective for multiple reasons. First & foremost, most surveillance software would be in the firmware, not on the disk itself (which is what you would be formatting). Second, in the case of SSD drives, they do not have a direct logical to physical block correspondence like their predecessors; the whole logical storage layer is "emulated" by the firmware, and the SSD's firmware constantly rearranges and reshuffles what blocks are actually being written to (to prolong life). – Ruslan Dec 08 '15 at 09:18
  • “Consider that covertly intercepting, opening and resealing equipment is […] highly illegal.” — No, but it's the _government_ doing it, so it's totally okay! – Blacklight Shining Dec 08 '15 at 12:42

No worries, it's probably just at the "load station":

The method, called “interdiction,” is one of the most successful operations conducted by the NSA’s Office of Tailored Access Operations (TAO), which specializes in infiltrating computers, wrote the publication, citing a top-secret document.

“If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops,” Der Spiegel wrote.

The workshops, called “load stations,” install malware or hardware components that give the NSA access to the computer, it wrote.

Source: Jeremy Kirk, PCWorld, "Report: NSA intercepts computer deliveries to plant spyware", 2013-12-30

guest7173
  • This answer would be better if you were to summarize the material from the link or quote some of it into the answer. – Neil Smithline Dec 07 '15 at 02:13
  • The article title, which is part of the URL, is a reasonable summary. It would have been better to format it like [Report: NSA intercepts computer deliveries to plant spyware - PCWorld](http://www.pcworld.com/article/2083300/report-nsa-intercepts-computer-deliveries-to-plant-spyware.html), though. – Peter Cordes Dec 07 '15 at 04:52
  • @PeterCordes That is not a summary. To prevent link rot we encourage all users to put the most relevant parts of an article into the answer itself, not just a headline or a one-line blurb from the article. If the link goes bad, what other information could this answer have besides a vague "Report: NSA intercepts computer deliveries to plant spyware" with a dead link to back it up? – yuritsuki Dec 07 '15 at 06:26
  • Four different users [arguing](http://meta.stackoverflow.com/questions/251514/how-should-accepted-link-only-answers-be-handled/251624#251624) and 10 upvotes but no one can be bothered to just [add in a quote](http://security.stackexchange.com/posts/107443/edit)? – Lilienthal Dec 07 '15 at 14:58
  • @Lilienthal It is the job of the answerer to provide a complete Answer. Answers are not communal because of the reputation and voting mechanisms of the site. – schroeder Dec 07 '15 at 16:17
  • @schroeder True, but then it should just be downvoted until it's useful. Debating what needs to be done to fix it instead of fixing it just seems pointless to me. – Lilienthal Dec 07 '15 at 16:28

Oh, come on man; there's virtually zero chance that the NSA/CIA or FBI have interdicted your SSD to plant malware on it. Not realistic.

I mean, why do that when the NSA can just use QUANTUMINSERT to detect when you browse to a web server on the Internet, spoof a response from the server to create a Man-on-the-Side attack, and drop some malicious code (maybe a nice zero-day for your browser?) into the http traffic headed to your PC? ;)

What's that? You use a VPN every time you access the Internet? Or you only visit https websites? You always use TOR? Oh, you should be fine, then. (Not.)

Quasi-serious takeaway: if you use the computer the SSD is going into to access the Internet there are many, many easier & more efficient ways for a very-advanced attacker to get into your systems than physically intercepting & fooling with an SSD. Not that physical interdiction is impossible in any case, as you noted. Just that that's (probably) only efficient for three-letter agencies to do as kind of a last resort, for targets who largely or completely stay away from connecting to the public Internet. If an individual user's machine does connect to the Internet... a high-resource cyberattacker probably calls that situation "target practice".

mostlyinformed
  • -1 because not everyone on this site lives in the USA. In many countries, this is a very real threat. – Prinsig Dec 08 '15 at 11:24
  • You have misunderstood the link you provided regarding VPN/TLS/Tor/SSH/etc. While it is more complex than simply saying "yes you should be fine", there is nothing in there that suggests any of those protocols are fundamentally broken, just that people are trying to develop attacks (and attacking insecure endpoints is efficient). – guest Nov 19 '17 at 06:25
  • Additionally, TCP hijacking attacks (QUANTUMINSERT etc) and such are only so useful. If you are using something like Tor, they cannot use that attack against you, only against an exit node, and they are not able to tell which exit you are using. Same with a 0day, they need to know who you are (or at least a small website they know you visit). With those limitations, interdiction often _is_ the most effective and simplest way to compromise a network. – guest Nov 19 '17 at 06:28

Chances are, unless you're buying from a sketchy vendor, you're safe. However, if you're still paranoid (which I wouldn't really blame you for being, especially today), the best you can do is format the drives according to DoD wipe standards. Without the "destroy everything" part of course.

I repurpose systems all the time, and the first thing I do before I plug them into my network is verify they're wiped and if they're not, I wipe them.

AceHigh
  • malware goes in the drive's firmware now, which can't be formatted – Neil McGuigan Dec 06 '15 at 19:46
  • @Neil Valid point. Honestly though, if you're buying from a location or vendor where that's a concern, you have to shell out the money to purchase from a more trustworthy source. – AceHigh Dec 06 '15 at 19:50
  • Wiping an SSD is difficult because sectors get remapped to distribute write operations approximately evenly across the drive. – Bob Brown Dec 06 '15 at 20:47
  • @AceHigh The asker is concerned about whether a *third party* could inject malware *in transit*, not whether there was likely to be malware already installed on the device. – user253751 Dec 07 '15 at 01:18
  • @BobBrown: The goal isn't to make sure none of the old data is left on flash chips, merely to make sure that the firmware won't ever send it out in response to a SATA sector read request. If the firmware is malicious, you can't trust anything. As long as the firmware is trustworthy, a `security erase unit` or having the drive TRIM (i.e. discard the mappings) for the entire size of the disk will work. – Peter Cordes Dec 07 '15 at 04:49
  • @BobBrown Even if remapping occurs, the process should make sure that data which aren't supposed to be here won't ever show up. – glglgl Dec 08 '15 at 09:45
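Peter Cordes' comment above suggests an ATA `security erase unit` or a whole-disk TRIM once the firmware is trusted. As an added example that is not part of the thread, this POSIX shell snippet reads `hdparm -I` output and decides which of those a wipe script may use, refusing while the BIOS has the drive frozen; `DEV` and the password `p` are placeholders and the sample outputs are constructed, while the `hdparm` and `blkdiscard` options themselves are real.

```shell
#!/bin/sh
# Added example, not code from the thread. Classify a drive's ATA security
# state from the text of `hdparm -I /dev/sdX` (read on stdin) so a wipe
# script can choose "security erase unit" or whole-device TRIM, and stops
# while the BIOS has left the drive frozen. DEV and the password "p" are
# placeholders. Prints one word: enhanced | normal | frozen | locked | unsupported
ata_erase_readiness() {
    # Keep only the indented lines under the "Security:" heading.
    sec=$(awk '/^Security:/ {f=1; next} /^[^[:space:]]/ {f=0} f')
    [ -n "$sec" ] || { echo unsupported; return 0; }
    # hdparm prints "not<TAB>frozen" when clear and "<TAB>frozen" when set,
    # so a flag is set exactly when it directly follows the indentation.
    if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]+frozen'; then
        echo frozen
    elif printf '%s\n' "$sec" | grep -Eq '^[[:space:]]+(enabled|locked)'; then
        echo locked
    elif printf '%s\n' "$sec" | grep -q 'supported: enhanced erase'; then
        echo enhanced
    elif printf '%s\n' "$sec" | grep -Eq '^[[:space:]]+supported[[:space:]]*$'; then
        echo normal
    else
        echo unsupported
    fi
}

# Map the state to what a wipe script should do next (hdparm/blkdiscard
# syntax is real; DEV is a placeholder for the block device).
erase_command_for() {
    case "$1" in
        enhanced) echo "hdparm --user-master u --security-set-pass p DEV && hdparm --user-master u --security-erase-enhanced p DEV" ;;
        normal)   echo "hdparm --user-master u --security-set-pass p DEV && hdparm --user-master u --security-erase p DEV" ;;
        frozen)   echo "suspend to RAM and resume (or hot-plug the drive) so the BIOS freeze lock clears, then re-run hdparm -I" ;;
        locked)   echo "security is already enabled: disable it with the existing password before erasing" ;;
        *)        echo "blkdiscard DEV   # whole-device TRIM, then confirm reads return zeros" ;;
    esac
}

# Constructed samples (not real hdparm output): a ready SSD and a frozen one.
SAMPLE_READY=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\t\tsupported: enhanced erase\nChecksum: correct\n')
SAMPLE_FROZEN=$(printf 'Security:\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\nChecksum: correct\n')

state=$(printf '%s\n' "$SAMPLE_READY" | ata_erase_readiness)
echo "ready sample -> $state: $(erase_command_for "$state")"
state=$(printf '%s\n' "$SAMPLE_FROZEN" | ata_erase_readiness)
echo "frozen sample -> $state: $(erase_command_for "$state")"
```

As Neil McGuigan and Jon Bentley note above, none of this helps if the firmware itself has been modified; the erase only controls what a trustworthy firmware will return for later reads.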