16

We are told that the roots of trust in the PKI are the handful of Certificate Authorities that issue root certificates and sign other certificates and ensure at least some extent of trust to be maintained on the internet.

These root certificates come pre-installed on most modern operating systems. This provokes the thought that it is not the root CA that we're trusting, but the entity/entities that provide us that root CA, which may be the manufacturer, the operating system developer, or even the seller that sold the device.

To explain my point, I provide this hypothetical example. Let's say that Julian Assange, while hiding in the Ecuadorian embassy, decides to buy a new Thinkpad on a famous e-commerce website. Now famous e-commerce website, like countless other American organizations, collaborates with the NSA on data sharing. The NSA learns of Assange buying a new laptop, and decides to "bug" that laptop with a fake root CA (and a bugged TPM). The package is delivered in brand new condition, and Assange begins to use his laptop.

It turns out that the Ecuadorian embassy's network was 'pwned' by the NSA long ago. Assange's network traffic was going through NSA's systems for quite a while, but the saving grace was that the traffic was at least encrypted. Now, with the fake root CA, the NSA is successfully able to mount a Man in the Middle attack, being able to see the traffic in plaintext, with perhaps the exception of PGP encrypted e-mails.

Even if Assange tries to download new Root Certificates to ensure being on the safe side, the traffic is intercepted by the NSA, and fake certificates are inserted.

Now, you might reasonably argue that the aforementioned 3-letter-agency (and its equivalents everywhere) do not have enough funds, reasons, or legal authority to target most of us, but this might be a realistic scenario for many of the activists, or perhaps very lucrative targets such as data centers/companies that might end up buying a system bugged with fake root CA.

My question is, what are some guidelines that individuals and organizations can follow to ensure they don't become a target of such an attack?

Additionally, are there any books, research papers, etc, that discuss this threat model in detail?

kenlukas
  • 835
  • 6
  • 18
Jaskaran Veer Singh
  • 169
  • 1
  • 5
  • This attack is very detectable. The Turing Incompleteness Theorem hates the CIA's guts. – Joshua May 01 '22 at 04:23
  • 8
    Some laptop vendors have already shipped their machines with bad root CAs installed. Examples: [Lenovo](https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/) , [Dell 1](https://www.computerworld.com/article/3007981/what-you-need-to-know-about-dells-root-certificate-security-debacle.html), [Dell 2](https://www.computerworld.com/article/3008521/a-second-dangerous-dell-root-certificate-discovered.html) – Jonathan May 01 '22 at 08:02
  • Just a note, not all trusted root CAs are pre-installed on Windows. They may be pulled-in dynamically as needed. This [article](https://mssec.wordpress.com/2013/01/31/which-root-cas-do-you-really-trust/) explains in detail or check the [Microsoft Trusted Root Program](https://docs.microsoft.com/en-us/security/trusted-root/participants-list) for the full list of certs trusted on windows. – JimmyJames May 02 '22 at 19:44

5 Answers5

18

My question is, what are some guidelines that individuals and organizations can follow to ensure they don't become a target of such an attack?

The attack in the hypothetical example that you describe relies on a fraudulent certificate having been installed on the system before the system was delivered to the victim.

To mitigate an attack of this nature, it's best to not trust someone else to install the operating system. Instead, wipe the hard drive clean, and install an OS that you trust on the system from scratch, using an ISO from a distributor that you trust. And, proceed with the installation only after you have verified the distributor's signature on the ISO.

mti2935
  • 19,868
  • 2
  • 45
  • 64
  • 14
    It also relies on the victim not checking the fingerprints of the certs - only the very paranoid do that. But if the victim uses the OS as installed then the perpetrator could far more easily install a key logger / other malware, or a backdoor into the crypto signature checker. For that reason high risk targets don't use vendor installed OS's (and check their hw provenance). So this seems an unlikely route of attack. – abligh May 01 '22 at 04:20
  • 2
    @abligh: Exactly, checking the fingerprints is the root of trust. That is what I am saying in my answer. – mentallurg May 01 '22 at 19:04
  • 2
    They can go one level deeper and bug the hardware with a BIOS rootkit and a hidden radio transceiver – user253751 May 02 '22 at 10:39
  • The caveat here being that if you are running a standard version of windows, it will install trusted root CAs silently as you are visiting web sites. – JimmyJames May 02 '22 at 20:20
12

My question is, what are some guidelines that individuals and organizations can follow to ensure they don't become a target of such an attack?

One way to avoid being the target is to not do anything that would spike the interest of intelligence agencies. It won't prevent you from being caught in the collateral damage of the agencies targeting somebody around you though...

More seriously, for an individual, there is no easy way to detect or thwart such an attack, as the resources of the attacker far outmatch your own. An intelligence agency won't just add a root CA to computer if they have a chance to tamper with your hardware. That would have too easy to detect/mitigate. They will likely install some hardware backdoor and/or persistent malware.

You could reinstall the operating system, but this wouldn't prevent advanced firmware-resident malware from reinfecting you. You could check the certificate fingerprints, but the malware would simply hide the fingerprint of the malicious certificates and instead display the fingerprint of the real certificate. The cost of detecting and removing any hardware backdoors is prohibitively high.

An individual's best bet against such an adversary is to not get compromised hardware in the first place. Instead of ordering the laptop online (which makes it very convenient for a TLA to intercept and modify), purchase it from a brick and mortar store in cash. Additionally, make sure the store is some distance away from where you live (far away enough that the adversary cannot easily predict you will go there).

nobody
  • 11,251
  • 1
  • 41
  • 60
11

The root CA list is not hardware-based (in the general case, see about the TPM below). It comes as a built-in feature of your operating system.

Other software (e.g. browsers, mail clients, etc...) may either use the OS provided list or have their own.

These lists are once in a while updated by the software vendors with whatever security update process they have in place.

In general, you trust the vendors of your software and the root CAs.

Why they are at all trustworthy - well, they are trustworthy to an extent. See here.

People with computer security related work are highly unlikely to use the preinstalled software on their new computer.

What they do is to install an OS with an acceptable security track record and they check the installation media first (by its fingerprint or signature).

(Of course, this is not the whole story, but only a good outline.)

In regard to the TPM module:

For the average Assange residing in the average Ecuadorian embassy,the TPM module in their computer is a security risk in itself, just like any unauditable blackbox related to the information security. They do everything they can to remove, disable or at least exclude the TPM module from their chain of trust.

fraxinus
  • 3,425
  • 5
  • 20
  • 1
    The Trusted Platform Module is all about Microsoft et al being able to trust that your computer is running the software _they_ want it to run, not the software that _you_ want it to run. Everyone should disable the TPM. – studog May 02 '22 at 18:39
  • 1
    This is what my average Assange is all about. – fraxinus May 02 '22 at 19:34
  • 2
    @studog the government puts up road signs not to ensure that you can drive where _you_ want, but so you can drive where _they_ want. Everyone should stop paying attention to road signs. – Jon May 03 '22 at 10:24
  • @Jon Exactly, use a navigation solution from a vendor you trust and paid, so you can take control over your own route. – ThaJay May 03 '22 at 10:58
7

TLDR: Check fingerprints of certificates on your device.

All certificates, not only root ones, have fingerprints. These fingerprints are publicly known. If you have any doubts about certificates on your particular device, you can compare their fingerprints with known values. For instance, you can use several other devices and from each one access several resources where information about particular certificates is published. Also you can contact some friends who can do it for you. And so on. Technically it is impossible to break all channels and replace real data with desired fingerprints of the fake certificates.

Thus, you will know the fingerprint of the correct certificate. Then compare it to the fingerprint of certificate on your device. If it does not match, this will mean that certificate on your device is fake.

Besides, fake certificates make sense only in one case, when somebody fully controls connection between your device and the Internet. If you can connect to the Internet via networks that are not controlled by the attacker, your browser will obtain the real certificates from the target web sites. Your browser will complain that their certificates are not trusted, because they differ from what is installed on your device. Latest then you will check certificates on your device and certificates on the target web sites, and you will see that actually certificates on your devices are fakes.

mentallurg
  • 8,536
  • 4
  • 26
  • 41
  • I'm not familiar with a system that caches websites' certificates locally and refuses to accept other certificates than the ones cached. The exception is HPKP, but that only applies to websites that use it, and it has been deprecated anyway. – Dessa Simpson May 01 '22 at 16:21
  • @DessaSimpson: It has nothing to do with caches. When any operating system is installed (Windows, Linux, MacOS, iOS, Android), it contains a set of certificates of root CAs. The most applications do use namely these preinstalled certificates as **root of trust**. When an application checks a certificate of some web site or generally some remote resource, it checks who has issued its certificate. Then the issuer of their certificate, ans so on. The upper certificate in the chain to be **trusted** must be preinstalled in the OS. – mentallurg May 01 '22 at 18:53
  • @DessaSimpson: ... There some applications that use not preinstalled root CA certificates in the OS, but use their own trust stores, like Java. But also in case of such applications, when you manually install some root CA certificate, you first check their fingerprint to be sure the certificate really belongs to the given root CA. – mentallurg May 01 '22 at 18:56
  • @DessaSimpson: ... Thus, in all cases **the root of trust** is the fingerprint of the certificate of the root CA. You check the fingerprint --> then you know this certificate really belongs to the given root CA --> then you trust to certificates issued by this CA --> then you trust particular web resources that present certificates issued by CA that you trust to. – mentallurg May 01 '22 at 18:58
  • The last paragraph does not seem quite correct. The would-be eavesdropper only needs to **add** a new trusted root cert, they do not need to replace all of them. So regular certificates will be recognised and trusted without error, while fake certificates matching the fake root cert will be recognised as well. – jcaron May 02 '22 at 11:08
  • @jcaron: Correct. I assume that if there is more than one certificate for the same CA for the same period of time it can be easily noticed in the list of certificates. Where as when there is a single certificate (the real one replaced with a forged one), it is harder to notice that it is forged, because it needs thorough comparison of fingerprints. – mentallurg May 02 '22 at 17:07
  • @mentallurg With regard to Windows, not all root CAs are pre-installed. Windows will dynamically add certificates as needed. If you are running Windows, you can verify this yourself. Open certmgr.msc and look in trusted root CAs for 'Hongkong Post". You probably won't have it but if you do, remove it. The open Edge or Chrome (but not Firefox) and navigate to https://www.hongkongpost.hk/. Refresh your CAs and it will be added to your trusted root CAs. – JimmyJames May 02 '22 at 19:38
  • Actually with regard to the last paragraph, if I'm not mistaken, the attacker doesn't need full control over your connection, they just need DNS to point you to their servers. It's similar to the [Brazilian bank hack](https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/) worked. The main difference there was that they issued certs from Let's Encrypt for their hosts which was already a trusted CA. – JimmyJames May 02 '22 at 20:12
  • @JimmyJames: To me it is a part of controlling the connection. But if we use different wording, we can consider it as a further factor. – mentallurg May 02 '22 at 20:44
  • @mentallurg When I see "controlling the connection", I think of thing like how employers set up proxies for their employees to be able to introspect their traffic. In the example I gave above, the client machines were simply accessing the public internet through their ISP as normal. – JimmyJames May 02 '22 at 20:49
  • @JimmyJames: By controlling connection I mean actions that affect the whole infrastructure used for traffic exchange: From logical routing to the delivery of physical signals. – mentallurg May 02 '22 at 20:58
6

What you describe is a supply chain attack. And it is something relatively hard to protect from.

what are some guidelines that individuals and organizations can follow to ensure they don't become a target of such an attack?

The easiest way to avoid being targeted is to avoid being detected as the target. So, if you were Julian Assange, don't order the computer as "Julian Assange", and don't ask for it to be delivered to the Ecuadorian embassy.

Even better, don't order it, but go to a shop (or have someone trusted go in your place) and buy a random ThinkPad of those they have on display. If your attacker doesn't know which computer you are going to buy (or even which commerce!), they cannot bug your computer. They would need to bug all the computers of the shop. Moreover, someone else buying one of those could be noticeable.¹ If you are an important enough target, we can imagine even creating a fake shop just to sell a single compromised computer, but the complexity is much higher than compromising just "the computer for Julian Assange".

Basically for the same reason, there is a story that Trump likes to eat at McDonald's -among other things- to avoid being poisoned, since nobody knows he's going there, or which burger he's going to eat.

If you are a company or government trying to avoid this (e.g. if the Kremlin wanted to buy American computers), they would use a number of intermediaries to obscure the real buyer.

Moreover, companies would probably not use the preinstalled OS, but its own image (for other reasons, but actually helping with this). An end user could do the same, by installing a new OS from a trusted source (in fact, a compromised OS or browser could be more useful than merely a compromised CA store). Which moves the target from having a trusted software preinstalled to getting a copy of non-compromised software. If you already somehow have a trusted machine, you can use that to bootstrap (such as figuring the right fingerprints, and calculating it with a non-compromised tools).

If you need to install a tool with no prior toolset that can be trusted not to have been compromised. Even if you manually check fingerprints, you cannot be sure that the software that is calculating such fingerprint isn't lying to you.

¹ They could simply add duplicate CA certificates, so that innocent customers would not get certificate errors when using a network not compromised by the Agency, but it's not desirable for them that a Greenwald notices that shop X is selling compromised computers.

Ángel
  • 17,578
  • 3
  • 25
  • 60