Paranoid After Purchase !


routerguy

New Member
Jan 16, 2023
Hey All,

I recently purchased one of those generic Chinese fanless PCs/appliances from AliExpress after watching all of those awesome reviews by Patrick on YouTube. I'm making mine into a pfSense router (for home use) and I'm currently in the process of getting it all set up. Being somewhat security conscious, I've recently developed a little paranoia about the fact it's a no-name device from China. Knowing this, I bought my unit barebones and loaded my own copy of pfSense. However, I do realize that it's possible that there could be compromised hardware such as the BIOS (reference: Bloomberg). I'd like to flash the BIOS, but from what I've read that's usually not possible and/or is not a surefire way to remove malicious code (if any). So, the only thing that I can think of that might put my fears at ease is to just packet capture (via Wireshark) the WAN port for a few days while it's connected to the internet to see if there are any suspicious "calls home" or anything like that.

Am I just being ridiculous, haha? Do any of you have any suggestions on how to do a security audit of a device like this? Has anyone even heard of these devices having hardware hacks/viruses?

Here is the one I purchased (I got the i5 version):
https://www.aliexpress.us/item/3256804345487559.html
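One way to turn a multi-day WAN capture into something reviewable, as an added example (not from the original post): export the flows, then flag traffic the router itself originates to destinations you did not expect, and look for clockwork timing, which is what a "call home" beacon usually looks like. The WAN address, allowlist and flow records below are constructed for the demo.

```python
"""Review outbound flows originated by a router's own WAN address.
The records are constructed; in practice export them from the capture
(e.g. per-conversation statistics) into this (time, src, dst, dport, bytes) shape."""
from collections import defaultdict
from statistics import mean, pstdev

ROUTER_WAN_IP = "203.0.113.10"  # assumed WAN address (documentation range)
# Hosts the router itself is expected to contact; assumed values, edit for your box.
EXPECTED = {
    "203.0.113.1": "ISP gateway (assumed)",
    "198.51.100.5": "NTP server (assumed)",
    "198.51.100.20": "package/update mirror (assumed)",
}

# Constructed flow records: (epoch seconds, src ip, dst ip, dst port, bytes)
FLOWS = [
    (1000.0, "203.0.113.10", "198.51.100.5", 123, 76),
    (1003.0, "203.0.113.10", "192.0.2.77", 443, 512),   # every ~15 min ...
    (1900.0, "203.0.113.10", "192.0.2.77", 443, 498),
    (2800.0, "203.0.113.10", "192.0.2.77", 443, 505),
    (3700.0, "203.0.113.10", "192.0.2.77", 443, 520),
    (1500.0, "203.0.113.10", "198.51.100.20", 443, 3000),
    (1600.0, "203.0.113.10", "192.0.2.9", 80, 2000),    # one-off, unexplained
    (1700.0, "192.0.2.55", "203.0.113.10", 443, 100),   # inbound scan noise, ignored
]

def unexpected_destinations(flows, wan_ip=ROUTER_WAN_IP, expected=EXPECTED):
    """Flows the router itself started toward addresses outside the allowlist."""
    return [f for f in flows if f[1] == wan_ip and f[2] not in expected]

def beacon_candidates(flows, wan_ip=ROUTER_WAN_IP, min_hits=4, max_cv=0.2):
    """Destinations contacted at near-regular intervals.
    cv = stddev / mean of inter-arrival gaps; a low cv means timer-driven traffic.
    Returns {dst: mean interval in seconds}."""
    times = defaultdict(list)
    for ts, src, dst, *_ in flows:
        if src == wan_ip:
            times[dst].append(ts)
    result = {}
    for dst, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            result[dst] = round(mean(gaps), 1)
    return result
```

A legitimate periodic hit (NTP, update checks) will also show up as a beacon, so the value of the allowlist is in explaining each flagged destination rather than in the flag itself.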
 

Patrick

Administrator
Staff member
Dec 21, 2010
If it makes you feel better, Bloomberg's stories have been fairly thoroughly debunked by folks like Tim Cook, Andy Jassy, and more. There is still a risk, but Bloomberg's original article has zero cited sources that have said that Bloomberg was correct.

In its second article, I did the follow-up interview with the source, and you can see what that source thought of Bloomberg's reporting.

Personally, I still think this line of Bloomberg stories was paid for by a hedge fund and should be investigated as such by the SEC.

Then again, could there be a security issue with these, possibly. These packages could even be intercepted during shipping as was noted in the second piece.
 

routerguy

New Member
Jan 16, 2023
Hey @Patrick ,

Thanks for chiming in and offering up those articles. It does ease my fears a bit after pointing out the fact that there wasn't much in the way of supporting evidence. I suppose anything is possible, but maybe unlikely on low-level consumer hardware like this. I guess, what would they hope to attain from an individual consumer like me exactly? My files, my encrypted web traffic?

Oh well, I'll probably finish up my packet capture and call it a day. I guess I was just curious if there were others out there who were a little anxious like me about adopting a unit like this into their network. I take it by the lack of replies, not many have the same concerns :).
 

Stephan

Well-Known Member
Apr 21, 2017
Germany
The good news is, and to quote former US president GWB, "if you're the target of state sponsored IT terrism", because you touched the Snowden cache, or run an embassy, you already know.

If you're still paranoid, see a doctor. Kidding... get an accurate scale and borrow an x-ray machine. Buy two devices: one for you, and one for a female friend on the other side of the country. Weigh both PCBs with just the chips, no heatsink etc. There should only be a marginal difference. The scale needs to resolve milligrams. And then that's the coarse measure. X-ray both machines and compare photos. Extra stuff will show up. Extra circuitry in cables etc. will also show up, even with an IR camera in the 500 EUR range or better.

Much more important to stay private though is to store your stuff on premises and not in the cloud. Because the cloud is just other people's computers. And they are VERY bad at keeping secrets.
 

routerguy

New Member
Jan 16, 2023
Hey @Stephan

Haha, since I can’t tell 100% if you’re being sarcastic, here is my response if you were being serious :D
  • I can get a scale and access to an x-ray machine through a friend’s work and I could look for differences that way. However, this assumes that I can source a non-tampered unit. This method also assumes that the nature of the hack is strictly hardware based. What if the hack was in the BIOS firmware? If that's the case, then I would probably need a way to extract the BIOS and compare that to a known non-tampered version.
  • I’m not sure what an IR camera would reveal. Isn’t that just for detecting and measuring thermal energy?
  • I completely agree with your comments about the cloud and that’s why I do store my files locally.
I feel like the big takeaway is that there really isn't a good way to know, as the average consumer, if your hardware/firmware has been compromised. I just thought maybe there was something easy I could do (like packet capture) to detect obvious bad behavior and wanted to know if anyone else here had any other methods I could try. I understand if the hack is clever enough, it's not something that's going to be easily detectable. I guess it all comes down to blind trust since, as Patrick pointed out, vendors don't exactly have 100% control in their supply chain.
 

oneplane

Well-Known Member
Jul 23, 2021
For the average consumer and business there really isn't likely going to be any difference in origin security when buying an AliExpress special vs. a Cisco, Juniper, Supermicro, Dell, Smoothwall, Fortigate etc. They are all made in China, probably using the same component vendors, the same PCB sources, the same fabs, the same P&P machines etc. If they were going to be mass-exploited, that would make so much noise that we'd have heard about it by now. That leaves targeted exploitation, and unless you have a threat model where you are a very interesting target, nobody is going to spend the resources doing that.

That said, if you are afraid the hardware is doing something bad, your only real alternative is getting something that is completely made locally, and that will be so much more expensive than say, your house, that it is not realistic to aim for that.

Even if you did get something different, your ISP is probably still using Huawei ACS and CRS systems ;-) So whatever you do on 'your' end is only a small part of the puzzle.
 

routerguy

New Member
Jan 16, 2023
Oh man, that gets even more rabbit hole when you mentioned the ISP o_O.

Regardless, I think I'm talked off the ledge now, so I'll stop worrying so much and enjoy my purchase. :p

Thanks!
 

Stephan

Well-Known Member
Apr 21, 2017
Germany
@routerguy My response was half tongue in cheek... there is precedent with persistence coming from UEFI modules. Get a SOIC8 clip and dump the BIOS with machine off, then you will know. And likely find nothing. Remember SSDs have also been a source of persistence. Printers... IR cameras will reveal heat generated e.g. in USB cables which have extra electronics hidden inside. Purely passive cables have no electronics.

The Pegasus malware for Apple phones was a bit different. They sold it to so many people and it worked so well and silently, that ordinary "system critics" also got it installed thanks to the local junta. The lesson here is to not use any major platform like Apple or Android, and also to not use any 4G baseband, because those little critters all have a secret life of their own.

If you are worried about your platform being subverted, get an old Sun Ultrasparc and use that.

@oneplane Some stuff is Made in Taiwan. But who knows where the PCBs come from... with embedded extra chip. I agree with the noise statement though. Cost is multi million easy, for such a job. A three letter agency will do it, if you are worth it.
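Once you have clipped the SPI flash and read it out, the comparison step is where the "then you will know" happens. As an added example (not from the post above), this reads the chip twice to make sure the clip gave a stable image, then reports the byte ranges that differ from a reference image so you can map them onto the UEFI layout. The images here are constructed 64 KiB stand-ins for a real 8-16 MiB dump; the reference would be the vendor's own BIOS file or a second unit's dump.

```python
"""Compare SPI flash dumps: check read-back consistency, then diff against a reference."""
import hashlib

def differing_regions(image, reference, merge_gap=16):
    """Return [(offset, length), ...] of byte runs where image != reference.
    Runs separated by fewer than merge_gap identical bytes are merged into one region."""
    if len(image) != len(reference):
        raise ValueError(f"size mismatch: {len(image)} vs {len(reference)} bytes")
    regions, start, last = [], None, None
    for i, (x, y) in enumerate(zip(image, reference)):
        if x != y:
            if start is not None and i - last > merge_gap:
                regions.append((start, last - start + 1))
                start = None
            if start is None:
                start = i
            last = i
    if start is not None:
        regions.append((start, last - start + 1))
    return regions

def compare_dumps(read1, read2, reference):
    """Two reads of the same chip must be identical; otherwise the clip contact or
    read speed is unreliable and any diff against the reference is meaningless."""
    if read1 != read2:
        return {"readback_consistent": False, "regions": None}
    return {
        "readback_consistent": True,
        "dump_sha256": hashlib.sha256(read1).hexdigest(),
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        # Differences inside the NVRAM variable store are normal (boot order,
        # setup changes); anything in the code volumes is what needs explaining.
        "regions": differing_regions(read1, reference),
    }

# Constructed images: a 64 KiB pattern and a copy with two modified areas.
REFERENCE = bytes(range(256)) * 256
_t = bytearray(REFERENCE)
_t[0x1000:0x1010] = b"X" * 16   # a 16-byte patch
_t[0x8000] ^= 0xFF              # a single flipped byte
TAMPERED = bytes(_t)
```

Offsets from `differing_regions` are what you feed into a UEFI volume parser to see whether a changed range sits in the variable store or in a firmware volume.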
 

unwind-protect

Active Member
Mar 7, 2016
Boston
I don't see the risk/benefit ratio working out in favor of infecting such things.

Every time you put your malware out there you risk exposure to security researchers, which kind of ruins your engineering efforts. Such random devices are unlikely to be used at any juicy targets. So overall I'd say the risk is not particularly high.