
💻 Hardware 👾 Backdoors History (IntelME, Computrace, BIOS) + Recent Cases

Aug 01, 2022

Post may be updated with new relevant information.


Thanks Latest Coffee Member Faros.

Also thanks to PL, T., G.


SUMMARY

Covers various (historical + present) backdoors found in hardware (including this week's latest Asus motherboard UEFI firmware backdoor: "CosmicStrand").

Important for individuals, governments, and small businesses to be familiar with the risk.

It doesn't mean all 'backdoors' (ex: test accounts) are put there for ill intentions. Large networks require remote access, and server management.

It's nothing new.


Intel AMT Briefing

Many are still unaware that (most) computers come with 👾 Intel Management Engine, and many with AMT (Active Management Technology), a proprietary remote access backdoor (it has legitimate purposes, but by definition acts as a backdoor).

There are legitimate advertised purposes, while the functions mirror those of a hardware backdoor implant.

Computers with ME can't hold power without it: removal is very difficult by design (if not impossible, depending on hardware), and remote access is hidden from the PC owner's purview. If you attempt to remove it completely, your PC will not power on for long.

HAP Bit

'HAP bit' (see me_cleaner), once set, partially 'neuters' Intel ME. Reportedly a solution for agencies who needed to meet the bar for a "high assurance platform" (HAP bit does not work for all models).

'Normal' customers are generally left with no choice in newer Intel computers with AMT / vPro.

Newer computers are completely dependent on the Intel ME co-processor. Remote OOB (out-of-band) communication is the most concerning part.

Why so few options for Intel models without? It's worth asking.


Others might not be aware of servers (ie: cloud rental) having 👾 IPMI BMC hardware with remote OOB (out-of-band) access: in truth, this should be expected for large server mgmt - make sure you trust your providers. But it's still not common knowledge to the average person, so I mention it.

What about 👾 Computrace? Familiar? Aware of Lojack? Computrace is another 'backdoor' styled security feature, covered in the video. It looks, acts, and feels like a backdoor for those performing system analysis (as the video shows).

Learn about the above and more, in today's latest video.




Could there be additional persistent undocumented features inside ISP routers?

You might like the idea of a simple, single board computer for routing at home, and at the office.


Avoid ISP routers - many problems over time, new innovations can add attack surface. Find another router (router advice towards bottom).

INFO: ISPs in the USA have been legally allowed since 2017 to sell customer data / identifiers "without explicit consent." Other countries may vary in their data protection, but (in my opinion), we should assume abuse of this exists in the data broker industry.

(not all ISPs are reported to do this)


TIP: encryption helps prevent (potential) malicious redirection of personal devices.


DETAILS / MITIGATION EXAMPLE

Blocking hardware-related backdoors locally (from the local OS) is unlikely to be a workable solution.

RING LAYERS AND SCOPE

The rings represent layers of privilege. The kernel, at the center (below), has access to everything outside of it, and the same holds for each ring in turn.


Take Intel Hardware Example Here...

INTEL MGMT ENGINE RING LAYER (-3)

Additional rings add privileges that otherwise wouldn't have existed, for ME, at Ring -3.

Meaning it has privileges over everything outside of it.

Intel ME runs at the highest privileges, completely outside the oversight of the operating system (ie: Windows, Linux).

Learn more on rings on Intel hardware, here.

[and see: Intel MGMT Engine Post]


MITIGATION

In some cases we may be able to mitigate, through a series of creative choices (where possible).

Use information you have on backdoor pathways / communication to mitigate on LAN.

One is mentioned in this example (see video): AMT requires either built-in Intel AMT-capable Ethernet and / or Intel WiFi with an OOB TCP/IP stack, or otherwise an AMT-capable device.

Alternative connection methods can become one of those mitigations.
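
One way to use known AMT communication pathways on the LAN, as an added example (not from the original post or the video): the script reads connection-tracking entries in `conntrack -L` format and lists hosts that something tried to reach on the IANA-registered Intel AMT / ASF management ports (623, 664, 16992-16995). The sample entries, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# IANA-registered Intel AMT / ASF management ports and their service names.
AMT_PORTS = {
    623: "asf-rmcp", 664: "asf-secure-rmcp",
    16992: "amt-soap-http", 16993: "amt-soap-https",
    16994: "amt-redir-tcp", 16995: "amt-redir-tls",
}

# Constructed sample in `conntrack -L` format (not captured from a real network).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.4.23 dst=192.168.4.50 sport=51514 dport=16992 src=192.168.4.50 dst=192.168.4.23 sport=16992 dport=51514 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.4.23 dst=198.51.100.34 sport=40112 dport=443 src=198.51.100.34 dst=192.168.4.1 sport=443 dport=40112 [ASSURED] mark=0 use=1
udp      17 25 src=203.0.113.9 dst=192.168.4.50 sport=40000 dport=623 [UNREPLIED] src=192.168.4.50 dst=203.0.113.9 sport=623 dport=40000 mark=0 use=1
tcp      6 86 SYN_SENT src=192.168.4.77 dst=192.168.4.50 sport=16993 dport=22 [UNREPLIED] src=192.168.4.50 dst=192.168.4.77 sport=22 dport=16993 mark=0 use=1
garbage line that is not a conntrack entry
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Return (proto, src, dst, dport) for the ORIGINAL direction, or None."""
    parts = line.split()
    if not parts or parts[0] not in ("tcp", "udp"):
        return None
    orig = {}
    for key, value in FIELD.findall(line):
        orig.setdefault(key, value)   # first occurrence = original direction
    if not orig.keys() >= {"src", "dst", "dport"} or not orig["dport"].isdigit():
        return None
    return parts[0], orig["src"], orig["dst"], int(orig["dport"])

def amt_flows(text):
    """Map each destination host to the AMT/ASF flows that targeted it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry[3] in AMT_PORTS:   # match destination port only
            proto, src, dst, dport = entry
            hits[dst].add((src, proto, dport, AMT_PORTS[dport]))
    return dict(hits)

if __name__ == "__main__":
    for host, flows in amt_flows(SAMPLE).items():
        for src, proto, dport, name in sorted(flows):
            print(f"{host}: {name} ({proto}/{dport}) reached from {src}")
```

On a Linux-based router the input would be the output of `conntrack -L`; it only covers flows the router itself tracks, so traffic switched directly between wired LAN ports will not appear.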

Another option (depending on the backdoor location, access) would be reflashing (where applicable).

Firmware

More Intel AMT options collected for the community, see: This Post.

Router Advice

I have been asked "what router to get?" Routers play a key role in home / business security. Devices will be guided ("routed") by your router. They can (also) be redirected (maliciously) by a router.

Choose carefully.

On the hardware end: if you aren't DIY, and want something "ready to go", see hardware reviews, search relevant vulnerabilities.

Sometimes a backdoor is not necessarily placed intentionally. It could be as small an operation as the single rogue employee, or a number of outside actor/s between you, and manufacturer.

Also: Watch out for counterfeit routers.

ex: July 2022: Arrest in scheme to sell Cisco Counterfeit routers - Florida Story

"Cisco Partners Sell Fake Routers To Military" Read Story Here

2 projects in the FOSS community are OpenWrt firmware and pfSense (FreeBSD based). Both provide controls for networking (read reviews; do a bit of vulnerability searching on hardware).

TIP: reputable hardware vendors, with strong FOSS community backing are your safest bet when looking at mass manufactured hardware.

(see if they have a forum; look for reviews inside FOSS community)

Or, you can flash one yourself. Either a single board computer, or one supporting OpenWrt firmware / pfSense (see below for offer here)

OPTION: SUPPORTER PIHOLE DNS SERVER WIFI ROUTER "EXTRA" IMG

To those interested in ready to use Raspberry Pi router img (turning it into a more privacy respecting router), offering "Supporter img" Pihole + Unbound DNS Server + WiFi Router (img for RPI).

Shared an earlier copy publicly (with everyone) to celebrate meeting follower goals (may do so again for next follower goal [be sure to follow here: it's free]).

Those who donated (over any period of time) 5 coffees can download custom Pihole privacy router free anytime. Also available to anyone donating via "extras" section.

Yet another way to support 100% independent content here, offering something unique in return as a thanks for your gesture of support.

(img also offered to monthly members of a few months. See details: here)

FEATURES:

  • Web based administration (optional: turn on / off inside boxshell)

  • Firewalling of IntelME/AMT related ports for all WiFi clients (networkwide)

  • Custom menushell to manage various privacy services / settings

  • Custom settings set on first login (get started quickly)

  • fresh keys generated for each router

  • Unbound DNS Server

  • Pihole Adblocking

  • WiFi accesspoint

  • router network identifier changes (can be controlled in boxshell)

  • and more not mentioned


related: Working on improvements to router related img. Sometimes shared with followers as a "surprise", or a "thank you" to regular supporters.


💻 COMPUTER SOLUTIONS

✅ SOLUTION: Coreboot based Linux laptops (US BASED SERVICE) -- service helps support independent content creation here. 📨 contact if you have a question on this service.

If somewhere else in the world, I have listed other options / companies offering such service below.

Now offering (limited availability) Coreboot BIOS Laptops with Intel Management Engine neutered / flashed (US Only at this time) in the "commissions" section.

Come with Linux preinstalled on new encrypted storage (optional), and perfect for Tails / Whonix machines.

Flashing Coreboot / Disable IntelME options avert many potential (mentioned) problems in stock BIOS firmware (ex: Superfish).

📬 Email (Info / Questions)


Share suggestions, by comment, or email.


Have Backdoor Experiences On Hardware / Software?

Share Your Experience In The Comments
