I often refer to Purism as a company that sits on a three-legged stool of freedom, privacy and security. I’ve even written posts in the past about how those concepts all fit together. While Purism focuses on all of these categories at the same time, we have an incredibly diverse customer base from many different walks of life and often our customers care more about one of the categories than the others. This means that sometimes we offer features or advancements that appeal only to a segment of our overall customer base.
For instance, customers who prioritize freedom might buy a Librem laptop because of the FSF endorsement of PureOS, the coreboot firmware, or our careful selection of hardware that can run on free software drivers. Customers who prioritize privacy might buy a Librem laptop because of the hardware kill switches or our commitment to privacy in our Social Purpose Corporation charter. Customers who prioritize security might pick us for our hardware kill switches, the fact we disable and neutralize the Management Engine by default, because of our PureBoot tamper-evident firmware, how we protect our supply chain, or because of how well our hardware runs QubesOS.
In this post I’m going to elaborate on a service we’ve offered for quite some time, but haven’t publicized much, that will be of particular interest to security-focused customers–our anti-interdiction service. This is a custom add-on service we have provided in the past to high-risk customers who are especially concerned about detecting any tampering with their hardware during shipment. Up until now you had to request this service explicitly to get details but starting today we are listing it as an additional upgrade you can add to any laptop order.
The word interdiction in our context refers to a laptop being intercepted between the time it leaves our fulfillment center and the time you receive and open the box. The goal of the attacker is to implant malicious hardware or software, often to give them a remote backdoor into the system, without the recipient knowing. While this may seem far-fetched, and it’s certainly not something every Purism customer needs to worry about, there is precedent for these concerns for certain high-risk customers. While the most famous example might be the NSA interdiction of network hardware as part of the Snowden revelations, there are similar concerns for other governments as well.
Of course you don’t have to be targeted by a nation state to be at risk of interdiction. Hardware kill switches don’t just protect you from a nation state that might snoop on your webcam and microphone, but also a random hacker or a vengeful ex who might install a Remote Access Trojan on your system to snoop on and extort you. Likewise, anyone along the shipping route from a customs official to a delivery person or even someone at the destination like a malicious neighbor or vindictive ex might be motivated to install spyware on your system.
The goal with our anti-interdiction services isn’t to make it impossible for any adversary regardless of their capabilities from interdicting your laptop, and we don’t claim to prevent interdiction. What we offer instead is a way to detect interdiction–a set of measures custom-tailored to you and your threat that should make the job of interdicting your laptop without your knowledge much more difficult and your laptop much safer than with the normal shipping process. While some of the individual measures have countermeasures, the idea is that in aggregate (and customized for each individual) these measures become increasingly more difficult to defeat. A customs official who isn’t looking to implant anything may not care about arousing suspicion–they may just cut through tamper-evident seals–but someone who wants to modify your laptop does care about leaving a trace. For them, failure to defeat all of the measures risks alerting you to the tampering.
Because the anti-interdiction services aim to detect tampering, not prevent tampering, we don’t offer a refund if someone does tamper with your laptop in shipment since that’s something outside of our control. If a shipment is tampered with, however, the anti-interdiction process will help us determine what was tampered with and we can work with you to bring the laptop back to a from-the-factory state.
Our anti-interdiction process started relatively simply at first and continues to evolve and improve over time. As I mentioned, we customize the process for each customer based on their risk and their own capabilities, and this service ends up requiring a lot of back-and-forth between us and a customer as we pick which measures we’ll use and which we won’t. Some options include:
While the above measures are focused on detecting hardware tampering, now that we offer the PureBoot Bundle which configures a laptop and Librem Key with our tamper-evident PureBoot firmware at the factory, we now add some advanced software-based tamper-detection to anti-interdiction including:
It would be great to offer this kind of protection to each order, but as you can see these anti-interdiction measures require a lot of customization and additional work at our fulfillment center as well as a lot of back-and-forth coordination with each customer so it’s not feasible to make it the default at this point. For the customers who face these kinds of threats the extra protection, effort and cost is worth it. Even if you don’t face threats at these levels, you may still be interested in the PureBoot Bundle which offers some of the protection without the additional effort and cost of full anti-interdiction services.
To add anti-interdiction to your laptop order, select PureBoot Bundle Anti-Interdiction for your firmware option when you customize your Librem 13 or Librem 15 order. As we get feedback from customers and the state of the art with tamper detection improves, we will continue to adjust and add new measures to our anti-interdiction service. If you have ideas on how to enhance our anti-interdiction measures even further please let us know!