Date: Mon, 11 Nov 2024 21:36:10 +0000
From: s3nsor
To: misc@openbsd.org
Subject: A story about OpenBSD being compromised

As a public service, I feel I should share my experiences over the past month or so. I live in the United States, in the middle of the country in a moderately sized city.

Six months ago I purchased a new Lenovo E16 Gen 1 laptop from Micro Center. On the first boot, I booted OpenBSD media and overwrote the disk with random data. Then I installed OpenBSD 7.5 with full disk encryption using a key disk. After installing the OS, I locked down the UEFI settings, disabling Bluetooth, disabling always-on USB, UEFI rollback, etc. I configured a boot password and system admin password for the UEFI. I downloaded syspatch and firmware packages over Tor using TAILS on a Puri.sm laptop with read-only coreboot. After installing syspatches and firmware, the E16 was air gapped. The E16 was never connected to a network of any kind. All network interfaces were configured to be down. Pf was configured to drop all packets. Base package, X11, and man pages were installed. I was running X by default. I set up a VM in its own routing domain and configured SSH access into the routing domain in pf. I installed the compiler for coding on the VM. All my code is kept on the VM. No other packages were installed.

A month ago, I was at Starbucks waiting to pick up my son for dinner. I had my laptop plugged into the A/C outlet to charge the battery. An older Jewish gentleman came and asked me to plug his laptop into the outlet for him. I obliged, but disconnected my power adapter. To which he said in a disappointing tone, "your plug fell out". I said, "yup". The next time I was waiting at the Starbucks, two days later, another older Jewish man came and asked to plug in. I again disconnected my power adapter before plugging his in. A week goes by. One day at the Starbucks, I'm facing the other direction to avoid glare while I was working. And I'd plugged my power adapter into the A b/c there was no one in the coffee shop but me and the baristas. After a few hours of being engrossed in my work, I look up from my work to find an older Jewish man had plugged into the same outlet as me. I'm specifically calling these 3 gentlemen Jewish b/c I think it's an important detail.

During the past month, I began to notice suspicious characters at coffee shops I frequent. Military types using two laptops simultaneously. People I've never seen around before, etc. Finally, Tuesday of last week, there was a college-aged Asian woman at my usual Starbucks. Probably Chinese, but I can't be sure. I'm a regular and I've never seen her before. She was on a cellphone, not scrolling like normal people, but doing a lot of typing. I think nothing of it at the time. Thursday, at the same Starbucks, the young Asian woman is there again. I think nothing of it, until a husky older gentleman comes in and asks to sit at her table and plug into the power outlet which she is plugged into. After the gentleman sits and begins using his phone, the Asian woman jumps up and leaves abruptly. On this day, I was not plugged into the power outlet; I was running off battery.

Coincidentally, almost simultaneously with the Asian woman leaving, I needed another session on my VM, so I run the command to connect and the xterm window disappears. I open another xterm, run the command and it disappears. I do it a third time. It disappears. It's then I realize this is exactly the behavior you get when pledge/unveil are violated. So I know at that instant, my machine is compromised.

I wiped the data from the hard drive. I think perhaps updating the UEFI would be a good way of eliminating a possible rootkit. I download the latest UEFI update ISO from Lenovo (over Tor). I reset the UEFI to factory defaults, and attempt to boot to the upgrade CD after disabling secure boot. The machine refuses to boot the CD. This makes me believe the UEFI is in fact rooted, because I've booted from a CD image on the machine once before.

Here's how I think the compromise went down. Attackers initially used A/C power to connect to IME. With a connection to IME, I speculate they were able to drive either Bluetooth, Wi-Fi, or both. With better connectivity, I speculate they rooted the UEFI. From there, they were able to gain some kind of access to processes on the OS. Which is why my command to connect to my VM instance failed, taking xterm with it.

Why am I sharing this story? Particularly, b/c it's largely anecdotal and based on my observations and not data. Frankly, I'm frustrated. I'm an honest man. I live a quiet life. I'm not a criminal or a spy. And yet I feel as though I've been targeted by adversaries with apparent nation state capabilities. Why? There are no answers. Beyond my frustration, I feel deeply violated. I run OpenBSD b/c it has the best manual pages, and I care about privacy. The code I'm working on is unimportant, except to me, to help me cope with the chaos of the world around me. By violating my privacy they're stealing my peace of mind, and it's wrong. And I can't stop them. I'm sharing hoping others can learn from my misfortune, and in their learning I hope it makes my adversaries' jobs harder going forward.