0

I've always been worried about malicious hardware or firmware in off-the-shelf computer equipment (e.g. the malware in particular Lenovo computers that reinstalled itself from the Windows Platform Binary Table), so I try to support projects like Coreboot. That's not always an option unfortunately. But I wonder if there is any wisdom in buying products that have been certified for classified government use. If I see the President or very high-level military staff using a particular laptop or smartphone model, does that mean that model has been thoroughly inspected for malicious firmware? Or does that convey no useful information because hardware approved for classified use is extensively customized for more security?

If I'm right: is there a list of up-to-date approved hardware anywhere online for the public to see?

lightspectra
  • 75
  • 3
  • I don't think you can get those classified items : you may need to acquire special licensed/rights to get them. Just take bullet proof vest as example. – mootmoot Jul 29 '16 at 14:50
  • 1
    I'm far from being an expert, but I guess it wouldn't work very well. AFAIK, the military is able to say that a given hardware is secure because they can somehow check that no one tampered with it at any point of the whole supply chain. Now imagine a shop selling "military-grade" hardware. How can you check that the seller didn't alter the hardware? What about the cleaning crew (they could replace the boxes with identical boxes containing tampered hardware)?Also, see: http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/ – A. Darwin Jul 29 '16 at 14:53
  • It is more technical specific than you think about those classified items. For a long time, it is known that monitor display can leak signal (TEMPEST attack) that allow remote device to capture and replay the screen display. So extra shielding/mitigation device is used. FYI, even a curious cat inquiry for those stuff is enough to put you under NSA surveillance alert. Although criminal cartel with money to spend may get their hand on classified items, but fisherman is everywhere. Stick to your typical mass market device . – mootmoot Jul 29 '16 at 15:12
  • Hardware is not the weak link in the information security chain. – Xander Jul 29 '16 at 15:21
  • @A.Darwin In that case, they advertise it specifically as a COTS device. – forest Jul 30 '18 at 03:05

1 Answers1

0

Government (at least the USG) uses different approaches to hardware and software. For example FIPS: "FIPS is a U.S. government computer security standard used to accredit cryptographic modules" EAL: "Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, ... The EAL level does not measure the security of the system itself, it simply states at what level the system was tested." and other standards. Since you're looking for hardware, I would research FIPS Accredited, and or EAL (vendor search here)

munkeyoto
  • 8,702
  • 17
  • 31