
I recently bought a new laptop.

If you read the news you must've noticed the Vault 6 and Vault 7 leaks (from Wikileaks), which contain rootkits that sit in your hard drive firmware, MBR and other hidden partitions. Since it's out in the open, not only state actors should be able to make such hard-to-get-rid-of malware.

How do I check the integrity (checksums or similar) and secure the firmware on my hardware components (Hard Drive, Motherboard, SSD, USB Hub etc etc)?

Sir Muffington

2 Answers


Verifying the absence of something is much harder than verifying the presence of something.

This statement holds true in many things, information security included.

About your threat model...

One central aspect of information security is your threat model, a.k.a. "What are you trying to defend yourself from?" Since you specifically mentioned Vault 6 and Vault 7, I am going to assume that your threat model is a Three-Letter-Agency (or MI\d, if you fancy so).

With such a threat, you again have to make a choice. Do you think you are personally being targeted, or do you worry about mass surveillance?

I worry about mass surveillance

In the eyes of the TLA's, you're a nobody. You're John Smith, completely unremarkable. You may assume that institutions like the NSA, CIA or ţ͟͡͝h̵̛͢͡é̕ ̷̷̕͡O̴̶n̷e͜͡ ̧̨̛͟w̡h͟͠͞͏͟o̵̷̵͘͟ ̵̵͢͟͞W̵̛a̷҉̨t̵͢ć̷̴̶͢h̢̛͢͟e̵̴̛͢͟s̡̛͜͡ have infinite budgets to insert custom hardware into every single laptop being sold, but such a thing would not really be feasible from their perspective.

Why so? Because contrary to popular belief, these agencies don't particularly care who you voted for, what YouTube videos you watch or if you download pirated music. These agencies care about threats to their nations, or about information that could further their nation's interest.

Unless you fall into one of those targets, all the information these agencies collect about you is information they can easily gather and process.

This likely includes whom you talk to, what websites you go to, and a bunch more things that none of us are aware of. Why so? Because these kinds of information can easily be gathered at a single point: a TelCo company, an ISP, etc.

No need to put a chip in every single smartphone sold, if all you have to do is put some machines into Room 641A. Much cheaper, much more effective.

Furthermore, imagine if a TLA had a keylogger installed in every single computer ever sold. The amount of data the TLA would have to process is so immense, that any meaningful and relevant information there was to be gathered would immediately be lost in the immense noise generated by millions and millions of users typing away at their keyboard.

So as a result, I would not really be worried about it. Most of the web is moving to HTTPS-only anyways, so the widespread adoption of HTTPS in recent years has helped a lot.

I am personally targeted

Oh boy, the hand you have been dealt doesn't look good. I don't know why you are targeted - perhaps you are a journalist in a repressive regime - but if you personally are on the list of a Three-Letter-Agency, then things look really really bad.

First of all, a TLA is far more likely to invest a considerable amount of money into watching you than they are to watch John Smith from the last section. This means that you will have to act as if you were John Smith.

For instance, don't buy a laptop on Amazon and have it shipped to your home address. It could be intercepted, have some rootkit implanted and then have it shipped to you in 2+ business days.

Instead, buy a laptop in a large electronics store away from your home address. These stores get quite the amount of hardware, and inserting backdoors into every laptop sold within 100 km of your home residence is a task that asks for quite a considerable amount of financial investment - and even then it's not certain that you - their target - will even buy one of them.

The same goes for individual components, as far as they are user-interchangeable. You can buy your own SSD, HDD, optical drive, etc. somewhere in the middle of nowhere. The chance that this specific piece of hardware is backdoored is rather slim.

Of course, this isn't the whole story. OpSec is a huge field and I am barely scratching the surface.

What about checking the firmware of hardware I already own?

Basically an impossible task. You would have to have the hardware to dump the firmware of your device, and then have the means to analyze every single instruction in this firmware. Furthermore, you would have to check the schematics of the hardware, and then analyze every chip on the hardware to ensure that there isn't some hidden logic in one of them.

The reason why it's not so simple as just checking the hashsum of the firmware is because you have nothing to compare it to. You can check if the firmware you dumped is the same as the firmware offered for download by the vendor - but how do you know that that firmware also isn't backdoored?

Even if you had the source code, how can you be sure that the compiler used to compile that source code didn't insert a backdoor? How can you be sure that the disassembler you used to view it didn't silently remove the backdoor? How can you be sure that the text editor you used to look at the source code didn't silently hide the backdoor?

It may sound like tinfoil hat talk, but we're talking about targeted attacks by a Three-Letter-Agency. Tinfoil hats are the only appropriate headgear to wear.

  • Well, I already mentioned that I'm afraid of third-party non-government malicious actors, whose goal is NOT their national security, but rather gathering as much information as possible. – Sir Muffington Aug 12 '19 at 13:39
  • The point still stands: gathering as much information as possible isn't feasible. You need to have some kind of metric to judge what information you want and what you don't want. E.g. the WASD input from a match of CS:GO is likely not interesting to you. So you need some kind of filter to see what you are interested in, and what you are not interested in. –  Aug 12 '19 at 13:50
  • Today storage is dirt cheap and filtering can be done after gathering information. Don't quite see how it relates to the question. – Sir Muffington Aug 12 '19 at 19:15
  • @SirMuffington Because filtering becomes prohibitively more difficult, the worse your Signal-to-Noise ratio is. Imagine you had 1 Megabyte worth of "Signal". Would you rather filter it out of 100 Gigabyte of noise, or out of 13 Petabyte of noise? –  Aug 13 '19 at 10:26
  • It depends more on the quality of the data than on the amount. We have machine learning, AI nowadays... Sometimes finding simple queries is enough. – Sir Muffington Aug 13 '19 at 20:55
  • @SirMuffington Well, I can only tell you things from my perspective. If you choose to believe otherwise, there's nothing I can do. –  Aug 14 '19 at 07:10

Assuming you want to check the integrity i.e. that the device firmware has not been tampered with after you purchased it:

Dump the firmware of the device after you have bought it. This depends on the device. For BIOS chips an SPI reader is usually enough; some hard drives and USB devices use similar chips for storing (parts of) their firmware. SSDs and USB drives store their firmware in most cases on the NAND flash. You would need to read the NAND directly, which usually requires desoldering, or try JTAG. I'm not aware of any public commands that can dump the firmware (only upload it); maybe you can find some by reverse engineering.

Be aware that some firmware will change naturally over time and writes to the chip itself, like changed config, attached devices, ... So don't worry too much at first when the checksum does not match the previous one. You would need to take a closer look.

For "securing" the firmware you could try to write-protect the chips (WP pin).

usualguy
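The second answer's procedure (dump the firmware once as a baseline, dump it again later, and look closer when the checksum differs because config areas change naturally) and the first answer's point that a whole-image hashsum alone tells you nothing about where or why the image changed can be made concrete. The following is an added example and not code from either answer or from any vendor tool: it compares two dumps region by region against a flash layout. The layout (`descriptor`, `code`, `nvram`), the region offsets, the choice of `nvram` as the region expected to drift, and the sample dumps are all constructed for the illustration; on a real board the region map comes from the vendor documentation or from a layout file such as those used with flashrom, and the dumps come from your SPI reader.

```python
import hashlib
from typing import Dict, List, Tuple

Layout = Dict[str, Tuple[int, int]]

# Hypothetical region map for a 4 KiB SPI image, constructed for this example.
# A real board's map comes from the vendor or a tool's layout file; the
# offsets here are [start, end) byte ranges.
LAYOUT: Layout = {
    "descriptor": (0x000, 0x100),
    "code":       (0x100, 0xC00),
    "nvram":      (0xC00, 0x1000),  # config/variable store: expected to change in use
}
VOLATILE_REGIONS = {"nvram"}  # regions whose contents legitimately drift over time


def sha256_hex(data: bytes) -> str:
    """Whole-image hash: enough to say 'changed', not enough to say where or why."""
    return hashlib.sha256(data).hexdigest()


def fill_gaps(layout: Layout, size: int) -> Layout:
    """Return the layout plus 'unmapped_<offset>' entries for every byte range it
    does not cover, so bytes outside the known regions are compared, not skipped."""
    full = dict(layout)
    cursor = 0
    for _name, (start, end) in sorted(layout.items(), key=lambda kv: kv[1][0]):
        if start > cursor:
            full[f"unmapped_{cursor:#x}"] = (cursor, start)
        cursor = max(cursor, end)
    if cursor < size:
        full[f"unmapped_{cursor:#x}"] = (cursor, size)
    return full


def differing_blocks(a: bytes, b: bytes, block_size: int = 64) -> List[Tuple[int, int]]:
    """Block-aligned [start, end) ranges (relative to the slices) where a and b differ;
    adjacent differing blocks are merged into one range."""
    ranges: List[Tuple[int, int]] = []
    for off in range(0, len(a), block_size):
        if a[off:off + block_size] != b[off:off + block_size]:
            end = min(off + block_size, len(a))
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)
            else:
                ranges.append((off, end))
    return ranges


def compare_dumps(baseline: bytes, current: bytes, layout: Layout = LAYOUT,
                  volatile=VOLATILE_REGIONS) -> dict:
    """Compare a later dump against the baseline dump region by region."""
    if len(baseline) != len(current):
        raise ValueError(f"image sizes differ: {len(baseline)} vs {len(current)}")
    changed: Dict[str, List[Tuple[int, int]]] = {}
    for name, (start, end) in fill_gaps(layout, len(baseline)).items():
        a, b = baseline[start:end], current[start:end]
        if a != b:
            changed[name] = [(start + s, start + e) for s, e in differing_blocks(a, b)]
    return {
        "baseline_sha256": sha256_hex(baseline),
        "current_sha256": sha256_hex(current),
        "changed_regions": changed,
        # changes outside the regions that are expected to drift warrant a closer look
        "suspicious_regions": sorted(n for n in changed if n not in volatile),
    }


# Constructed sample dumps (not real firmware): a deterministic byte pattern,
# one copy with a few NVRAM bytes rewritten, one with a few code bytes rewritten.
BASELINE = bytes((i * 7 + 3) & 0xFF for i in range(0x1000))
_benign = bytearray(BASELINE)
_benign[0xC10:0xC20] = b"\x00" * 16
CURRENT_BENIGN = bytes(_benign)
_tampered = bytearray(BASELINE)
_tampered[0x500:0x510] = b"\x90" * 16
CURRENT_TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for label, dump in (("benign", CURRENT_BENIGN), ("tampered", CURRENT_TAMPERED)):
        report = compare_dumps(BASELINE, dump)
        print(label, "changed:", report["changed_regions"],
              "suspicious:", report["suspicious_regions"])
```

Both sample dumps fail a plain SHA-256 comparison against the baseline, which is exactly the situation the answer warns about. The per-region view separates them: the first only touches the `nvram` region that is expected to drift, the second touches `code` and is flagged for a closer look. Ranges outside the known layout are reported as `unmapped_...` rather than ignored, so an incomplete region map cannot hide a change. As the first answer notes, none of this says anything about whether the baseline itself was clean; it only detects change relative to the state you recorded right after purchase.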