Overcoming man-in-the-middle attacks focused on the path from the initial supplier to the end-user, as well as other trust issues, regarding 96 Boards units

Hello,

I’m very new to 96 Boards. I was advised to look into these products by an individual who posted to a Raspberry Pi forum topic I started. The Pi topic was in respect of establishing “secure computing” for business purposes (see the forum topic posts here).

I’m looking for a “Raspberry Pi”-type computer, because of the security advantages I perceive to be present in Pi computers. After learning about the closed-source blobs in the Pi firmware and/or OS, and being advised about the beneficial open-source nature of your products, I gradually started thinking that a 96 Boards product might be better.

The thing that is stopping me, is trust. Some of the trust I have in the Rasp Pi products is due to their wide use, and their likely easy availability from physical stores. I’m not sure whether the same holds true with the 96 Boards products.

It being likely possible to pick randomly one Rasp Pi unit from amongst others on a physical shelf whilst visiting a physical store, and whilst at all times making sure the unit doesn’t get replaced with another hoax kind of unit, according to my thoughts, helps to overcome the MITM attacks described in this topic’s title. See more about these thoughts published here.

I’m wondering whether perhaps I can physically visit the “home” of 96 Boards in Cambridge, and get one of their units “straight from source”, and so to some extent overcome such MITM attacks. Does anyone know whether this is possible?

But even if I did that, how can I arrive at some level of confidence where I’m confident that the hardware and software likely has no backdoors and/or other kinds of “maltech”? Could anyone perhaps help me to figure out how I might arrive at such confidence? I suppose I can download photos of how the units look, and do some visual comparison to make sure what I have looks like what it should be. But 96 Boards seems relatively unknown, and so could their units perhaps use obscure chips that have backdoors, that simply wouldn’t be present if “well-known” and commonly-used chips were used? What about trusting 96 Boards themselves? What if they are an outfit front for the government intelligence services, and are placing backdoors in their products (see the Crypto AG scandal on Wikipedia)?

Please don’t take any offence regarding these comments. I’m just trying to reach that confidence level that will enable me not to have security concerns over these products, and I’m sure people will understand the legitimacy of general users trying to do the same.

Thanks,

Mark F

You are presenting a lot of misconceptions about what 96boards is.

First of all, 96boards is NOT a hardware manufacture. 96boards is a set of SPECIFICATIONS, for which different manufacturers can build their own boards. The idea here is to ensure compatibility between boards made by different manufacturers in a common application.

For example, if someone builds a mezzanine board working with one SBC, and sells it to someone using a different SBC, then you can have a fairly high degree of confidence that the mezzanine board will be compatible, signal wise.

So if you want to build confidence in the board, you do NOT need to be confident in 96boards as a secure manufacturer, but rather you have to be confident in the specific board you are selecting and its manufacturer. For instance, the dragonboard 410c and 820c are manufactured and distributed by Arrow Electronics. I personally have a high degree of confidence in Arrow as a manufacturer and distributor.

On the other hand, all of the “Hikey” boards (I believe that only the 970 is still in production) are products of Huawei, which is a vendor now on a lot of blacklists due to suspicion of spying for the PRC. While I’m not going to say anything about my views on that situation, it may be enough to taint a lot of people’s views against those boards.

However, there are some points that could push even those two manufacturers towards the other end of the spectrum. For instance, qualcomm bootloaders are closed source, whereas the hikey boards can boot on open source bootloaders (though they also provide closed source bootloaders). Are you more confident in the security of qualcomm bootloaders than the potential for secret hardware doing who knows what?

If you want to know about the hardware on each of the boards, for the most part, schematics are provided. If you want to be confident in the security of the software, build it from source.

You want to compare 96boards to raspberry pi? Its hard. Totally different user base. You’ll find more professional users on 96boards, and more children on raspberry pi (which is expected given their childhood education focus). 96boards has standardized layouts and interfaces, which provides you with confidence that the next new board will still be compatible. While despite having stuck with a fairly consistent layout and interface for a few iterations, raspberry pi does not – could be totally different next time around.

On raspberry pi, you also can’t even have confidence that a peripheral that is compatible with a genuine raspberry pi will work when plugged into a knockoff like a rockpi4. This is very different with 96boards, which ensures that boards from different vendors WILL be compatible.

Anyway, I don’t buy the whole fear of ordering something online bit. You don’t need to go to a physical store to know you’re getting the genuine article. Order a board from Arrow, and it comes from their warehouse (and they are the manufacturer) to your door by UPS or Fedex. If there are knockoffs in their warehouse, then a store is even MORE likely to be tainted.

1 Like

Hello doitright,

Thanks for correcting the misconceptions in the original post.

Thanks also for the information on what a person might want to consider, security-wise, when making purchases of computer systems. Quite useful.

Regarding your last paragraph, about knowing you’re getting the genuine article when ordering online, could you perhaps elaborate a little. What exactly is it that makes you confident that such a delivery from Arrow is the genuine article? Is it that you believe the UPS and Fedex delivery services can’t be compromised with MITM attacks?

Thanks,

Mark F

Suspecting that a delivery path like that would be compromised in a manner that would allow someone to substitute a specific and uncommon product with a convincing knockoff is ludicrous and paranoid. Consider what it would take to accomplish that! They would have to know the package contents in advance of the delivery, arrange to obtain a convincing knockoff, arrange to be in a position to intercept it, and switch it out. You’re at greater risk of being hit by a meteor in the next 5 minutes.

2 Likes

Well I appreciate your thoughts, even if I don’t agree with all of them. It’s often good to get contrasting views.

The manufacturers of the Purism product are actually taking such threats seriously, and they don’t seem to think it’s that far-fetched; see here.

Government intelligence services work full-time at their jobs as stable entities. Leaving aside any ethical qualms, if I were leading their services, I would probably get staff to build knock-off products for every product available apart from those that are exceedingly rare, just in case any one of them were ever needed. And that’s just the government entities.

Knowing package contents in advance could be easy. It might be done through interception of emails, phone calls, people working on the inside for you, etc.

Compromising the UPS and Fedex delivery services might be more tricky. But as for the standard delivery services, I can easily believe they could be compromised.

Looking at this in more detail, as already touched upon, I don’t know so much about 96 Boards, their services/products, and the manufacturers that fulfil their design specs. One of the major issues of concern is that an adversary could overwrite previous firmware with compromised firmware. Such compromises perhaps wouldn’t so much constitute knock-off products. I don’t know how you deal with firmware. Have you ever considered reinstalling firmware with a USB programmer (just in case)? I’m slightly worried that “in-built” firmware updating systems aren’t capable of removing pre-existing malware… and that instead the chips probably ought to be wiped, or that fresh chips should perhaps be used, at least in some cases.

Anyway, it’s good to get a clash of opinion (at least in this case).

Thanks,

Mark F.

I’m really not wanting to go down this rabbit hole. Nothing useful or good will come of it.

If you are worried about somebody installing untested software on the device, just reinstall it yourself. Most boards have a recovery process that will overwrite everything. For example; https://www.96boards.org/documentation/consumer/dragonboard/dragonboard820c/installation/board-recovery.md.html

2 Likes