Hector Martin

So @bunniestudios & Limor @adafruit, is this bullshit?https://twitter.com/dragosr/status/1001114342958317568 …

Given where his parents are coming from, @dragosr's concerns are legitimate: https://en.wikipedia.org/wiki/The_Thing_(listening_device) … but can be disproven.

Again, compromise is certain (extra consoles on ttyAMA0, new systemd slices that sandbox users and leave some system components unconfigurable, nfs mounts on machines with no net hardware, funny kernel modules you can’t touch, and oh so much more fun), just need to explain how.

“Trivial” heh. See earlier posts about flash controllers. This is how advanced malware spreads. IT guy takes his favourite memory stick with his OS install and puts it a compromised machine to reinstall. Instead now it becomes the way every new computer in the company gets owned.

So... use something else? Dump the filesystem over the network? XMODEM it out the serial port? There are endless ways to gather evidence safely; it's nigh impossible to "cover everything" for the malware. No implant, no matter how sophisticated, magically counters everything.

If there are as many indicators of compromise as you claim (and it's not just you misinterpreting totally normal stuff), then the malware is shoddy and clearly not designed for stealth. So show us some of them.

FWIW: if I were a three-letter agency designing a Raspberry Pi implant, it would live in the VideoCore firmware blob that rules the system from the shadows and be completely invisible to Linux. And I wouldn't be leaving behind "systemd slices that sandbox users".

and yet paradoxically, this attacker seems to have dispensed with stealth altogether here. I have so many IOCs it’s not funny, so I get the impression this is more about stopping extraction of the samples I do have.