75
submitted 4 months ago by blobjim@hexbear.net to c/technology@hexbear.net

The US is trying to do to TP-Link what they did to Huawei. Even though, as the article mentions, TP-Link devices have a US-based supply chain and are manufactured in Vietnam. This is literally just the US not allowing China to own any value-added consumer-facing products in the US.

[-] will_a113@lemmy.ml 10 points 4 months ago

I'm not ready to buy into all of the hype; however, the scary thing about such a supply-chain hack is that it could potentially be deep in the firmware or even the hardware itself. I have a couple of TP-Link devices flashed with OpenWrt, but even that wouldn't necessarily be enough to stop a really dedicated bad actor. If TP-Link or some state actor working with them wanted to, they could certainly still have hidden hardware tweaks that would let them brick the device with a well-crafted packet or the like. Taking it over for some botnet or spying purpose would be harder but not out of the question. Bottom line, if you can't trust the hardware itself, you can't trust anything happening on the hardware either.

[-] wizardbeard@lemmy.dbzer0.com 10 points 4 months ago* (last edited 4 months ago)

I think the problem here is that an entirely US-based supply chain doesn't solve this problem, which is the justification being made for potentially banning these devices. We would require a massive overhaul of the electronics manufacturing process to eliminate all chance for these sorts of hypothetical backdoors.

[-] will_a113@lemmy.ml 5 points 4 months ago

Well, an entirely US supply-chain means that the US gets to potentially backdoor the devices, not China, and that sort of argument does well these days :)

And honestly the "telemetry" that most vendors already send back with our full knowledge is barely a step away from this anyway.

[-] TrashGoblin@hexbear.net 1 points 4 months ago

> Bottom line, if you can't trust the hardware itself, you can't trust anything happening on the hardware either.

True, but where are you going to find trustworthy hardware? The US is at least as likely to backdoor hardware as China.

I've got a TP-Link router, and my main gripe is that it doesn't do NAT hairpinning, which limits the value of a VPN to my home network.

[-] Empricorn@feddit.nl 1 points 4 months ago* (last edited 4 months ago)

I'm not convinced either way. But do you know how much notoriety would come out of proving a massive malware campaign in a major, worldwide brand!? I have a hard time believing the talented, security-minded people checking these devices out have all missed something, every single time. It would take one proven example to tank the entire brand and then it's not even a viable malware distributor, much less profitable...

this post was submitted on 02 Jan 2025
75 points (98.7% liked)
