Hardware trust assessment (screen+cable to use with nitroPC)

Hello,

I have an unusual request, not about the nitroproduct I’m interested in (nitroPC) but an accessory I’ll have to get with it, the screen.

I have a problem taxing something as trusted hardware, especially since I became aware that this was an issue: https://theintercept.com/2019/01/24/computer-supply-chain-attacks/ and other related hardware tampering. I have no idea how to provide myself with trusted hardware because none of the companies I checked seem to care, let alone prevent hardware from being compromised. It does not help that I’m not familiar with the technology, so I do not know of the possibilities or their difficulty of implementation. I know that bugged cables were an issue and this seems possible: "in theory the monitor can take data from the video signal and send it to an external attacker" (support told me this in an attempt to help before redirecting me here, but apparently it would be an attack that would be difficult to carry out).

I would tend to think software attacks aren’t an issue since it’s a screen and a way for power to get to the screen, but being unfamiliar with the technology, I cannot exclude it.

Would this be safe? HD MI Mini LCD Controller Board+14" B140HAN01 1920x1080 EDP IPS LCD Screen 601285622606 | eBay (or look for: HD MI Mini LCD Controller Board+14" B140HAN01 1920x1080 EDP IPS LCD Screen on eBay) if I’m right and software isn’t an issue?

Does anyone have a way to have a certified spyware free portable monitor? (It has to be portable since I’m bound to travel)

I am aware this is out of subject, but I’m grateful for all the help I can get, since the safest solution I found so far was to DIY a monitor, and possibly the cable. It’s not a possibility for me at this point. If there is nothing one can safely assume spyware free, is it at least outside the realm of possibles to inject malware to a monitor and make it attack the nitroPC?

Hey @IUsername,

As a disclaimer: Nitrokey as a company does, for good reasons, not whitelist 3rd party products, because this would imply taking responsibility for 3rd party products, which is in general very maintenance intensive and implies various risks.

This being said, consider the following to be from a random internet guy:

  • There is no blueprint on how-to-avoid-being-harmed-by-supply-chain-attacks, especially buying non-assembled components will only marginally improve security, as even the components assembled there are surely supplied by tens (hundreds) of (sub)suppliers.
  • Software attacks can in theory surely start from a screen, check the HDMI standard, it’s full of back-channels, USB 3.1 compatibility and other
  • “certified spyware free monitor” nope, sorry none I am aware of, but personally I would recommend visiting some electronics mall of your choice and buy a screen there (with cash) this at least avoids that some package with your name on it could be intercepted (even though this would require “someone” with a frightening amount of power and money)

Consider this post an opinion!

best

@daringer

How much would reducing the surface of attack benefit? (no speaker function for ex…)

If you know, what would be the smallest possible attack that could compromise the entirety of the data the computer produces? (to know if it’s easy to do during manufacturing and the only possible defense is to stand among the masses like you propose, assuming it’s too demanding to attack this many machines and only the most desirable portions of population to "interdict" are attacked in masses and leave a significant portion of the general people alone, hard to know for sure)

Where do you think the NSA gets its monitors? They must try to protect it from the Chinese somehow and since it’s their monitors, they won’t bug it. At least we get rid of one of the two (Chinese gov.).

Thanks for your answer it helps in my dilemma. I’m not certain yet, but perhaps I’ll switch and buy the nitroPad instead. Given how much time I spend on a computer it could be a bit tough for ergonomics though.
