2. Infection is still possible in plenty of unencrypted/unauthenticated software residing in the machine, such as BIOS, network firmware and potential backdoors such as Intel's AMT/ME.
+3. The USB stick itself is not a static device: it's has a built-in processor for wear-levelling that could be exploited to present to your computer a compromised kernel or initramfs ([BadUSB attacks](https://links.fluxo.info/tags/badusb)).
+
### Additional mitigations
3. For physical attempts to tamper with your bare metal, you might try to protect and monitor your perimeter.
-4. From inside threats such as preloaded backdoors in the hardware, the best you can do is to look for open hardware and try to build stuff yourself :P
+4. From inside threats such as preloaded backdoors in the hardware, the best you can do is to look for laboratory audits and build and use open hardware.
- Check your boot using something like [anti-evil-maid](http://theinvisiblethings.blogspot.com.br/2011/09/anti-evil-maid.html) ([repository](https://github.com/QubesOS/qubes-antievilmaid)), [smartmonster](https://git.fluxo.info/smartmonster) ([original repository](https://github.com/ioerror/smartmonster)) or [chkboot](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#chkboot).
projects / bootless.git / commitdiff