Home

The Problem with Purism

Purism is a software development and hardware development company. They specialize in making open source hardware and software. They claim they are a security company as well. However, all of their computers run on Linux and their phone has an unlocked bootloader. This is a giant security hole as anyone with root access can completely reflash the bootloader with a bootkit. All the user has to do is install a malicious package, they don't even have to run it. Because of how debian's dpkg works, .deb files can write to any file in the entire filesystem, including the kernel. So much for secure. Another way security can be compromised is with a shell command creating a malicious execuable called apt changing the $PATH in .profile to point to this malicious file. This means that whenever a update is preformed, the malicious executable is executed instead of the legitimate apt executable, providing the malicious executable with root access as apt is ran as root.