11

Recently I got into an exchange with someone on social media about the security of Linux versus OSX and Windows. I stated that it is possible (and probable) that someone could code a low-level back door (or whatever pesky malware they desire), and put it into the open source Linux code they downloaded, as well as add all of the proprietary software that Ubuntu has; compile it to an ISO and label it as “UbuNtU”. This new ISO would install an OS that would look and feel like the real Ubuntu; however, it would have a back door that nobody could see. This would require a faked checksum as well, but that is somewhat besides the point because it can be faked too. (Also, the user might just be given a USB from a trusted source with the fake ISO.) My question is straightforward: could somebody create a fake Ubuntu with a back door by compiling the open source software into an ISO and labeling it as “UbUnTu”? I would also like to add that this can be done with OSX and Windows; however, it would be much more difficult due to the fact that neither of these are open source!

I strongly believe that open source software is more vulnerable to hackers point blank!

20
  • 25
    There is nothing about open-source software that makes it "easier to hack". On the contrary, having more people look at your code means it's more likely that someone will identify an issue.
    – user163495
    Commented Aug 19, 2021 at 11:48
  • 19
    "This would require a faked checksum as well, but that is somewhat besides the point because it can be faked too." - Really? How?
    – marcelm
    Commented Aug 19, 2021 at 18:43
  • 10
    "however [faking OSX and Windows images] would be much more difficult due to the fact that neither of these are open source" -- that is not at all true.
    Commented Aug 19, 2021 at 19:19
  • 25
    What is the relevance of the differently capitalised name (UbuNtu, UbUnTu, etc.)? If you're going to create a malicious ISO, why would you want its appearance to deviate in any way from the original?
    Commented Aug 19, 2021 at 19:40
  • 11
    Your question is: "Can I put malware on a CD?" I mean, yeah, duh. Obviously. "Ubuntu" has nothing to do with the answer. You can create a fake malicious anything.
    – Boann
    Commented Aug 20, 2021 at 13:03

7 Answers

66

Whether an OS is open source or not is not the important factor in whether someone could build a malicious installer image.

Recent versions of Windows use a technique based on WIM images, which can be generated from existing Windows installations just like backup software creates an image. Therefore it is pretty easy to generate a malicious Windows image: just capture an existing Windows installation that has been prepared with malware.

The same is true for Linux-based OSes like Ubuntu.

Therefore, no matter what OS you install, it is important to only use installer or ISO images that are downloaded directly from a trusted source over a secure channel like HTTPS (usually directly from the manufacturer), or alternatively images whose authenticity you can verify, e.g. using a GPG signature.

11
  • 29
    It's pretty easy to inject drivers into a WIM image. If you can inject drivers, it'd be easy to inject anything. Is this easier than mangling an Ubuntu image? It's probably about the same difficulty actually.
    – user10489
    Commented Aug 19, 2021 at 1:37
  • 16
    On a side note, Microsoft has recently removed a lot of installation image downloads from their website, so despite having a valid key you might have to resort to shady sources to get your DVD image. One could argue this makes Windows actually more susceptible to such an attack.
    – AndreKR
    Commented Aug 19, 2021 at 14:14
  • 1
    @AndreKR There is (was) a perfectly legal tool by Microsoft for creating installation media that will download and create either an ISO or an installation flash drive of W10 in several different versions.
    – mishan
    Commented Aug 19, 2021 at 19:37
  • 3
    @AndreKR So, the reason there are no openly advertised ISO locations for download is that there is this tool that automates that process that is the "official way" of getting ISO and creating installation media. If you just google you will get to the several support pages that will navigate you to it. Sadly, any support by Microsoft is a bloated jungle that is unreasonably hard to navigate full of outdated information, redundant information written slightly differently, and pages that are just boilerplate and absolutely useless.
    – mishan
    Commented Aug 19, 2021 at 19:46
  • 1
    @mishan If you click for example Windows 7 on that website, you'll get... well, I'm not sure, maybe there is a link somewhere there, but I don't see it.
    – AndreKR
    Commented Aug 19, 2021 at 23:24
31

First of all:

This would require a faked checksum as well, but that is somewhat besides the point because it can be faked too.

What do you mean by faked? If the user checks the checksum against the one provided on the distribution's official page, the attempt is instantly foiled because the checksum will be different. There's no way around that (of course except for finding a hash collision but... good luck with that).

Moving on, as most answers already stated, the attack you describe is certainly very feasible and has been done! But it has been done regardless of whether the software is open-source or closed-source. I mean, if you believe otherwise, go ahead and download/install a Windows ISO from a site other than Microsoft's and see how safe you feel. Not to mention the countless examples of malware-infested pirated software which is proprietary.

In fact, I can make a pretty good counterpoint: open-source software is free so there's no need to pirate it or download it from shady sources. Meanwhile, proprietary software is often pirated meaning it has much higher potential to cause malware infections.

To summarise, it may be marginally easier to patch an Ubuntu ISO than a Windows ISO. But it'll be thousands of times easier to infect someone with the pirated Windows ISO than the Ubuntu one, because anyone can download Ubuntu for free so they have no reason to trust you.

10
  • 1
    "If the user checks the checksum against the one provided on the distribution's official page, the attempt is instantly foiled because the checksum will be different. There's no way around that" - how do you know you're definitely on the distribution's official page?
    Commented Aug 19, 2021 at 19:45
  • 8
    @JonBentley Like anything else, you have to trust something initially, and then 'bootstrap' trust about other things. Ideally, you'd already know the official page/site for a given distribution (and then trust that it hasn't been hacked). Practically, you can check multiple sources of info and verify that they agree, e.g. about the official page of a distribution, and maybe also check that no one is reporting that the page/site has been hacked; HTTPS (TLS/SSL) helps too! But this is all imperfect to some degree.
    Commented Aug 19, 2021 at 21:43
  • 5
    @JonBentley HTTPS proves that a cert authority has verified that whoever is serving the site is the owner of the domain. DNSSEC will have verified that the domain records are intact. As long as the domain name is correct, you should be fine. If infrastructure hosting the site is compromised, you have bigger things to worry about because then even the official ISO is likely compromised. Of course, the above could fail under certain circumstances, but all of that is out of scope of this question anyway because it goes for any website at all and is not relevant to system ISOs specifically.
    – user9123
    Commented Aug 19, 2021 at 21:58
  • 1
    I'm not sure if it's part of the OP's confusion, but a cryptographic hash is used to verify a distro, not a checksum. As explained in the accepted answer here, a hash is much more resistant to malicious 'fakes', i.e., collisions.
    – JimmyJames
    Commented Aug 20, 2021 at 15:41
  • 2
    I don't know how you use these terms but from what I understand to be the general usage, checksums are hashes (which are any functions that convert arbitrary data into fixed size numbers/bitstrings), they are not however cryptographic hashes which are hashes which provide first and second preimage resistance and collision resistance. Of course only cryptographic hashes are to be used in this scenario.
    Commented Aug 23, 2021 at 16:52
8

I strongly believe that open source software is more vulnerable to hackers point blank!

Windows is a closed source software, yet there exists Windows XP Gold and Vision Ultimate which are unofficial ISOs of Windows that contain pre-installed software, tweaks, etc. So it's possible to make a fake ISO even if the software is not open source.

I can't add a link because it's piracy, but these can be found easily on the Internet.

1

I'd say this is mostly answered, but I'll also add that Ubuntu now supports SecureBoot as well. You wouldn't be able to modify certain parts of the kernel at minimum without the computer refusing to run it.

Of course, there's plenty that can still be done in userland, but there is some security in place.

I am unsure how the hypothetical ISO would end up on anyone's computer, though, since I imagine most people download it from the official sources.

1

As many others have already pointed out, your inclination to believe that open source software is more easily hacked/exploited is completely unwarranted. The point of this answer is just to share a personal story of mine that speaks to this, forcefully so, in my opinion:

Many many years ago (back when Windows NT was standard issue in enterprise deployments) I felt compelled to subvert a particular installation by modifying the console/desktop logon process so as to capture users' logon credentials. As you may imagine, I have no access to anything like Microsoft's source code, yet it took me less than an afternoon to find the relevant module (I still remember it was called WINGINA.DLL; no idea if it's still around in current versions, as I have long since let go of Windows completely), then to identify the very few functions that had to be modified, and to fit the required code (x86 assembly, obviously) into several nooks & crannies that these executables tend to have unoccupied. It worked beautifully.

Now suppose I wanted to fix, for myself, one of the many flaws that Microsoft's products have (and I don't mean only security flaws). For the vast majority of cases, that would be very hard (next to impossible, really) without source code.

So the lack of an open source is a tremendous hindrance to ameliorating a product; not so much when it comes to covertly turning it into malware.

0

You are missing the point here. The main difficulty of this attack is not in making it possible to create a malicious ISO, it is in convincing a victim to use it.

That has been done over and over again to all kinds of software. Why do you think tech support scams by and large use the "we are Microsoft tech support" disguise? And how well do you suppose that works? (spoiler: very well)

"Click that link" and "authenticate this action" are ultimately social engineering attacks, and the software used being open source is not really making it much easier to make it look convincing. As already stated in the answers, faking a hash is quite a hard task but also too much effort given people very commonly wouldn't check it, and a harder part would be to convince someone to download from your mirror and not some of the official ones. Chain of trust is a thing; it is not terribly hard to compromise locally but everything security-related is based upon it. The main protection mechanism in FOSS is basically that in order to cause significant damage, one would need to build up a lot of reputation first AND somehow fly under the radar of people reading the code.

The main reason many open source bits of software are potentially more vulnerable than their closed-source counterparts is just not enough scrutiny. Too much software, too many updates - it is feasible to sneak in some vulnerable code with malicious intent.

TL;DR: If you can convince people that you are a trusted source of software and they should run it, the rest is a piece of cake.

-1

Sure, malicious code could be injected into packages in the ISO - the same way malicious code is often injected into Windows and MacOS media that people download from unofficial sources. There is no difference here between Ubuntu, Windows and MacOS.

ISO files are often mirrored, so it's likely that your ISO image is not downloading directly from the vendor's website. That's why they will provide you with MD5/SHA/GnuPG checksums on the Ubuntu/MS/Apple website. You use the checksum to validate that the ISO image you downloaded is the ISO the vendor made. This effectively means you have an authoritative method to validate your ISO.

Checksums are usually provided by all the aforementioned vendors on downloads.

Your belief that open-source is more vulnerable to hackers is both true and false... but mostly false. You think "I can see your code, so I can hack you" - which is completely wrong. Peer reviewed code is significantly more secure.

The fundamental things that secure you on the internet (VPN, SSL/TLS, etc) are predominantly based on open-source. (Else it would be based on trusting a company that's unwilling to show you what's behind the curtain).

Your argument is like saying a car with 6 wheels will always go faster than a 4 wheel car. If you're basing this observation on traction alone - then it's possibly correct, but there are significantly more variables involved in a car that determine its top speed.

I recommend you read "The Cathedral and the Bazaar" - which compares the mindset of open and closed source. It's a few years old, but should give you some insight.

14
  • 5
    "Peer reviewed code is significantly more secure." - that statement is true. But it is not true that OSS is always peer reviewed or that the peer reviews have a high quality and therefore OSS has a better quality. Just because the source is open does not magically create experts which have time and knowledge and nothing else to do than reviewing the code. There were enough disasters in the past which showed a lack of good review or any review at all in open source, even for critical software components like OpenSSL. It does not mean that OSS is worse, but it also does not mean it is better.
    Commented Aug 19, 2021 at 8:52
  • 4
    Was The Cathedral and the Bazaar really about open vs closed source? IIRC it was more like two kinds of open source. But it was a long time ago that I read it.
    Commented Aug 19, 2021 at 14:24
  • @SteffenUllrich - totally agree. The statement was to show that saying OS is more insecure simply because the code is visible creates a false-dichotomy and there are significant other factors that should be taken into account.
    Commented Aug 19, 2021 at 23:46
  • @user253751 - I may have to re-read it myself 20 years later. I always felt that the essay gave a good indication of the open vs closed source benefits/penalties, but the essay is based on open source. So you are correct. It might not be the best reference material - happy to remove it from my response.
    Commented Aug 19, 2021 at 23:54
  • @user253751 Per Wikipedia: "The essay's central thesis is Raymond's proposition that "given enough eyeballs, all bugs are shallow" (which he terms Linus's law): the more widely available the source code is for public testing, scrutiny, and experimentation, the more rapidly all forms of bugs will be discovered. In contrast, Raymond claims that an inordinate amount of time and energy must be spent hunting for bugs in the Cathedral model, since the working version of the code is available only to a few developers."
    – JimmyJames
    Commented Aug 20, 2021 at 15:50
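
Added example (not part of any post above): the check that several answers describe, comparing a downloaded image against the vendor's published digest, written as a small Python verifier for a sha256sum-style manifest. The file name and image contents are constructed stand-ins, and the manifest is assumed to have been fetched from the vendor's own site over HTTPS or verified through its GPG signature; a manifest taken from the same untrusted mirror as the image proves nothing.

```python
import hashlib
import hmac
import os
import re
import tempfile

def parse_sha256sums(manifest_text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name') into {name: digest}."""
    digests = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        if (not re.fullmatch(r"[0-9a-fA-F]{64}", digest)
                or name[:1] not in (" ", "*") or len(name) < 2):
            raise ValueError(f"malformed manifest line: {line!r}")
        digests[name[1:]] = digest.lower()  # drop the ' ' (text) or '*' (binary) marker
    return digests

def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path, manifest_text):
    """True only if the manifest lists this file name and the digests match."""
    expected = parse_sha256sums(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False  # a file the manifest does not list is unverified, not OK
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Constructed sample: a stand-in image, then the same file with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-distro.iso")  # hypothetical file name
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for an installer image\n" * 1000)
        manifest = f"{sha256_file(iso)} *example-distro.iso\n"
        genuine = verify_image(iso, manifest)
        with open(iso, "r+b") as f:  # simulate a modified image
            f.seek(100)
            f.write(b"X")
        tampered = verify_image(iso, manifest)
        unlisted = verify_image(iso, "")
    return genuine, tampered, unlisted

if __name__ == "__main__":
    print(demo())
```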
