The developers behind a popular desktop Linux distribution recently revealed that their site had been hacked. For several hours the link leading to one or more of the distribution’s direct downloads in fact lead to a compromised version of the distro with a backdoor installed. If users downloaded the distribution during that period, they may have installed an operating system that was wide open to an attacker. The attacker responsible, who goes by the name of Peace, claimed that he has control over several hundred machines running Mint.
Although the details of the attack are not completely clear at the time of writing, it appears that the attackers focused on the distribution’s WordPress site. They compromised the site and edited one of the links on its download page so that it pointed to a malware-infected version of the distribution ISO hosted on the attacker’s own servers. They also edited the checksum so that any user attempting to validate the data they’d downloaded would be told they were in the clear.
I’m not singling out Mint for criticism here, although they could certainly benefit from a thorough security audit of their site. This sort of attack could be made against any distribution. The attack, however, does provide an excellent example of why checksums may not be adequate as a mechanism for verifying downloads.
Some have criticized Mint for using MD5 checksums, rather than “more secure” SSH256 checksums, but that isn’t really the issue here. While it is theoretically possible to generate an MD5 hash collision if you’re creating a pair of files from scratch, it isn’t practically feasible for a pre-existing file like an ISO.
The real lesson to be learned here is that using checksums at all isn’t a great idea, no matter how robust they are. For the most part, when we download a Linux distribution, we grab the checksum from the same site as the download link. If the download link has been maliciously altered, only a dim attacker would fail to also alter the checksum sitting on the page beside the link.
As Micah Lee puts it:
“It’s also important to note that comparing the checksum of a file you downloaded with what you see on the website you downloaded it from isn’t secure either, even if you are using SHA256. If a hacker can hack the website to modify the download link, they can modify the checksum at the same time to match their malicious download.”
If a site doesn’t offer secure HTTPS connections, it wouldn’t even be necessary for an attacker to compromise the site itself. A man-in-the-middle attack that altered the relevant data as it travelled unencrypted across the web would do the job nicely.
Storing checksums with the files themselves would make life marginally more difficult, since attackers would have to compromise the file server rather than just the WordPress installation running the site, but that’s not such an outlandish idea — file servers are a natural target.
One alternative suggested by Lee is to use public key cryptography rather than checksums. If an ISO or file is digitally signed with a secure private key, and can be verified with the accompanying key, users will be significantly safer. That process would be somewhat more difficult to manage than checksums on the user end, but the security benefits are clear. It seems that the Mint distribution did offer OpenPGP signatures, but it wasn’t publicized or documented, which is about as useful as not using the more secure method at all.