ClockworkPi, an SBC project run out of China, has finally shipped its long-awaited DevTerm computers. ClockworkPi was previously known for its GameBoy-like emulation computer, the GameShell. After repeated delays in shipping and production, which the devs claimed were the fault of the coronavirus pandemic, the first DevTerms have been shipped. The DevTerm is a single-board-computer project designed to be a fully functioning portable computer inspired by the design of the TRS-80 Model 100.
Since DevTerms are now arriving, they can finally be audited. One user has discovered an incredible blunder by this self-promoting computer manufacturer: the private PGP key for their custom apt repository has been published since at least September 2021!
User BlayTation on their forum has been conducting a thorough review of the device (specifically, the DevTerm A04), which you can read here [clockworkpi.com].
As BlayTation continued to audit the machine, he began to have issues with several programs producing kernel errors. According to his posts, he decided to audit the apt repo for the custom-built (Armbian-based) kernel.
What he discovered was that the private signing key had been committed to the GitHub-hosted apt repository for as long as the apt repo has existed.
BlayTation reports the major blunder on their forum here [clockworkpi.com].
"You should know that Private key isn’t private is a completely valid and extremely concerning issue. apt is completely compromised because it appears @guu doesn’t understand PGP signatures. The entire repo can not be used safely or securely until a new private key is generated, actually kept private, and the packages are resigned." -- BlayTation
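The failure described above is the signing key sitting in the same tree as the packages it signs. A repository maintainer (or anyone auditing a mirror or a clone of the repo) can catch that before publishing with a scan for OpenPGP secret-key material. The script below is an added example and is not ClockworkPi's code; it builds a constructed sample repository under a temp directory, flags both ASCII-armored private key blocks and binary files whose first OpenPGP packet is a secret key or secret subkey (packet tags 5 and 7 per RFC 4880), and leaves public keys and ordinary repository files alone. The file names and placeholder key bodies are made up for the demonstration.

```python
"""Scan a directory tree (e.g. a checked-out apt repository) for OpenPGP
private-key material. Added example, not the project's own code; the
sample repository and its contents are constructed for illustration."""
import os
import re
import tempfile

ARMOR_PRIVATE = re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----")
# OpenPGP packet tags carrying secret-key material (RFC 4880 section 4.3)
SECRET_KEY_TAGS = {5, 7}   # Secret-Key Packet, Secret-Subkey Packet


def first_packet_tag(data: bytes):
    """Return the tag of the first OpenPGP packet in a binary blob, or None
    if the first byte is not a packet header (bit 7 must be set). This is a
    first-packet heuristic, not a full packet parser."""
    if not data or not data[0] & 0x80:
        return None
    b = data[0]
    if b & 0x40:            # new-format header: tag is the low 6 bits
        return b & 0x3F
    return (b >> 2) & 0x0F  # old-format header: tag is bits 5..2


def file_has_private_key(path: str) -> bool:
    """True if the file is an armored private key block or a binary OpenPGP
    stream whose first packet is a secret key / secret subkey."""
    with open(path, "rb") as fh:
        data = fh.read()
    if ARMOR_PRIVATE.search(data):
        return True
    return first_packet_tag(data) in SECRET_KEY_TAGS


def find_private_key_material(root: str):
    """Walk `root` and return the sorted relative paths of files holding
    private-key material. The .git directory is skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if file_has_private_key(full):
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue
    return sorted(hits)


def build_sample_repo() -> str:
    """Create a constructed sample apt repo: a public key (fine), an armored
    private key block and a binary secret-key packet (both must be flagged),
    and a plain Release file (fine). All contents are placeholders."""
    root = tempfile.mkdtemp(prefix="aptrepo-")
    os.makedirs(os.path.join(root, "dists", "stable"))
    with open(os.path.join(root, "pubkey.asc"), "wb") as fh:
        fh.write(b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
                 b"mQENBF...placeholder...\n"
                 b"-----END PGP PUBLIC KEY BLOCK-----\n")
    with open(os.path.join(root, "private.key"), "wb") as fh:
        fh.write(b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
                 b"lQOYBF...placeholder...\n"
                 b"-----END PGP PRIVATE KEY BLOCK-----\n")
    # 0x95 = old-format header, tag 5 (Secret-Key Packet), 2-byte length field
    with open(os.path.join(root, "secring.gpg"), "wb") as fh:
        fh.write(b"\x95\x00\x04" + b"\x00" * 4)
    with open(os.path.join(root, "dists", "stable", "Release"), "wb") as fh:
        fh.write(b"Origin: example\nSuite: stable\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for hit in find_private_key_material(repo):
        print("private key material found:", hit)
```

Run against a real checkout, `find_private_key_material(".")` is the kind of check that belongs in a pre-commit hook or CI job for any repository that publishes signed packages; a non-empty result means, exactly as the quote above says, that the key must be treated as compromised, a new one generated and kept off the repository, and the packages re-signed.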
BlayTation went on to prove twice that the key was compromised by making fake messages using the private key. One of the lead developers, Guu (aka Cuu), chimed in:
"I know what you mean and your concern
I don’t know if there is anyone will receive my message through a PGP signed msg
and for the total opensource project , people can/should setup their own apt repo if they care/know this sec issue
if not
I think they probably won’t send/recv message through PGP keys
and next time if you try to communicate with people here or in real life
don’t be the full mouth of shit
pal"
-- Guu
Clearly this self-marketed hobby computer project is run by individuals who don't understand basic cryptography and everyone who has purchased one of these computers has clearly financed some high-quality Chinese scamware. If you have purchased the DevTerm, or are using their previous product, The GameShell, stop using the product immediately as your entire system may be compromised.
ClockworkPi was previously made aware of these problems. On an issue report [github.com] for the apt repository (which is the only issue report filed) dated September 27, 2021, user bbqsrc simply says "This might be a mistake" to which lead developer guu replies:
"ok
The start idea is to let other people can sign their deb with the CPI key like I am doing
but I am not very familiar with deb, if someone try to make a PR with his custom deb to here, will it be ok if he uses his own key to sign the deb?"
-- Guu
After bbqsrc corrects him, another developer, user reidrankin, comes in and says:
"To your specific concern -- which is admirable -- there's nothing that requires that people use signed .deb packages if they don't want to, or keeping them from making their own keys and using those instead."
-- reidrankin
BlayTation concluded his bug-report thread by saying:
"You really don’t understand what you’ve done, do you? It is now unsafe to use your apt repo, and you have compromised the security of everyone who is using it. This isn’t just a mistake, this is a critical error that will haunt your project for the rest of your days. On a scale from 1 to 10, the severity is a 10. You don’t know what you’re doing, and have self-compromised the integrity of your apt repo."
--BlayTation
Quite a big problem for the little start up, isn't it?