| He's talking about display monitors AKA the screens which can be exploited via the i2c bus over the graphical interface (e.g. HDMI). The GP is 100% correct, if you can't trust your keyboard, mouse, and the monitor the "secure computer" concept in this case is problematic, while it does reduce the attack surface somewhat it just focuses the attention of the adversary onto a different vector. If we take their "cleaning man/evil maid" scenario then while implanting the computer might not be possible, implanting the keyboard, mouse or screen would be very possible, and in fact somewhat easier than implanting a regular computer with decent security measures such as an encrypted drive. Add a USB storage device with a micro-controller to the keyboard and you own the computer once it's connected, a monitor today comes with a CPU powerful enough to run custom code which can be used to exfiltrate data as well. Additionally both the keyboard and the monitor could potentially be used to exploit software flaws on the software running on the ORWL unit also. The concept is interesting however this is mostly "security theater" any adversary which would be sophisticated enough to require taking these measures would likely be able to circumvent them, and for the rest these measures don't really do anything; if you use this for day to day operations or on-net activity you'll get pwned via the network; if you keep secrets on this thing worthy of sending some one into your home to implant your PC then they'll implant something else which is connected to it. Oddly enough the only "high tier" adversary that this might thwart would be law enforcement since their computer forensic SOP would pretty much melt down when encountering something which is tamper resistant. But hey, you gotta start somewhere. |