
Thread: what happens with a faked repository

  1. #1
    Join Date
    Jul 2005
    Beans
    435

    what happens with a faked repository

    Hello,

    My question is about a certain scenario: Say I have connected to an unknown wireless or wired network using my ubuntu laptop. The DNS server IP addresses for this network have been set (by the owner of the network or by a malicious hacker) to point to a fake, malicious DNS server set up by that person. Now, I try to update my ubuntu system using the commands
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo apt-get dselect-upgrade

    Now, the fake DNS server directs one of the repositories (say us.archive.ubuntu.com or packages.medibuntu.org or some other repo) to a false, malicious IP address set up by that person, where he has set up a fake, malicious repository. The upgrade process reports to me that there are software upgrades (updates) for my ubuntu system and I give my assent to install those upgrades (updates). So, the fake, malicious upgrades (updates) are installed on my ubuntu system and the malicious guy/hacker has managed to install malware/spyware/viruses on my ubuntu system. Is such a scenario possible?

  2. #2
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: what happens with a faked repository

    Yes, it's possible but highly unlikely.

    If you're worried about this, pick a different repository server. I use one located at a nearby university. There are hundreds of options.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  3. #3
    Join Date
    Jan 2008
    Location
    Nappanee, IN
    Beans
    602
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    Said malicious hacker would not just have to control the DNS; the repository would also have to fake the 'signatures' of the repositories and packages, which I believe have an AES two-part encryption.

  4. #4
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: what happens with a faked repository

    You're right. I forgot entirely about package signing. I believe an effective compromise would require gaining access to Canonical's private key that is used to sign the packages. There was an event like this in 2008 when someone breached Fedora's signing server. While RedHat didn't believe the passphrase was compromised, they judiciously changed it anyway.
    Last edited by SeijiSensei; November 10th, 2012 at 11:34 AM.

  5. #5
    Join Date
    Mar 2011
    Beans
    701

    Re: what happens with a faked repository

    PGP would prevent this. They would need the private keys from the repository to sign their payloads, otherwise they'd send it over and the update would fail.

    Of course, certificates get stolen all the time, which is why I've said before that updates should be handled over HTTPS to prevent MITM attacks where the signatures have been stolen.

  6. #6
    Join Date
    Jan 2008
    Location
    Nappanee, IN
    Beans
    602
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    @Hungry Man: I'm not sure how you would set up for an https:// connection to a local repository on a LAN. SSH, yes, but for https:// you would almost have to have a web server.

  7. #7
    Join Date
    Mar 2011
    Beans
    701

    Re: what happens with a faked repository

    Right now updates are handled through HTTP. All of the repos on the list are HTTP sites.

  8. #8
    Join Date
    Jan 2008
    Location
    USA
    Beans
    971
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    Quote Originally Posted by SeijiSensei:
    Yes, it's possible but highly unlikely.
    No, it's not possible. The attacker would not have Ubuntu's repository signing key and the "update" would fail.
    Occam's Razor for computers: Viruses must never be postulated without necessity -- nevius

    My Blog

  9. #9
    Join Date
    Jan 2008
    Location
    Nappanee, IN
    Beans
    602
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: what happens with a faked repository

    Quote Originally Posted by Hungry Man:
    Right now updates are handled through HTTP. All of the repos on the list are HTTP sites.
    Actually that isn't quite correct. Some mirrors are ftp sites for both downloads and updates.

  10. #10
    Join Date
    Jul 2005
    Beans
    435

    Re: what happens with a faked repository

    Hello,

    From what I understand, you are saying that the scenario I mentioned won't happen because the fake packages won't have the correct signatures, right? If the signatures don't match, what happens? Does apt give me a warning or something? Or does it give an error message and exit?
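The posts above describe the chain apt relies on (a signature over the Release file, hashes of the Packages index inside Release, hashes of each .deb inside Packages) and the question just asked is where in that chain a mirror served by a spoofed DNS answer gets caught. The following is an added example written for this thread, not apt's code: it models that chain with a constructed two-package repository and reports which layer fails when a mirror modifies a .deb, the Packages index, or the Release file. An HMAC stands in for the archive's OpenPGP signature (in a real repository that is the InRelease / Release.gpg signature checked against the keys in the apt keyring); the file names, package names and key value are all constructed.

```python
"""Simplified model of how a signed apt repository is verified (added example).

The HMAC below is a stand-in for the archive's OpenPGP signature. In a real
repository the client holds only a public key; here, for a self-contained demo,
signer and verifier share one constructed secret.
"""
import hashlib
import hmac

# Constructed stand-in for the archive signing key. A spoofed mirror does not have it.
ARCHIVE_SIGNING_KEY = b"constructed-archive-signing-key"

# Constructed package contents as the genuine archive would publish them.
GENUINE_DEBS = {
    "editor": b"editor 1.0.1 genuine build",
    "shell": b"shell 5.0 genuine build",
}
PACKAGES_PATH = "main/binary-amd64/Packages"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repository(debs: dict) -> dict:
    """Publish like the archive does: per-.deb hashes in Packages, a hash of Packages
    in Release, and a signature over Release. Returns the files a mirror serves."""
    packages_index = "".join(
        f"Package: {name}\nSHA256: {sha256(content)}\nSize: {len(content)}\n\n"
        for name, content in sorted(debs.items())
    ).encode()
    release = (
        "Origin: Constructed\nSuite: example\nSHA256:\n"
        f" {sha256(packages_index)} {len(packages_index)} {PACKAGES_PATH}\n"
    ).encode()
    signature = hmac.new(ARCHIVE_SIGNING_KEY, release, "sha256").hexdigest()
    return {"Release": release, "Release.sig": signature,
            "Packages": packages_index, "debs": dict(debs)}


def parse_release_hashes(release: bytes) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    hashes, in_section = {}, False
    for line in release.decode().splitlines():
        if line == "SHA256:":
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_section = False
    return hashes


def parse_packages(packages: bytes) -> dict:
    """Return {package name: (sha256, size)} from a Packages index."""
    entries = {}
    for stanza in packages.decode().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if line)
        if "Package" in fields:
            entries[fields["Package"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def verify_repository(mirror: dict, wanted: str) -> str:
    """Walk the chain as a client does; return 'ok' or the name of the failing layer.
    DNS spoofing only changes which server answers; every check is against the
    key the client already holds, so the server's identity never enters into it."""
    expected = hmac.new(ARCHIVE_SIGNING_KEY, mirror["Release"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, mirror["Release.sig"]):
        return "release-signature"      # Release was changed without the signing key
    digest, size = parse_release_hashes(mirror["Release"])[PACKAGES_PATH]
    packages = mirror["Packages"]
    if sha256(packages) != digest or len(packages) != size:
        return "packages-index-hash"    # index changed, but Release still pins the old one
    pkg_digest, pkg_size = parse_packages(packages)[wanted]
    deb = mirror["debs"][wanted]
    if sha256(deb) != pkg_digest or len(deb) != pkg_size:
        return "package-hash"           # .deb changed, but Packages still pins the old one
    return "ok"


def tampered_mirror(kind: str) -> dict:
    """Constructed mirror whose operator modified 'editor' and regenerated files
    down to the given layer ('deb', 'packages' or 'release'), without the signing key."""
    mirror = build_repository(GENUINE_DEBS)
    mirror["debs"]["editor"] = b"editor 1.0.1 with extra payload"
    regenerated = build_repository(mirror["debs"])
    if kind in ("packages", "release"):
        mirror["Packages"] = regenerated["Packages"]
    if kind == "release":
        mirror["Release"] = regenerated["Release"]  # Release.sig stays the old one
    return mirror


if __name__ == "__main__":
    print("genuine:", verify_repository(build_repository(GENUINE_DEBS), "editor"))
    for kind in ("deb", "packages", "release"):
        print(f"mirror tampered at {kind}:", verify_repository(tampered_mirror(kind), "editor"))
```

Whichever layer the mirror rewrites, the check one level up still pins the genuine value, and the top of the chain can only be re-signed with the key the mirror does not have; that is the reason the replies above keep coming back to the signing key rather than to the transport. What this model does not cover is a mirror that serves unmodified but old, correctly signed files, which is why real Release files carry a Date and Valid-Until field for the client to check as well.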
