Should Ventoy users be concerned? What remediations could users take?

This issue was previously brought up on this forum a month ago under the Privacy category, but it never led to any productive discussion or advice. I hope it’s appropriate for me to ask about it under the Questions category since I’m concerned and would love to get some input and advice from others. For those who are missing the context, I’ll try to summarize it to the best of my ability as I understand it. Excuse me for not elaborating on many technical details as I’m not a super technical person, but I’ll include all the sources for anyone who wants to read more:

Motivated by worries caused by the XZ backdoor incident, someone took a closer look at the Ventoy project and shared their potentially concerning findings on Reddit. To my understanding, this could be summarized as them discovering more proprietary “blobs” than open source code as well as some supposedly poor security practices, something that people discuss further in the comments. Redditors encouraged OP to create a GitHub issue so the discussion can continue on the appropriate platform and the main developer (longpanda) could respond. Both on Reddit and GitHub, some have cautioned others to avoid Ventoy until this is resolved.

So far it has been over 7 months since the creation of the issue and there hasn’t been a peep from the developer, even though longpanda appears to have remained active on the forum. Among a sea of people expressing concern, some users argue that everyone is overreacting and they just need to calm down, but none of them have elaborated on why these issues shouldn’t be concerning. Until someone digs deeper or longpanda resolves the issue, concerned Ventoy users have been stuck waiting for a clear answer or path forward.


Personally, I feel that 1 month would already be a very long time to allow these concerns to go unanswered. Call me paranoid, but 7 months without even acknowledging this issue is suspicious to me. I would question if something happened to longpanda, but as pointed out earlier, they seem to be online and must’ve chosen to not respond to this issue. Before anyone claims I’m trying to spread FUD, I’m not claiming Ventoy is malicious. For all we know longpanda could just be so busy that they haven’t had the time to address this popular issue that undermines the trustworthiness of the entire project for over half a year…

That being said, I’d love some advice on what proactive remediation steps concerned Ventoy users could take in preparation for the possibility that Ventoy is malware. Personally, I’ve been using Ventoy to try out different Linux distributions and have used it to install the current Windows 10 OS I’m running now. I haven’t disabled secure boot which means I have also enrolled their key and hash and I’m not sure if that would grant them greater access to my device?

My first thought was to just re-install my OS from a trustworthy ISO, but I realize that infected firmware may also be a possibility. I can’t afford to replace this laptop, especially if it’s just on the grounds of a suspicion. So aside from throwing away my hardware, is there anything users could do if they suspect they may have a bootkit or otherwise have a compromised OS or firmware?

Ventoy is also known to break Linux distributions when installing.

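One concrete thing the OP can check before deciding whether to reinstall: what is actually enrolled in the machine's MOK list. On a shim-based Secure Boot chain, anything Ventoy enrolled through MokManager is trusted the same way the firmware db entries are, so listing it (and removing it with `mokutil --delete` or `mokutil --reset` if you no longer use Ventoy) is the first step. The script below is an added example written for this thread, not code from Ventoy, shim or any poster. It parses the EFI_SIGNATURE_LIST structures that shim publishes in the MokListRT variable, reports every enrolled certificate (as the SHA-256 of its DER bytes) and every enrolled binary hash, and can compare against a .cer file you pass in. Assumptions: efivarfs is mounted at the standard path, the variable uses shim's well-known GUID, and the sample data at the bottom is constructed (the "certificate" is a placeholder byte string, not a real DER cert). It only tells you what shim reports; it cannot detect firmware that lies.

```python
"""Inspect what a shim/MokManager-based Secure Boot chain has enrolled.

Added example for this thread, not code from Ventoy or from any poster.
Assumptions: efivarfs is mounted at the standard path below, and MokListRT
uses shim's well-known GUID.
"""
import hashlib
import struct
import sys
import uuid
from pathlib import Path

# UEFI spec signature-type GUIDs (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# shim's MOK runtime list; efivarfs prefixes every variable with a 4-byte attribute word.
MOKLIST_PATH = Path("/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23")
EFIVARS_ATTR_LEN = 4
SIGLIST_HDR_LEN = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_signature_lists(data):
    """Walk a concatenation of EFI_SIGNATURE_LISTs and return one dict per entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIGLIST_HDR_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("inconsistent SignatureListSize at offset %d" % off)
        body = data[off + SIGLIST_HDR_LEN + hdr_size:off + list_size]
        # Each signature is a SignatureOwner GUID (16 bytes) followed by the data.
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("inconsistent SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            payload = body[i + 16:i + sig_size]
            if sig_type == EFI_CERT_X509_GUID:
                kind, value = "x509", sha256_hex(payload)  # fingerprint of the DER cert
            elif sig_type == EFI_CERT_SHA256_GUID:
                kind, value = "sha256", payload.hex()      # hash of an allow-listed binary
            else:
                kind, value = str(sig_type), payload.hex()
            entries.append({"kind": kind, "owner": str(owner), "value": value})
        off += list_size
    return entries


def read_moklist(path=MOKLIST_PATH):
    """Read MokListRT from efivarfs (may need root) and parse it."""
    return parse_signature_lists(path.read_bytes()[EFIVARS_ATTR_LEN:])


def cert_is_enrolled(entries, der_cert_bytes):
    """True if this DER certificate is among the enrolled x509 entries."""
    fp = sha256_hex(der_cert_bytes)
    return any(e["kind"] == "x509" and e["value"] == fp for e in entries)


def build_signature_list(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST (no SignatureHeader); used for the sample below."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must be the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample standing in for a real MokListRT: two binary hashes and one
# certificate. FAKE_CERT is a placeholder byte string, not a real DER certificate.
FAKE_CERT = b"-- placeholder DER bytes, constructed for this example --"
SAMPLE_MOKLIST = (
    build_signature_list(EFI_CERT_SHA256_GUID, uuid.UUID(int=0),
                         [b"\x11" * 32, b"\x22" * 32])
    + build_signature_list(EFI_CERT_X509_GUID, uuid.UUID(int=1), [FAKE_CERT])
)


def summarize_sample():
    return parse_signature_lists(SAMPLE_MOKLIST)


if __name__ == "__main__":
    # Usage: python3 moklist.py [/path/to/enrolled.cer]
    enrolled = read_moklist()
    for e in enrolled:
        print("%-7s owner=%s %s" % (e["kind"], e["owner"], e["value"]))
    if len(sys.argv) > 1:
        der = Path(sys.argv[1]).read_bytes()
        print("certificate enrolled:", cert_is_enrolled(enrolled, der))
```

Run it as root on the laptop and pass the .cer Ventoy had you enroll (the file it ships on its EFI partition; compare its `sha256sum` with the x509 line). If the fingerprint matches and you have moved away from Ventoy, `mokutil --delete <that .cer>` queues the removal and MokManager asks you to confirm it on the next boot. `mokutil --sb-state` confirms Secure Boot is still enforcing.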

I just bought some new USB drives when I decided to try ISOs instead of using ventoy.

Hi, I haven’t followed the Ventoy situation so I cannot comment on that. From my understanding, Ventoy had one issue I did not like. To install Windows, you needed to disable Secure Boot. You could not start Ventoy because of Secure Boot, and you could not start Windows from Ventoy because of the Secure Boot chain of trust. Ventoy also has hooks into Windows 10 and 11 to bypass certain screens and allow installation without Secure Boot (which is probably normally disabled), so yes, it can probably modify the booted medium. You end up with a non-Secure-Boot installation of Windows, which I did not like.

For many years I have been using IODD instead. It does a similar job to Ventoy boot, but with a hardware device. The device can emulate a virtual CD drive and virtual fixed and removable hard disks. You don’t need to modify your media at all: no selinux, isolinux, different file system, GPT or MSDOS. If the ISO is built to work on the system, it’s going to work.

In the end it’s just shifted trust, because it’s also a small company from China. It’s physical hardware that could also have a hidden blob. It could also in theory fiddle with booted media or disks. At least it does support Secure Boot from virtual CDs as well as emulated disks. At this point, I do not have the capacity to know if the device is modifying content. So far, all the Linux CD installation media with a built-in integrity check have passed without error.

http://iodd.kr (HTTP only!)
https://www.iodd.shop/Accueil (French website, HTTPS)

I could be wrong but if they were doing something like this, I believe that at the very least someone’s machine would have been bricked, which as far as I’m aware never happened to anyone using ventoy. Reinstall if you’re worried.


What? I’ve never seen such in the OS forums I visit. Got a reference?

I think there are some motherboards and ISO combinations which don’t work well with Ventoy for some users. I’ve seen cases where a user installing a distro fails via Ventoy, but other users have had success.

This is something else, but I prefer Rufus to Ventoy due to compatibility issues.


I heard Microsoft accidentally put the Ventoy key in some laptops’ Secure Boot.

So anyone can now boot anything on those laptops.

🤷


I am still feeling suspicious towards Ventoy as with OP’s concerns.

I recently bought a large-ish USB drive but I still can’t bring myself to use Ventoy. It is such a shame because it looks fun and easy to download and try distros with.

Are there really no viable forks?


I recently moved all my files from the Ventoy USB to a USB SSD, without Ventoy, and I’m using balenaEtcher, which is open source, to burn ISOs.

Recently my Ventoy USB takes forever to load on a Windows PC 🤷 on Linux it just works 🤷


Maybe? But then again, if a group of people are capable of developing covert firmware-level malware, it’d be fair to assume that they’re proficient developers who would’ve proactively addressed this risk. This is even more realistic if people anticipate that an APT could be behind it, much like what people suspect happened in the XZ incident.

One could point out that the amount of Ventoy users must be a tiny drop in the world population and we might assume that it’s far too insignificant for an APT to be investing resources in. At the same time, perhaps (in this hypothetical) the firmware-level malware is being distributed in many ways and Ventoy is just one of many Trojans.


There have been no replies since the last comment on the GitHub issue 2 weeks ago. It seems like we may never get an answer to this. If I were in your shoes, I’d consider sticking with other more reputable OS flashing software. It’s inconvenient but the risk of such a low-level device compromise isn’t worth it in my opinion, but it ultimately comes down to how comfortable you feel running it and how much of an inconvenience it would be for you to avoid Ventoy.

The beauty of Ventoy is to just allow the dumping of .iso files into the allocated directory and there wouldn’t be a need to reflash the USB for each distro you want to try.
