Saturday, December 31, 2005

Laptop security

Recently, what with Christmas being seen as an ideal time for theft, I've been in meetings concerning the security of computer hardware, most notably laptops and projectors. Apparently I work in the second-worst location in the UK for thefts from schools.

As some of these meetings were sprung upon me without warning, I wasn't able to think them through as much as I'd like to have. As a result, I've been double-checking my advice to the schools to see if I can come up with any better ideas.

Current advice from the police includes chemical marking of property, securing the building, displaying signs and implementing CCTV (although the latter is not really pushed as a solution, more as a deterrent).

According to the second-hand feedback I've been hearing from the schools, the local police are having a tough time; schools are having lots of laptops and projectors stolen, the thieves are filing off the serial numbers and then the police are unable to confirm who the property belongs to. There are even stories of the stolen property having to be returned to the thief after a while, as the police are unable to prove that it's not theirs.

CCTV is proving all but useless as the thieves are always ready and cover all identifying parts of their body or clothing. Chemical marks are easily discovered with UV lamps and removed, even if it means damage to the property. There's also a growing black market in projector bulbs: these are not serialised and are therefore almost impossible to trace back to a source, as well as being an easily removable, high-value commodity.

All this led me to thinking about laptop security. Currently, the only physical way of securing laptops is the so-called "Kensington lock", a small standardised hole in the chassis of the laptop into which a lock can be placed, and from which it can also be easily removed, sometimes without any damage at all to the laptop.

So if you can't prevent them being stolen, is there something else you could do? Each computer processor has a unique serial number burned into the silicon of the chip itself. However, there is usually no way to read this number from the chip, as most manufacturers disable the option by default, and the thief can just as easily disable the same option. This means that not only is it time-consuming to actually read this number from a laptop on purchase, it's easily disabled too. Although the number could be checked if the laptop is physically recovered, there's no way to read it remotely.

Lots of software packages exist to "phone home". That is, every time the machine is connected to the internet, the software sends a small packet describing its location/phone number/other identifying pieces of information to a central server. If the laptop is ever reported stolen, this information is passed to the police so the thief is "caught" as soon as they go online.

The major flaw here is that a thief is going to be aware of such tricks and any professional would probably blank the hard drive upon receipt or even replace the entire drive unit and then install a clean version of the operating system. Software piracy would not be a big deal to a laptop thief.

Additionally, any hardware means of doing the same would also be detected and removed/circumvented. Or would it?

Why doesn't someone add a "call-home" modem/network card to standard laptop chipsets? Most laptops have built-in modems/network cards nowadays, and they would be the devices that actually physically connect to the Internet eventually (I'm assuming that any stolen laptop in use today would most probably go on the Internet at some time in its life, which is not an unreasonable assumption).

Obviously, the modem/network card would have to call home without the thief knowing. Let's assume, therefore, that the software driver for the modem/network card comes in two types. On the one hand, the device will identify itself as a standard modem/network card, supported by the built-in Windows drivers or the same drivers as a non-call-home device. In doing so, it will not give away its purpose. However, the driver originally supplied with the hardware would also include an option to send a series of innocent-looking AT commands, or even packets to localhost. These packets would set a hardware password, and maybe other information such as an IP address or email address, which would be stored inside the chipset firmware itself.

Once the password is set, every time the device connects to the Internet (which is fairly easy for the hardware itself to detect and intervene in without software assistance), the device is "activated". From then on, if the device driver does not send the password via the series of special packets/AT commands, the hardware itself would inject packets with the intent of sending a call-home packet/email to a central server.

This central server would most probably be set up by the hardware manufacturer, but it could also be set by the customers themselves to be an email address of their own. Whenever a standard non-password driver is used for the device (such as you would get by a reinstallation of the operating system), it would attempt to send this packet/email, which would include such details as the phone number called or the external IP address, or even a short history of phone numbers dialled.

However, even with the "correct" password-driven drivers installed, you would HAVE to know the password in order for the device to activate normally (or even activate at all) without sending such call-home information. If the thief was wise enough to know that this laptop contained such hardware, they might try to install the specialised drivers. However, without the password that is etched into the chipset firmware by the manufacturer/owner, there is no way the thief could disable the call-home functionality or change the password. This won't have stopped him stealing the laptop, but it will seriously limit its resale value; a laptop without Internet access is severely limited in its capabilities.

You could even add functionality to the "secure" drivers (the ones that ordinary customers will have pre-installed for them) that the device won't initialise the modem/network unless it receives the correct password from the user. This would prevent the thief from just using the pre-installed drivers, effectively forcing you to "log on" to the modem/network card before you can use it.

With such controls in untouchable silicon on the device that controls the modem, network card, wireless card, etc., a thief would be left with a crippled laptop, unable to go online for fear of being caught.

Even wiping the entire disk would do nothing: the specialised drivers would be gone, so the chipset would "know" that it was being used on a machine that may have been stolen and wiped. If the device runs on a standardised driver (e.g. a plain 56k AT command set or an NE2000-compatible network card), then a thief reinstalling the system would be unaware that by using the standard Windows driver they are advertising to the chipset that the system has been stolen. Only the NE2000 driver which also sends the correct password (most probably obtained from the user at boot time) would be able to circumvent the call-home functionality.

The original owner would, of course, be perfectly capable of reinstalling their operating system, as they know the password to the device and are in possession of the drivers to send the password to it. Even if the original owner sold the laptop, the person they legitimately pass the laptop on to could still use non-secure drivers. The laptop could handshake with the central server to see if it has been reported stolen before sending such a packet or, at worst, send an email to an address whenever it connects. This might even be a good audit tool for companies to see just how much their laptops get used.

Combine this with the fact that the concept is cross-platform and operating system independent (so long as two drivers exist: a standard one that can use the hardware normally and a specialised driver to send the special commands to the device upon initialisation) and you have a pretty foolproof system. You could ask for the password on boot (most corporate laptops have boot-time passwords anyway, and the functionality could be implemented in the BIOS rather than the OS drivers), on login or on use of the device. Inexperienced thieves would be caught the second they used the laptop online; experienced ones would be deterred, or at least know that the value of a laptop with such a system would be severely limited.
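The firmware behaviour sketched above, as an added Python model that is not part of the original post: a hypothetical chipset class whose password is set once in firmware and changed only by presenting the old one, a session that counts as authenticated only when the secure driver presents that password, a beacon the chipset injects on link-up otherwise, and a central-server check that raises an alert only for serials reported stolen (which covers the legitimate-resale case). The class and function names, serial numbers, IP addresses and phone numbers are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CallHomeNic:
    """Hypothetical model of the post's call-home chipset. The password is
    held in firmware: set once, and changed only by presenting the old one."""
    serial: str
    _password: Optional[str] = field(default=None, repr=False)
    _authenticated: bool = False          # per power-cycle / driver-load state
    beacons: list = field(default_factory=list)

    def provision(self, password: str) -> bool:
        """First-time setup by the owner's 'secure' driver; refused if already set."""
        if self._password is not None:
            return False
        self._password = password
        return True

    def present_password(self, password: str) -> bool:
        """The secure driver's special packet / AT command at initialisation."""
        self._authenticated = password == self._password
        return self._authenticated

    def change_password(self, old: str, new: str) -> bool:
        """Someone with the secure driver but no password cannot rotate it."""
        if self._password is None or old != self._password:
            return False
        self._password = new
        return True

    def driver_reload(self) -> None:
        """Reinstalling the OS or loading a standard driver drops session auth."""
        self._authenticated = False

    def link_up(self, external_ip: str, dialled: tuple = ()) -> Optional[dict]:
        """The chipset itself notices the link coming up. If no password was
        presented this session it injects a call-home beacon; the host OS and
        its standard driver never see this happen."""
        if self._password is None or self._authenticated:
            return None
        beacon = {"serial": self.serial, "ip": external_ip, "history": list(dialled)}
        self.beacons.append(beacon)
        return beacon


def central_server(beacon: dict, stolen: set) -> str:
    """Manufacturer/owner server: only beacons from serials reported stolen
    become alerts; a legitimately resold laptop is merely logged (audit trail)."""
    return "ALERT" if beacon["serial"] in stolen else "LOG"
```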

Just an idea I had ticking away in the back of my mind.
