[ISN] The secret life of your own laptop

From: InfoSec News (isnat_private)
Date: Mon Feb 25 2002 - 23:16:48 PST

  • Next message: InfoSec News: "[ISN] MS warns of 'critical' flaws"

    Forwarded from: William Knowles <wkat_private>
    Andrew Brown
    25 February 2002
    It would be quite easy to make a car that no one would find it
    worthwhile to steal: just ensure that a secret code had to be entered
    into the immobiliser every time it was refuelled; and that if the code
    was wrongly entered or forgotten, the car could only be restarted by
    replacing the whole engine. It sounds absurd, and would certainly
    diminish the second-hand market in any brand that adopted it.
    Yet many IBM laptops are protected in a very similar way. They contain
    a secret password which, if it is forgotten or lost, simply cannot be
    replaced. Without the password, the whole computer is an inert lump of
    plastic. The hard disk, too, can be protected in a similar way; if
    that has been done, it doesn't help to remove the hard disk and put it
    into another machine to analyse. Without the original password, the
    hard disk cannot be read, even in a different machine.
    It is an awe-inspiring deterrent to thievery and very valuable as a
    means of guarding corporate data. If MI5 or the army used systems like
    that, it would matter less how many drunken operatives left their
    laptops in bars. No one could ever get the information out of them. If
    al-Qa'ida had used IBM laptops, it could have left them all over Kabul
    and its work would have remained locked on a hard disk  rather than
    being decoded, as it was, by some journalists who bought a second-hand
    PC there that the organisation had used to write letters and e-mails.
    But cast-iron security has some ghastly consequences in the civilian
    world. There are four passwords that can be set on an IBM ThinkPad,
    and the most insidious one can sit there for years, undetected. This
    is the BIOS supervisor password, which controls access to the most
    basic features of the computer.
    The program stored in a computer's BIOS is really its spinal cord: it
    tells the central processor about all the other parts: the screen, the
    keyboard, and even the memory. Without it, the machine is paralysed.  
    Typically, the BIOS is stored in a "flash" memory chip, which can be
    reprogrammed as needed if the computer is upgraded  provided, of
    course, that you have the superviser password, which is itself stored,
    encrypted, on the chip.
    Normally, you need to upgrade the BIOS program only when upgrading the
    operating system, because a computer loaded with Windows 98 when it
    was bought will need a BIOS upgrade to make the power-management
    features work under Windows 2000 or XP. But if you do start the BIOS
    upgrade and haven't got the code, your valuable computer will be
    transformed within seconds into a hunk of worthless plastic that will
    never work again without expensive surgery, and from which the data
    may never again be extracted. You finish the upgrade and the machine
    restarts; then you're asked for the BIOS password. The equivalent in a
    car would be a code that had to be entered only when the car was
    started for the first time after an oil change.
    It is one of the unforgettable sensations that computer ownership has
    to offer: one moment you're tapping away at a piece of routine
    maintenance, and the next you find your stomach has taken up
    Technologically, the position is simple. If the machine is out of
    warranty, you're screwed. IBM quotes a figure of "at least 1,000" to
    replace the motherboard [with the BIOS]. If your machine is still
    under warranty, says Mike Wallace, the manager responsible for
    ThinkPads in the UK, an IBM dealer can repair it within a week. But
    after that, the simplest thing is simply to buy a new and more modern
    If a disgruntled employee were to put such a password on his company's
    laptop, and then forget it, his employers would have a real problem.  
    It's like changing the combination of a company safe. Yet it need not
    always be an irresponsible action. Arguably, you should protect your
    own machine in this way (if you can); otherwise any hostile party who
    gets hold of it first can lock you out of your own machine.
    The first appearance of these cryptographic fortresses is in large
    companies: Shell, for example, has more than 90,000 laptops and
    desktops in 1,000 offices around the world. They are all Compaqs now,
    or soon will be; and all are protected not only with passwords but
    smart cards, so you can't use them without opening both a hardware and
    a software lock - and these cards can all be centrally reprogrammed,
    like hotel-room key cards, to ensure that access can be tightly
    controlled and monitored on a day-to-day basis.
    Some of the latest IBM machines have an even more terrifying form of
    security: a small, built-in camera for face recognition. If the laptop
    doesn't like your face, you can't use it at all. There is a way to
    bypass this, involving two more passwords, making a total of six or
    more for the one laptop. But we are definitely heading toward a future
    in which you don't ever want to forget your laptop password. It
    doesn't matter to large companies, which can at last manage a huge and
    mobile collection of laptops as if they were all physically present in
    the IT department, with someone watching them all the time. Schools,
    too, would find this sort of security much more effective than
    physical locks.
    But it's a taste of the future. More and more hardware will be
    protected in this way. As everything becomes lighter and more modular,
    and drives and batteries can be swapped almost as easily as
    mobile-phone covers, so manufacturers will provide more and more
    clever embedded cryptography to protect your property. Mobile phones
    can now be disabled over the network once reported stolen, and it's
    easy to see that this could be done with wireless-enabled laptops,
    too. Within 10 years, it should be easy enough to fix cars so that all
    the embedded computers they rely on are protected with a password. The
    fantasy with which this article started, of a car that no one would
    bother to steal, would become a reality.
    Once everyone is used to such ideas, society will adjust. It will be
    understood that you no more sell a computer or a car without its
    passwords than you now sell a house without its keys. But we are still
    a long way from there, and the transition period is going to be full
    of nasty shocks for people who buy second-hand protected goods.
    The web is full of sites on how to clear laptop passwords, but they
    don't work reliably on all machines. The protection on Toshiba
    machines is fairly easy to defeat; IBM ThinkPads are the hardest; Dell
    and Hewlett Packard sit somewhere in the middle, to judge by the price
    list at Password Crackers Incorporated, a company in Maryland that
    sells replacement password chips for most laptops for $30-100
    (20-70). These chips have to be soldered on to the motherboard by a
    skilled technician in a proper workshop, and if the hard disk has a
    password set as well, the old chip must be sent back to Password
    Crackers to have that password extracted for another $50 (35).
    This is not at the moment a very big business, according to Bob Weiss,
    the company's president, because most people who find their new laptop
    has locked them out simply give up in despair. But he expects it to
    grow steadily over the next 10 years. And - speaking as someone who
    has been locked out of an IBM ThinkPad bought secondhand - it's hard
    to argue with him.
    Andrew Brown is author of 'The Darwin Wars' and is currently writing a
    book about unravelling the genome of the nematode worm
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 02:54:14 PST