Information Security News mailing list archives

The secret life of your own laptop


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Feb 2002 01:16:48 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://news.independent.co.uk/digital/features/story.jsp?story=139444

Andrew Brown
25 February 2002

It would be quite easy to make a car that no one would find it
worthwhile to steal: just ensure that a secret code had to be entered
into the immobiliser every time it was refuelled; and that if the code
was wrongly entered or forgotten, the car could only be restarted by
replacing the whole engine. It sounds absurd, and would certainly
diminish the second-hand market in any brand that adopted it.

Yet many IBM laptops are protected in a very similar way. They contain
a secret password which, if it is forgotten or lost, simply cannot be
replaced. Without the password, the whole computer is an inert lump of
plastic. The hard disk, too, can be protected in a similar way; if
that has been done, it doesn't help to remove the hard disk and put it
into another machine to analyse. Without the original password, the
hard disk cannot be read, even in a different machine.

It is an awe-inspiring deterrent to thievery and very valuable as a
means of guarding corporate data. If MI5 or the army used systems like
that, it would matter less how many drunken operatives left their
laptops in bars. No one could ever get the information out of them. If
al-Qa'ida had used IBM laptops, it could have left them all over Kabul
and its work would have remained locked on a hard disk – rather than
being decoded, as it was, by some journalists who bought a second-hand
PC there that the organisation had used to write letters and e-mails.

But cast-iron security has some ghastly consequences in the civilian
world. There are four passwords that can be set on an IBM ThinkPad,
and the most insidious one can sit there for years, undetected. This
is the BIOS supervisor password, which controls access to the most
basic features of the computer.

The program stored in a computer's BIOS is really its spinal cord: it
tells the central processor about all the other parts: the screen, the
keyboard, and even the memory. Without it, the machine is paralysed.  
Typically, the BIOS is stored in a "flash" memory chip, which can be
reprogrammed as needed if the computer is upgraded – provided, of
course, that you have the supervisor password, which is itself stored,
encrypted, on the chip.

Normally, you need to upgrade the BIOS program only when upgrading the
operating system, because a computer loaded with Windows 98 when it
was bought will need a BIOS upgrade to make the power-management
features work under Windows 2000 or XP. But if you do start the BIOS
upgrade and haven't got the code, your valuable computer will be
transformed within seconds into a hunk of worthless plastic that will
never work again without expensive surgery, and from which the data
may never again be extracted. You finish the upgrade and the machine
restarts; then you're asked for the BIOS password. The equivalent in a
car would be a code that had to be entered only when the car was
started for the first time after an oil change.

It is one of the unforgettable sensations that computer ownership has
to offer: one moment you're tapping away at a piece of routine
maintenance, and the next you find your stomach has taken up
ski-jumping.

Technologically, the position is simple. If the machine is out of
warranty, you're screwed. IBM quotes a figure of "at least £1,000" to
replace the motherboard [with the BIOS]. If your machine is still
under warranty, says Mike Wallace, the manager responsible for
ThinkPads in the UK, an IBM dealer can repair it within a week. But
after that, the simplest thing is simply to buy a new and more modern
machine.

If a disgruntled employee were to put such a password on his company's
laptop, and then forget it, his employers would have a real problem.  
It's like changing the combination of a company safe. Yet it need not
always be an irresponsible action. Arguably, you should protect your
own machine in this way (if you can); otherwise any hostile party who
gets hold of it first can lock you out of your own machine.

The first appearance of these cryptographic fortresses is in large
companies: Shell, for example, has more than 90,000 laptops and
desktops in 1,000 offices around the world. They are all Compaqs now,
or soon will be; and all are protected not only with passwords but
smart cards, so you can't use them without opening both a hardware and
a software lock - and these cards can all be centrally reprogrammed,
like hotel-room key cards, to ensure that access can be tightly
controlled and monitored on a day-to-day basis.

Some of the latest IBM machines have an even more terrifying form of
security: a small, built-in camera for face recognition. If the laptop
doesn't like your face, you can't use it at all. There is a way to
bypass this, involving two more passwords, making a total of six or
more for the one laptop. But we are definitely heading toward a future
in which you don't ever want to forget your laptop password. It
doesn't matter to large companies, which can at last manage a huge and
mobile collection of laptops as if they were all physically present in
the IT department, with someone watching them all the time. Schools,
too, would find this sort of security much more effective than
physical locks.

But it's a taste of the future. More and more hardware will be
protected in this way. As everything becomes lighter and more modular,
and drives and batteries can be swapped almost as easily as
mobile-phone covers, so manufacturers will provide more and more
clever embedded cryptography to protect your property. Mobile phones
can now be disabled over the network once reported stolen, and it's
easy to see that this could be done with wireless-enabled laptops,
too. Within 10 years, it should be easy enough to fix cars so that all
the embedded computers they rely on are protected with a password. The
fantasy with which this article started, of a car that no one would
bother to steal, would become a reality.

Once everyone is used to such ideas, society will adjust. It will be
understood that you no more sell a computer or a car without its
passwords than you now sell a house without its keys. But we are still
a long way from there, and the transition period is going to be full
of nasty shocks for people who buy second-hand protected goods.

The web is full of sites on how to clear laptop passwords, but they
don't work reliably on all machines. The protection on Toshiba
machines is fairly easy to defeat; IBM ThinkPads are the hardest; Dell
and Hewlett Packard sit somewhere in the middle, to judge by the price
list at Password Crackers Incorporated, a company in Maryland that
sells replacement password chips for most laptops for $30-100
(£20-70). These chips have to be soldered on to the motherboard by a
skilled technician in a proper workshop, and if the hard disk has a
password set as well, the old chip must be sent back to Password
Crackers to have that password extracted for another $50 (£35).

This is not at the moment a very big business, according to Bob Weiss,
the company's president, because most people who find their new laptop
has locked them out simply give up in despair. But he expects it to
grow steadily over the next 10 years. And - speaking as someone who
has been locked out of an IBM ThinkPad bought secondhand - it's hard
to argue with him.

Andrew Brown is author of 'The Darwin Wars' and is currently writing a
book about unravelling the genome of the nematode worm.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


