Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: 8 Gig USB Squid Flash Drive |
| Anti-Stab Knife »
June 29, 2009
Protecting Against the Snatched Laptop Data Theft
Almost two years ago, I wrote about my strategy for encrypting my laptop. One of the things I said was:
There are still two scenarios you aren't secure against, though. You're not secure against someone snatching your laptop out of your hands as you're typing away at the local coffee shop. And you're not secure against the authorities telling you to decrypt your data for them.
Here's a free program that defends against that first threat: it locks the computer unless a key is pressed every n seconds.
Honestly, this would be too annoying for me to use, but you're welcome to try it.
Posted on June 29, 2009 at 6:51 AM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
External motors on ships have a secuity cable that one attaches to your wrist. If you fall overboard and the cable gets disconected the motor stops.
If one had a program that watches for disconnecting usb devices (small memory sticks for example) or bluetooth connections it would be much more user friendly.
Wouldn't a smart card strapped to your belt or wrist solve this problem? Once the smart card is removed (read: pulled out), the PC is locked.
Is bitlocker out of the question?
If somebody snatches your laptop they're very likely to close the lid to make running away easier, in which case regular password protection would work.
As I have posted a number of times before it is not just the "hot snatch" of a laptop or TSA/etc telling you to decrypt.
If the laptop/device is put into one of many types of standby mode then the encryption key is effectivly available.
You realy need to check that the products you buy with "Hot Snatch" protection features realy do actively shut the device down fully and compleatly as well as securly deleating memory otherwise you may leave a window open depending on the sophistication of the "snatcher" and other factors.
Also not just that it has the features but they are enabled, you would be surprised how many "usability issues" result in the most important aspects of security being turned off for user conveniance.
However that being said if you have the sort of data that might prove problematical either financialy or reputation wise if it leaked what the heck are you doing using it on a laptop in a public place...
If you have that sort of data you should have two machines one for working only with the data the other a netbook etc for browsing and email etc.
I've got a little script I wrote somewhere that locks the screen when a particular bluetooth device was no longer detected. Set it up to look for your phone, and if somebody does snatch the laptop then as soon as it's ~10 meters away the screen locks on the thief.
Many notebooks have integrated cameras. One could create a software which locks the computer if the user disappears from the camera for more than a few seconds. But in most cases locking when the notebook gets closed should be enough as running with an open notebook is annoying.
The most critical point is the locking itself. It should remove the key from RAM, so probably only hibernate is an effective lock on laptops with wholedisk encryption.
I don't think it really matters. In case the laptop locked while snatching it, the attacker could return to his vehicle, boot his own laptop, connect it through firewire to the snatched one and overwrite the windows authentication library in memory ( as described here http://www.friendsglobal.com/papers/... )
For years I've had a small device that I carry discreetly on my person; it broadcasts to a USB dongle that automatically locks the computer if I step (or it is snatched and carried away) more than about 8-10 feet from the system. If the USB dongle is removed the system is also locked, of course.
@Tim W.: Not if it self-destructs. ;)
That assumes that a) the laptop has windows and b) the laptop has firewire or other DMA enabled device externally accessible and is enabled to allow it (ie firewire needs a driver on linux iirc)
Once you start getting to the point where you need custom hardware (ie a custom pci express card or opening the laptop and jacking into the mini-pci slot the wireless is plugged into it starts to look like a lot more trouble to theives (I'm not saying they wont since if the data is important enough to hijack the laptop while in use then this is a fairly low hurdle, but you start adding more and more variables into the mix any of which could stop the theft in its tracks...)
The most effective solutions are posted by Graham Cox and B. Real.
The problems with physical links are:
* ability of thieves to cut the link like they do with some purse straps
* you might be injured by the link jerk or by the fall when pulled when the link is pulled
I suggested something like this when Bruce posted a story about a forensic kit that included a USB program that jiggled the mouse to prevent the screen saver from activating.
What's the problem with simply attaching the laptop to yourself with a cable so that they can't snatch it without pulling your arm off?
"What's the problem with simply attaching the laptop to yourself with a cable so that they can't snatch it without pulling your arm off?"
Because then the laptop thieves will escalate to pulling the arms off of their victims.
Not only will you be disarmed, but then the laptop thief will also be able to bypass any fingerprint reader (assuming that your hands are attached to your arms, which are no longer in your possession).
Does locking the laptop though give you the piece of mind that your data is secure? Surely ensuring the data has been removed from the device is a better option? There are tools out there that do that like our BackStopp solution?
We even have a "deads man handle" should they enter the wrong password. Once the device is dead, depending on connections we can report the death of the data!!!
I can't locate the article right now but I recall reading (some months ago) about a couple of researchers who were able to plug in a cd/usb/etc. with some custom software and retreive a fairly intact chump of RAM from before the system was shutdown since DRAM does not immediately loose all it's state when powered off. They pulled a coherent enough dump to get passwords after quite some time powered off (15 minutes or so I believe). More than enough time to snatch, power off, power on , and dump. Anyone else remember this research?
I prefer good crypto over an erase function which does not get triggered by advanced attackers.
@W about cameras...
Perhaps there is a reason to have "face recognition software" on our PCs along with an ability to recognize changes to one's face due to motion and emotion so a cardboard cutout can't fake it out.
"They pulled a coherent enough dump to get passwords after quite some time powered off (15 minutes or so I believe). More than enough time to snatch, power off, power on , and dump. Anyone else remember this research?"
I believe I have read that, but if I remember correctly they had to freeze the memory to minus something degrees celcius to be able to that. So probably the attacker will have some trouble keeping it cool while reading the data of the memory ;-)
What sort of neighborhood coffee shops do you all compute in where laptops are stolen from you while you're typing? This discussion reminds me of a picture in National Geographic a decade or two ago of a soldier guarding a food shipment with his rifle chained around his waist.
It seems to me the laptop snatcher is not after the data. The odds would indicate to me the thief is rather just after the laptop itself. It would seem to me that using BitLocker or TrueCrypt volume encryption, in combination with the Bluetooth-out-of-range machine lockup/reboot trick and a BIOS password would protect the data sufficiently from a laptop thief. If you're being targeted because of the data you're carrying, then you probably shouldn't be carrying the data on a laptop in a coffeeshop.
That script of yours sounds really interesting, would you be willing to share it?
Nobody has mentioned a GPS lock. BEHEMOTH used to 'notice' when it was moved while 'locked', and would call local authorities and say "I am a bicycle and I have been stolen"
Although I guess this wouldn't prevent your laptop from being snatched while you're working on a train or bus.
Well this may not protect the TSA from accessing your files, but it would be nice to get a photo of the person doing the searching:
And if they take your laptop for whatever reason you would be able to track where it goes, as the Gadget Track software gets the location of the device via wi-fi networks.
What a coincidence! I will be starting a company called EmployeeTrak tomorrow; which is to say, for the irony impaired, that software which can spy on a thief can also spy on an owner.
Here is another "terrorist" found with weed killer, fire lighters, tennis balls....
At this rate... what would someone found with a cup of crude oil, fire lighters, and a bottle with a rag plug be called?
"Lewington, 43, was arrested at Lowestoft station in Suffolk last year after abusing a female train conductor. He was found to be carrying the component parts of two "viable improvised incendiary devices", the court was told.
Later searches of his home revealed a notebook entitled Waffen SS UK Members' Handbook, containing drawings of electronics and chemical mixtures.
Brian Altman QC, prosecuting, said: "The effect of these finds is to prove that this man, who had strong if not fanatical rightwing leanings and opinions, was on the cusp of embarking on a campaign of terrorism against those he considered non-British."
Lewington, who lived with his parents in Tilehurst, Reading, Berkshire, is accused of preparing for terrorism by having bomb parts in a public place.
He also faces two charges of having articles for terrorism including weedkiller, firelighters and three tennis balls, plus two charges of having documents for terrorism and another of collecting information for terrorism.
Two further counts allege he possessed an explosive device "with intent to endanger life" and that he had explosives, namely weedkiller."
I immediately thought of a proximity device (whether BlueTooth or otherwise) that is somewhat non-obvious to a potential thief but the following questions come to mind: (1) What exactly is supposed to happen if the laptop and the proximity device cease communication? (2) Does the laptop begin executing a scorched-earth self-destruct sequence and how would you stop such a process if the proximity device malfunctioned?
It would be even more interesting if a self-destruct sequence could jack up the BIOS so that the lapper would be completely useless to the thief as well... but not so funny if a black-hat passerby could trigger your laptop's self-destruct sequence while you're using it.
Did you mean to post your comment in this thread? It seems quite out of place in a laptop theft discussion.
I wrote a python app that runs in the background and shuts down my laptop if it loses the bluetooth connection with my phone. Range is about 10m indoors, have not tested outside.
"... broadcasts to a USB dongle that automatically locks the computer if I step (or it is snatched and carried away) more than about 8-10 feet from the system."
Does it lock when the dongle gets more than 20ns away, round-trip?
Or do it they do it the cheap way, based on signal power?
"Because then the laptop thieves will escalate to pulling the arms off of their victims."
after bypassing the fingerprint reader they sell the hand (finger by finger) to a hitman or other organised crime. police has to fight a new black market. if you "lose" a finger, you become a risk for national security.
the stolen arm is also interesting for cyborg-research;)
IBM has announced a feauture for certain models of its Thinkpad to support "Constant Secure Remote Disable", where you can send a text to disable a stolen laptop.
This is covered in Engadget below:
There's an application for Linux, called 'blueproximity', that will execute a program of your choice (say "shut down the computer", or "lock the system", or whathaveyou) once a specific bluetooth device gets out of range. You can use this with your cell phone.
As a concept, it's pretty good; but when I tried it out a few years back, the implementation wasn't entirely perfect -- sometimes it would lock my system when I was still working on it. I guess detecting bluetooth devices isn't foolproof.
In case you care: http://blueproximity.sourceforge.net
What happens when the attacker takes your laptop and your bluetooth phone?
@ wouter verhelst,
"sometimes it would lock my system when I was still working on it. I guess detecting bluetooth devices isn't foolproof.
One of the problems with Bluetooth is that it is a Low Power Radio device working in the Industrial Scientific and Medical (ISM) unlicensed spectrum around 2.5GHz.
Unfortunatly so do microwave ovens, car alarms, garage openers, WiFi, baby alarms, CCTV, etc, etc, etc.
Owning both a Spectrum Analyser and Wideband IQ Test Receiver, and ocasionaly having to do development work close to the ISM band I'm constantly amazed that anything actually works in it any longer...
Any proximity device based in 2.5Gig ISM band is going to have a few problems to put it mildly...
Actually I think the occasional Kensington Lock around your wrist/leg/table probably counters the act of snatching much more directly. Without disturbing your relaxing sip of coffee every 30 seconds or putting you under the stress of observing a ticking clock all the time.
Or the above blueproximity idea would suffice to have some dead-man switch without looking like special agent Fox transporting the passwords to Fort Knox.
But remember, the original problem was the snatch, not the encryption.
Not to derail the discussion, but the best defense against this is of course not to have any sensitive data on your device. I happen to live in a high-wireless area, plus have a 3G card, and have switched almost entirely over to using a Redfly (celiocorp.com) Windows Mobile terminal device as a mobile dumb terminal.
It pairs with my phone and has no data or storage on it at all - just provides a larger screen/keyboard. From there I generally use RDP or LogMeIn and do all my work on remote systems. All a snatch and grab is going to get the thief is a (still usable) brick once he gets out of Bluetooth range.
I know there are a million objections here, and one then also has to worry about wireless security (if not encrypting the remote session) and lack of wireless. But really, for a mobile professional in an urban environment I feel overall this is a better strategy.
Regarding the idea of having a smart card which must be inserted: good in theory, but with two practical problems. One, what if you forget your card that day? (It is for this reason we have not yet begun using our smart cards this way at work.) And two, just because it's tied to your belt does not mean someone can't grab it, yank, and run. For this reason my method of countering the threat is two-fold. I regularly do cardio work, and I lift weights. That way, if someone steals my stuff, I can chase him down and beat the hell out of him.
Hmnn, only Idea I could have is making the laptop cold shutdown automatically if the cap is closed (which at least is possible with ubuntu and should most certainly in windows) and have an encrypted drive for the precious information.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.