Schneier on Security
A blog covering security and security technology.
August 28, 2009
The Security Risks of Accepting Free Laptops
The U.S. Federal Bureau of Investigation is trying to figure out who is sending laptop computers to state governors across the U.S., including West Virginia Governor Joe Manchin and Wyoming Governor Dave Freudenthal. Some state officials are worried that they may contain malicious software.
Posted on August 28, 2009 at 12:27 PM
Forget malicious software - how about malicious hardware? The deeper down you go, the stronger your access. Running legitimate software on malicious hardware results in compromise every time.
Vermont, West Virginia, Wyoming. I see a pattern, but they left out Virginia, Washington, and Wisconsin.
If it were a malware distribution, why not go the cheaper way and simply send CDs like these guys?
They are not trying hard enough. I am sure you can get someone to pay you for infected laptops!
Notion of malicious hardware has me thinking, even if nothing obviously out of sorts is found, what sort of attacks might be possible using stock hardware with known vulnerabilities?
Might just be an aggressive lobbyist, which is also usually a malicious ploy that only benefits the lobbyist, and the recipient of the gift, bleeding the rest of us dry.
Infected CDs are too likely to be thrown out or treated with suspicion. You really want to infect, send out infected "free gift" thumb drives. Have some 2GB thumb drives printed up with some tech magazine's logo on it, install autorun malware, put it in an envelope with a phony "try our magazine free for 6 months, here's our free gift to you whether you decide to accept our offer or not."
People can't pass up a neat toy for free.
Turn off autorun, people. First thing when you get a new machine. Install TweakUI and shut it all down.
I would have to agree with the first commenter, definitely check the hardware. Software would be too easy to format away, someone investing the cost of 5 laptops would want better odds.
@JRR: "Turn off autorun, people. First thing when you get a new machine. Install TweakUI and shut it all down."
I think things like autorun should be off by default. Cars don't have the airbags off by default.
Then again, personal computers and O/S get sold more for usability than security. One more reason for governments and organizations to use their massive purchasing power to provide incentive for security. Of course, the "lowest bidder" logic contradicts this.
Were the laptops running Linux? ;)
Given an opportunity like this, I would use it as sort of a honeypot. Process some bogus information and see if it can be traced to a perpetrator.
I remember a story of a couple that had trouble with their home being robbed when they were out of town. So they planned a trip as usual, then hid in the home and caught the thief in the act. Not as simple with a laptop, but probably doable.
Sounds like a lot of fun, but probably not as much fun as doing a comprehensive assembly-level review of all of the code in firmware :)
And don't just check the hardware for its malevolent computing potential: I can think of several forms of bio- or chemical-malice that could easily be disguised as a rather plump 'electrolytic capacitor' on a laptop's motherboard.
The article is light on detail, but it sounds like the laptops came directly from HP. See the top of page 2.
Perhaps this is just a poorly executed attempt at stealing some laptops? Somehow get them fraudulently delivered to the state and pick them up before it's figured out. That's an old one...
Sounds like a lot of people are attributing a very sinister motive to something that is likely some sort of scam or hack. Maybe someone hacked the ordering system for HP or has been managing to intercept previous orders with state controllers just paying the invoice without questioning it. I would be looking for purchases being billed to mayors of larger cities.
That is a pretty simple explanation, but why governors? And what's up with the geography?
Or maybe someone civic-minded just looks at the legislation being passed these days, and suspects that the highest levels of government might not have ever seen a computer before, and wanted to help enlighten them.
I wouldn't assume these were nefarious. I would just send them back. No need to involve the police. This sounds to me like a huge waste of resources for what will turn out to be some individual or company trying to help out the government.
God forbid they find malicious hardware on these things. The idiots in government will end up with $500 laptops that the taxpayers pay $5000 for.
I'm moderately impressed that these bureaucrats realized *before* they hooked them up that they hadn't ordered them.
Harry, remembering that Westminster had a standing (daily? weekly?) order for a gross of "good wax candles" that wasn't cancelled till the 1990s. Those who received the candles knew that they were building up, but those who managed orders somehow had lost that one.
@David, the article mentioned 3 states by name, Wyoming (50th), West Virginia (27th), Vermont (49th) which occur alphabetically last but are also small in population leading me to believe that the governor's office and IT support actually may talk to each other and question the purchase of something sent to the governor's office. I would think that it would be much more likely to be questioned in a smaller organization (like the governor of a state of 500,000) than in a larger organization. Either this, or it is easier to re-route a delivery sent to a large organization. I would look at both the courier that delivered the laptops and the original vendor that the machines were shipped to (if not shipped directly from HP).
As this is always about financial gain, I think it's more likely that a company operating in those states is the cause.
I would imagine lobbyists, investigative journalists, or companies with large contracts at stake would consider this kind of intelligence gathering very lucrative.
Bruce - can you pull some strings and get one?
Considering your previous posts, putting it on Ebay would be hilarious :-)
Are these governors sure they hadn't just lost the laptops at some earlier point in time with all of their states' residents' info on them, and then someone found the laptop and gave it back?
It already happens. It's called Dell, HP, Sony, Toshiba, etc.
In my language, "some sort of scam or hack" _is_ sinister. That's like saying "a lot of people are attributing a sinister motive to what is probably just some sort of armed robbery" or "you're attributing some sort of sinister motive to what was probably just a random mugging."
If you mean they're assuming more cleverness, that's one thing, but scams are sinister, as are that sort of hack. (This isn't MIT inflating a weather balloon on the field at the Harvard-Yale game.)
I'm willing to entertain the idea that it's a trojan horse, it's a small leap, but possible. ID theft was involved in purchasing the computers directly from HP, and they were sent to the governors' offices. All governors named were Democrats save for the Vermont Republican.
If it was a simple scam, you'd have to assume that the pickup was intended to happen at the distribution point. However, that leaves this question open: if pickup happens at the distribution point, why would the shipping addresses be chosen so they're guaranteed to raise flags?
Political operators pull these sorts of stunts all the time, but I'd be ready to discount the political question if there are found to be 40*5 other laptops missing in transit sent to other states.
Before reading the AP article, I was ready to suppose that the anomaly in this situation might be new governors who didn't yet understand that they're allowed to just accept favors whenever they're offered. When the context is politics and the question is gifts, who're you gonna naturally assume is involved?
I'd bet it's just teenagers playing in the online fraud arena for the first time and having a lark.
If they really are trying to introduce a compromised computer (hardware or software) they sure as heck won't be so foolish to make it every computer they send. You send out 50 laptops, 48 of which are perfectly clean and wholesome. The other two you send compromised machines to your targets of interest.
Do you think the FBI will inspect all of the laptops or do you think they will get bored and let a few slip through? If you are an attacker, you are betting they get bored.
It's the razor blade in the cotton candy trick.
@Harry: "I'm moderately impressed that these bureaucrats realized *before* they hooked them up that they hadn't ordered them."
Yup. Three government bureaucracies noticed ... that probably means that the other 47 have hooked up their laptops and compromised their networks :-(
On the optimistic side the other 47 may have such inefficient shipping departments that the nefarious devices are still waiting to be unpacked.
My use of scam or hack was to indicate that I believe that this situation resulted from someone trying to deprive the rightful owner of the laptops through some sort of fraud or deceit, or someone else trying to prove that they could obtain laptops under false premises.
I would not equate this sort of property theft to an "armed robbery" or some sort of sinister act.
I also have seen in the various accounts of this that some unnamed state officials are saying that this could have been an attempt to penetrate the state computer network. This explanation for the unexplained laptops appears to be a bit of a stretch when there are so many other ways of attacking a state network.
True. A lot of civil servants are doing it wrong, don't know any better, and don't care.
I can just imagine that they're all pre-loaded with (hidden) kiddie porn in the recovery partition.
It's always some hidden cost.
The Moon Is a Harsh Mistress. She's real bright though. Keep us Posted.
The recipients should just re-partition the hard drives and install Debian or Ubuntu or Red Hat. Any pre-installed malware ceases to exist when you make a new ext3 file system out of the disk space it occupied.
Apparently it involves some sort of identity theft. This story indicates they were bought with credit cards opened in the name of the governor.
. . . or maybe Nicholas Negroponte is branching out: One Laptop Per Governor.
@Nostromo: I've heard of BIOS-level infections that aren't going to be gotten rid of just by reformatting the hard disks. I don't know if any are in actual use yet.
Just imagine – what if I was working for a local government agency and I had access to (or knew of) the laptop ordering process and I wanted one of my own? If I just ordered one then tried to steal it when it arrived I would probably get caught. If I ordered lots of laptops and had them delivered to lots of different places then perhaps my personal order would be lost in the general confusion.
Hackers, cyber-criminals and cyber-terrorists are not dumb usually (although their targets are often naive). Any incident that draws attention to itself is unlikely to be a genuine hack.
Actually, I'm pretty amazed that the first thing to cross the FBI's minds is malware. No mention of anthrax or explosives. So the terrorism scare IS on the way down?
My HP laptop came with Vista on it. That's reason enough to give it away.
This is no surprise.
I am glad to see that people are not falling for such naive tricks.
I couldn't help but laugh at Bob's comment, but what Bruce is saying is 100% true...
Does anyone remember those fake Cisco routers that govt. contractors purchased last year? Big story that quickly went away, but while the devices worked it seemed that many of those helping with the investigation felt that there were some "value added features" incorporated into the hard wiring of the network devices.
What's the old adage? Once you've given up physical access controls, you've probably given up most everything else? I don't know how true that is, but my opinion is that if the machine comes to you compromised via the HW, you might not know about it until it's too late.
I can't help but think of another completely low-tech attack.
What if these devices are simply stolen notebooks? The political embarrassment of accepting stolen property as a gift would be quite severe I should think, and it is hard to deny. A quick phone call to a news reporter once the computers have been confirmed as in possession of the target should do the trick.
All the mentions of compromised hardware seem to be oriented on information theft, or things along those lines... IMO, it'd be much easier - and cheaper - to rejigger the battery and charging circuit to produce a nifty little toxic time bomb. Normally, there's quite a bit of effort made to ensure the batteries don't go boom, but what man can do, man can undo...
"Normally, there's quite a bit of effort made to ensure the batteries don't go boom, but what man can do, man can undo..."
Batteries normally don't go "boom" for a lot of reasons, some of them chemical, some physical; when they go wrong they tend to be more likely to catch fire.
Although you could probably stop up vents and short out fuses the basic design of the battery is not going to be that different.
Even if you could make them go "boom" how much damage are they going to do?
Then there is the minor question of how do you arrange for it to go "boom" when your target is actually near it?
From the "boom" point of view I'd be a lot more worried about somebody putting a thin layer of plastic explosive behind the screen or some such, than trying to make the battery go "boom".
@Clive Robinson: Lithium ion batteries that "go boom" can do quite a lot of damage. In the early 90's my company showed us a safety video that demonstrated one of the batteries we used in our handheld devices, being cooked off under controlled conditions. The reaction was extremely violent. (One moment you've got a battery in a small electronic device behind a plexiglass shield; moments later there is nothing there but smoke and flaming debris and scorch marks all over the plexiglass). The best part was a very noticeable mark in the plexiglass where the battery cap had hit it. A "cap and nail expulsion" is when the metal cap on the end of the cylinder, together with the innermost metal component (the nail) are fired out of the battery by the force of the explosion. If it happens to be expelled in the direction of your flesh, that is going to be a bad thing.
Lithium ion batteries are unsafe to charge with generic equipment. Consumer devices with rechargeable li-ion batteries in them have custom-designed charge circuits that are tailored for the specific properties of the batteries they use in that device. The charge circuit is critical to the safety of the device, because it has to accurately detect when the battery is fully charged. That's one of the reasons why mobile phone manufacturers, etc. go to such lengths to prevent "counterfeiting" of their batteries--their charge circuits were designed and tested with the 1st-party batteries, but if you stick some random 3rd-party battery in there, there is the possibility that the charge circuit will overcharge it and cause it to explode. It's not simply a scam to sell more 1st-party batteries at inflated prices, believe me.
I guess it's true that most batteries that overheat or are charged incorrectly will just catch fire and ruin the device they are a part of. But some types of battery (especially li-ion) under some conditions, can also explode, and you don't want to be anywhere near them when that happens!