How can I verify whether my new laptop has been tampered with?
7 points by ds9 on Dec 31, 2013 | 11 comments
According to the news, the US government has intercepted laptops during delivery and installed surveillance kits or trojans. For example: http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html

My online activities may have attracted attention from USG (eg. looking at Al Jazeera, presstv and technical forums), and my new laptop, a Lenovo Thinkpad, was delayed a long time in customs. What should I look for to verify it has not been tampered with?

Immediately upon receiving it, I replaced the default commercial-ware with Linux, so I am not concerned about the OS or applications. However, I'm wondering:

* how to tell whether it's been opened after the factory

* what parts can be opened "safely" meaning without breaking anything

* what to look for on the inside

* how to verify the BIOS is untampered




You can't really verify for sure. Well, unless they did something and goofed. You would need a team of experts to examine everything from the various firmwares and microcontrollers and microcode to the OEM "tamper-proof" labels, which can almost assuredly be counterfeited and placed by NSA.

It would be less work to just maintain multiple computers for separate, distinct tasks (eg. one for browsing Al Jazeera, one for PressTV, etc).

Oh, you'll also want separate Internet connections in highly diverse geographic locations (lots of plane tickets? no, those can be tied back. Tor? Nope, that's just pseudonymous. Multiple VPN connections? Who knows anymore).

Some additional thoughts:

1) Who's to say all Thinkpads (or whatever) aren't backdoored from the factory, perhaps without Lenovo's knowledge?

2) Perhaps buying your gear off of Craigslist from someone who is in a demographic highly unlikely to get the attention of NSA (eg. a white, blonde, college girl who doesn't follow politics, activism, or world news). See if she'll throw in some glitter nail polish.

See what I'm getting at? It's futile.


w̶h̶i̶t̶e̶,̶ ̶b̶l̶o̶n̶d̶e̶,̶ college g̶i̶r̶l̶ student who doesn't follow politics, activism, or world news


My suggestion is that you ask this question at security.stackexchange.com , also browse the website for similar questions already answered.

My answer: A laptop usually can trivially be taken apart completely and then put back together without any signs of the operation remaining, internally or externally. Same thing with smartphones. Checking BIOS integrity usually isn't possible without specialised physical tools.


Thank you! Found this so far: http://security.stackexchange.com/questions/7203/checking-if... - and it's not very encouraging. The answers there assume that the now-owner has access to a "clean" state of the machine to compare a later condition with - but the problem situation, and the reality for everyone today, is evaluating the condition when it's first received.


One tactic amongst several that might be part of a strategy:

Put it behind an open source router (using as open a router as possible, e.g. an older PC you can physically examine and whose BIOS you can flash).

Then use the laptop for a while on non-critical (but perhaps "interesting") activity and accounts, and monitor via your router whether it attempts to "phone home" or engage in other suspect communication.

----

Of course, log anything suspect, and if/when you determine something is going on, find a different and secure path via which to tell us about it!
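The monitoring step in the post above (watch from the router whether the laptop "phones home") is easiest when the router's firewall logs every new outbound connection and something sorts those lines by destination. The following is an added example, not code from the thread or from any router project: it parses constructed log lines in the style of the Linux netfilter LOG target, keeps only connections originating from the laptop's LAN address, drops destinations you have deliberately allowlisted, and reports what is left, including whether a destination was contacted at a regular interval, which is a crude beaconing indicator. The addresses, the `FWD-OUT` log prefix and the allowlist are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of netfilter (iptables LOG target) output
# as a Linux-based router would write them to syslog. Addresses are taken from
# the RFC 5737 documentation ranges; nothing here is a real observation.
SAMPLE_LOG = """\
Dec 31 02:14:07 router kernel: FWD-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=203.0.113.45 PROTO=TCP SPT=49211 DPT=443
Dec 31 02:14:09 router kernel: FWD-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=203.0.113.45 PROTO=TCP SPT=49212 DPT=443
Dec 31 02:31:40 router kernel: FWD-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=UDP SPT=51020 DPT=53
Dec 31 03:00:01 router kernel: FWD-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=192.0.2.77 PROTO=TCP SPT=60110 DPT=8443
Dec 31 03:00:31 router kernel: FWD-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=192.0.2.77 PROTO=TCP SPT=60111 DPT=8443
Dec 31 03:01:01 router kernel: FWD-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=192.0.2.77 PROTO=TCP SPT=60112 DPT=8443
Dec 31 03:05:12 router kernel: FWD-OUT IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=192.0.2.77 PROTO=TCP SPT=40001 DPT=8443
"""

# Hypothetical allowlist: (destination, protocol, destination port) triples the
# laptop is expected to talk to, e.g. the web site you are browsing and the DNS
# resolver you configured. Everything else is reported.
ALLOWED = {
    ("203.0.113.45", "TCP", 443),
    ("198.51.100.9", "UDP", 53),
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def parse_flows(log_text):
    """Return (timestamp, src, dst, proto, dport) for every line that looks like
    a netfilter connection log entry; unrelated syslog noise is skipped."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
        flows.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return flows


def suspect_destinations(log_text, laptop_ip, allowed, min_hits=3, max_jitter=5.0):
    """Group the laptop's outbound connections by (dst, proto, port), drop the
    allowlisted ones, and describe the rest. A destination contacted at least
    min_hits times with nearly constant spacing (std. dev. of the gaps below
    max_jitter seconds) is marked periodic, the pattern an automated
    check-in tends to produce and a human browsing session does not."""
    by_dst = defaultdict(list)
    for ts, src, dst, proto, dpt in parse_flows(log_text):
        if src != laptop_ip or (dst, proto, dpt) in allowed:
            continue
        by_dst[(dst, proto, dpt)].append(ts)

    report = []
    for (dst, proto, dpt), stamps in sorted(by_dst.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(stamps) >= max(min_hits, 2) and statistics.pstdev(gaps) <= max_jitter
        report.append({
            "dst": dst, "proto": proto, "dport": dpt, "hits": len(stamps),
            "periodic": periodic,
            "first": stamps[0].strftime("%H:%M:%S"),
            "last": stamps[-1].strftime("%H:%M:%S"),
        })
    return report


if __name__ == "__main__":
    for entry in suspect_destinations(SAMPLE_LOG, "192.168.1.23", ALLOWED):
        flag = "PERIODIC" if entry["periodic"] else "        "
        print(f"{flag} {entry['dst']}:{entry['dport']}/{entry['proto']} "
              f"hits={entry['hits']} first={entry['first']} last={entry['last']}")
```

The allowlist is the weak point of this approach: anything you add to it is invisible, so keep it to the handful of destinations you actually intend to use during the test period and let the laptop sit idle for long stretches, since traffic that appears while nobody is using the machine is the interesting kind. A single unexpected hit is usually just an OS update check or NTP; a destination that keeps reappearing on a fixed schedule is what deserves a closer look.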


Not sure this is plausible. You'd need clarity to all the sourced parts and entire supply chain and logistical chain. Then complete oversight over the assembly and logistics. I'm guessing that backdoors are really inserted at the firmware level (in most cases) and therefore you'd need the ability to flash new firmware with valid signatures and checksums straight from the manufacturer but you'd probably want an independent audit of said firmware.


I agree that there is a theoretical scenario that all the production line are trojaned, or that Lenovo is cooperating with the customer's adversary at assembly time. However, my question was intended for what is more likely the practical situation today: that only a subset of computers get the treatment, and that it is applied after the factory, as per the recently liberated information.

Apparently I do need to look into the whole "verifying firmware" area. Maybe I'll try to compare checksums and other data with other owners of the same model and BIOS rev, on a suitable forum.
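Comparing BIOS checksums with other owners of the same model and revision, as the post above proposes, runs into one practical snag: a whole-image hash of a flash dump almost never matches between two machines, because the flash also holds NVRAM variables, serial numbers, the MAC address and similar per-unit data. What is comparable is the rest of the image once those regions are masked. The following is an added example, not code from the thread: it compares two dumps chunk by chunk, reports the byte ranges that differ, and computes a digest with a given set of expected-variable regions zeroed so that two owners can exchange a number that should agree. The images and the "expected NVRAM" region list are constructed for the example; on a real machine the layout comes from the vendor's flash map or the dump tool, and the dump itself should be taken with an external programmer on the flash chip, since firmware that is already modified can present a clean image to software that reads it through the running system.

```python
import hashlib

CHUNK = 4096  # compare in 4 KiB chunks; flash layouts are page-aligned anyway


def make_image(size, seed):
    """Constructed stand-in for a dumped firmware image: deterministic
    pseudo-random bytes derived from a seed, so the example runs offline."""
    out = bytearray()
    while len(out) < size:
        out += hashlib.sha256(seed + len(out).to_bytes(4, "little")).digest()
    return bytes(out[:size])


def differing_ranges(img_a, img_b, chunk=CHUNK):
    """Return merged [start, end) byte ranges of the chunks in which the two
    dumps differ. Dumps of different sizes are rejected outright: they are
    not dumps of the same flash part and comparing them is meaningless."""
    if len(img_a) != len(img_b):
        raise ValueError("dumps differ in size; compare dumps of the same flash part")
    ranges = []
    for off in range(0, len(img_a), chunk):
        if img_a[off:off + chunk] != img_b[off:off + chunk]:
            end = min(off + chunk, len(img_a))
            if ranges and ranges[-1][1] == off:   # extend a run of adjacent chunks
                ranges[-1] = (ranges[-1][0], end)
            else:
                ranges.append((off, end))
    return ranges


def outside_expected(ranges, expected):
    """Return the differing ranges that are not fully contained in one of the
    regions expected to vary between units (NVRAM, serials, MAC). Anything
    returned here is a difference in code or data that should be identical."""
    return [
        (s, e) for s, e in ranges
        if not any(es <= s and e <= ee for es, ee in expected)
    ]


def digest_excluding(img, skip_ranges):
    """SHA-256 of the image with the skip ranges replaced by zeros. Two owners
    who agree on the skip list can compare this value directly."""
    h = hashlib.sha256()
    pos = 0
    for start, end in sorted(skip_ranges):
        h.update(img[pos:start])
        h.update(b"\0" * (end - start))
        pos = end
    h.update(img[pos:])
    return h.hexdigest()


if __name__ == "__main__":
    # Hypothetical per-unit regions, as a vendor flash map might list them.
    EXPECTED_VARIABLE = [(0x5000, 0x6000), (0x9000, 0xA000)]

    owner_a = make_image(64 * 1024, b"constructed-owner-a")
    owner_b = bytearray(owner_a)
    owner_b[0x5010] ^= 0xFF   # differs inside an expected NVRAM region
    owner_b[0x9100] ^= 0x01   # differs inside the other expected region
    owner_b[0x2FFF] ^= 0x10   # differs in a region that should be identical
    owner_b[0x3000] ^= 0x10   # adjacent chunk, merged into one range
    owner_b = bytes(owner_b)

    diffs = differing_ranges(owner_a, owner_b)
    print("differing ranges:", [(hex(s), hex(e)) for s, e in diffs])
    print("outside expected regions:",
          [(hex(s), hex(e)) for s, e in outside_expected(diffs, EXPECTED_VARIABLE)])
    print("digest A (masked):", digest_excluding(owner_a, EXPECTED_VARIABLE))
    print("digest B (masked):", digest_excluding(owner_b, EXPECTED_VARIABLE))
```

A difference that falls outside the agreed variable regions is not proof of tampering, since vendors ship several images under one BIOS revision string, but it does tell you exactly which offsets to pull apart with a UEFI image parser instead of staring at two unequal hashes. The masked digest is the value worth posting on a forum, together with the exact model, BIOS revision and the region list used, so that other owners can reproduce it.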


I'd expect that if a trojan were to be inserted that it will probably want access to all interfaces. I would take extra care at your hard drive interface, USB interface and Ethernet interface. I'd look for JTAG connectors on the boards to see if direct flashing is plausible. I'd also look for damage done from removing them.

Small point, but social sourcing could generate a false positive unless you can verify said individuals' interests.

Of course removing anything placed by warrant is possibly illegal regardless of your position on it. {this isn't legal advice}

I'd also say this would take a significant amount of effort to validate and you're likely to find quasi poor information.


This article might be helpful for what you are looking for... http://www.wired.com/threatlevel/2013/12/better-data-securit...


Though it might not be as helpful in your case.


That's prospective, not retrospective, thanks tho :)
