
How can I verify whether my new laptop has been tampered with? - ds9
According to the news, the US government has intercepted laptops during delivery and installed surveillance kits or trojans. For example: http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html

My online activities may have attracted attention from USG (e.g. looking at Al Jazeera, presstv and technical forums), and my new laptop, a Lenovo Thinkpad, was delayed a long time in customs. What should I look for to verify it has not been tampered with?

Immediately upon receiving it, I replaced the default commercial-ware with Linux, so I am not concerned about the OS or applications. However, I'm wondering:

* how to tell whether it's been opened after the factory
* what parts can be opened "safely", meaning without breaking anything
* what to look for on the inside
* how to verify the BIOS is untampered
======
runjake
You can't really verify for sure. Well, unless they did something and goofed.
You would need a team of experts to examine everything from the various
firmwares and microcontrollers and microcode to the OEM "tamper-proof" labels,
which can almost assuredly be counterfeited and placed by NSA.

It would be less work to just maintain multiple computers for separate,
distinct tasks (e.g. one for browsing Al Jazeera, one for PressTV, etc).

Oh, you'll also want separate Internet connections in highly diverse
geographic locations (lots of plane tickets? no, those can be tied back. Tor?
Nope, that's just pseudonymous. Multiple VPN connections? Who knows anymore.)

Some additional thoughts:

1) Who's to say all Thinkpads (or whatever) aren't backdoored from the
factory, perhaps without Lenovo's knowledge?

2) Perhaps buying your gear off of Craigslist from someone who is in a
demographic highly unlikely to get the attention of NSA (e.g. a white, blonde,
college girl who doesn't follow politics, activism, or world news). See if
she'll throw in some glitter nail polish.

See what I'm getting at? It's futile.

~~~
Bjuukia
w̶h̶i̶t̶e̶,̶ ̶b̶l̶o̶n̶d̶e̶,̶ college g̶i̶r̶l̶ student who doesn't follow
politics, activism, or world news

------
flueedo
My suggestion is that you ask this question at security.stackexchange.com ,
also browse the website for similar questions already answered.

My answer: A laptop usually can trivially be taken apart completely and then
put back together without any signs of the operation remaining, internally or
externally. Same thing with smartphones. Checking BIOS integrity usually isn't
possible without specialised physical tools.

~~~
ds9
Thank you! Found this so far:
http://security.stackexchange.com/questions/7203/checking-if-notebook-is-clean-of-hardware-spyware/7218
\- and it's not very encouraging. The answers there assume that the now-owner
has access to a "clean" state of the machine to compare a later condition
with - but the problem situation, and the reality for everyone today, is
evaluating the condition when it's first received.

------
pasbesoin
One tactic amongst several that might be part of a strategy:

Put it behind an open source router (using as open a router as possible, e.g.
an older PC you can physically examine and whose BIOS you can flash).

Then use the laptop for a while on non-critical (but perhaps "interesting")
activity and accounts, and monitor via your router whether it attempts to
"phone home" or engage in other suspect communication.

----

Of course, log anything suspect, and if/when you determine something is going
on, find a different and secure path via which to tell us about it!

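An added example of the monitoring step described in the comment above; it is not code from the thread. It assumes the gateway logs each new outbound flow from the laptop with an iptables rule such as `iptables -A FORWARD -s 192.168.1.50 -m conntrack --ctstate NEW -j LOG --log-prefix "LAPTOP-OUT "`, and the log lines below are constructed in that format (the prefix, addresses and times are made up). The detection needs no "clean" baseline: it looks for a destination the laptop contacts at a nearly fixed interval, which is what a scheduled check-in looks like against the irregular rhythm of a human browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed iptables LOG lines: one laptop (192.168.1.50) browsing a web
# host and resolving DNS, plus a quiet check-in to 203.0.113.7:443 roughly
# every ten minutes. The OTHER-OUT line is from a different host on the LAN.
SAMPLE_LOG = """\
Dec 30 10:00:00 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40001 DPT=443
Dec 30 10:00:05 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40002 DPT=443
Dec 30 10:00:07 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40003 DPT=443
Dec 30 10:00:07 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.53 LEN=64 PROTO=UDP SPT=50000 DPT=53
Dec 30 10:03:40 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40004 DPT=443
Dec 30 10:10:02 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40005 DPT=443
Dec 30 10:19:58 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40006 DPT=443
Dec 30 10:25:12 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40007 DPT=443
Dec 30 10:26:00 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40008 DPT=443
Dec 30 10:30:01 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40009 DPT=443
Dec 30 10:30:02 gw kernel: OTHER-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40010 DPT=443
Dec 30 10:40:00 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40011 DPT=443
Dec 30 10:49:59 gw kernel: LAPTOP-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40012 DPT=443
"""

# Assumed log-prefix from the iptables rule; only those lines are analysed.
LOG_PREFIX = "LAPTOP-OUT"
_TS = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)")   # syslog timestamp
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")         # the netfilter fields we need


def parse_line(line, year=2013):
    """Return {ts, src, dst, proto, dpt} for one LOG line, or None if it is
    not a laptop flow. Syslog omits the year, so it is supplied by the caller."""
    m = _TS.match(line)
    if not m or LOG_PREFIX not in line:
        return None
    fields = dict(_FIELD.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None}


def find_beacons(entries, min_hits=5, max_cv=0.15):
    """Group flows by (src, dst, proto, dport) and flag groups whose
    inter-arrival times are nearly constant: coefficient of variation
    (stdev / mean) at or below max_cv over at least min_hits connections."""
    flows = defaultdict(list)
    for e in entries:
        flows[(e["src"], e["dst"], e["proto"], e["dpt"])].append(e["ts"])
    found = []
    for (src, dst, proto, dpt), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:            # several flows in the same second: not a timer
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "proto": proto, "dpt": dpt,
                          "hits": len(stamps), "period_s": round(mu),
                          "cv": round(cv, 3)})
    return sorted(found, key=lambda f: f["cv"])


def analyze(log_text, **kw):
    """Parse a whole log and return (entries, suspected beacons)."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return entries, find_beacons(entries, **kw)


if __name__ == "__main__":
    entries, beacons = analyze(SAMPLE_LOG)
    print(f"{len(entries)} laptop flows parsed")
    for b in beacons:
        print(f"periodic: {b['src']} -> {b['dst']}:{b['dpt']}/{b['proto']} "
              f"every ~{b['period_s']}s, {b['hits']} hits, cv={b['cv']}")
```

Run it against a day or more of real logs rather than an hour: legitimate software (package-update checks, NTP, mail polling) also beacons, so every hit needs to be explained by something you installed on purpose, and anything that appears while the laptop is idle, or to an address nothing you run should know, is what to keep logging. A tampered machine could of course also talk only when triggered, so a clean result here rules out a noisy implant, not a quiet one.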
------
grumps
Not sure this is plausible. You'd need clarity to all the sourced parts and
entire supply chain and logistical chain. Then complete oversight over the
assembly and logistics. I'm guessing that backdoors are really inserted at the
firmware level (in most cases) and therefore you'd need the ability to flash
new firmware with valid signatures and checksums straight from the
manufacturer but you'd probably want an independent audit of said firmware.

~~~
ds9
I agree that there is a theoretical scenario that all the production line are
trojaned, or that Lenovo is cooperating with the customer's adversary at
assembly time. However, my question was intended for what is more likely the
practical situation today: that only a subset of computers get the treatment,
and that it is applied after the factory, as per the recently liberated
information.

Apparently I do need to look into the whole "verifying firmware" area. Maybe
I'll try to compare checksums and other data with other owners of the same
model and BIOS rev, on a suitable forum.

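An added example of the checksum comparison ds9 proposes above; it is not code from the thread. It assumes a raw SPI flash dump of the kind `flashrom -r` (or an external programmer clipped onto the chip) produces for an Intel-based ThinkPad, where the first 4 KiB hold an Intel flash descriptor that says where the BIOS, ME, GbE and platform-data regions sit. A whole-image hash is useless for comparing notes with other owners because the ME and NVRAM areas carry per-unit data, so the example hashes each descriptor region separately; the 1 MiB image it builds is constructed for the demonstration, with a made-up "ME" payload standing in for the per-unit bytes.

```python
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A          # Intel flash descriptor magic, at offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]


def parse_regions(image):
    """Map region name -> (start, end_exclusive) using the descriptor's
    region table. Raises ValueError if the signature is not where Intel puts it."""
    if len(image) < 0x20 or struct.unpack_from("<I", image, 0x10)[0] != IFD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4          # Flash Region Base Address (16-byte units)
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        off = frba + 4 * i
        if off + 4 > len(image):
            break
        flreg = struct.unpack_from("<I", image, off)[0]
        base = (flreg & 0x1FFF) << 12            # bits 12:0, 4 KiB granularity
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF   # bits 28:16, inclusive
        if base > limit:                         # unused regions are encoded base > limit
            continue
        regions[name] = (base, min(limit + 1, len(image)))
    return regions


def region_hashes(image):
    """SHA-256 per region: the numbers worth posting alongside model and BIOS rev."""
    return {name: hashlib.sha256(image[s:e]).hexdigest()
            for name, (s, e) in parse_regions(image).items()}


def compare_dumps(mine, theirs):
    """True where a region hashes identically in both dumps, False otherwise."""
    a, b = region_hashes(mine), region_hashes(theirs)
    return {name: a.get(name) == b.get(name) for name in sorted(set(a) | set(b))}


def build_image(bios_payload, me_payload, size=0x100000):
    """Constructed 1 MiB flash image: descriptor | ME | BIOS, GbE and PD unused.
    Stands in for a real dump so the example runs offline."""
    img = bytearray(b"\xff" * size)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x04 << 16)     # FRBA = 0x04 -> region table at 0x40
    flregs = [
        (0x000, 0x000),     # Descriptor:    0x00000-0x00FFF
        (0x080, 0x0FF),     # BIOS:          0x80000-0xFFFFF
        (0x001, 0x07F),     # ME:            0x01000-0x7FFFF
        (0x1FFF, 0x000),    # GbE:           unused
        (0x1FFF, 0x000),    # Platform Data: unused
    ]
    for i, (base, limit) in enumerate(flregs):
        struct.pack_into("<I", img, 0x40 + 4 * i, (limit << 16) | base)
    img[0x1000:0x1000 + len(me_payload)] = me_payload
    img[0x80000:0x80000 + len(bios_payload)] = bios_payload
    return bytes(img)


if __name__ == "__main__":
    bios = b"UEFI-volume-bytes-same-on-every-unit"
    mine = build_image(bios, b"ME-with-unit-serial-0001")
    theirs = build_image(bios, b"ME-with-unit-serial-0002")
    for name, same in compare_dumps(mine, theirs).items():
        print(f"{name:14s} {'same' if same else 'DIFFERS'}")
```

Two caveats for real dumps. First, read the chip twice and make sure the two reads agree before hashing, and remember that on a UEFI machine the variable store (NVRAM) usually lives inside the BIOS region, so even that region will differ between owners unless you go one level further and hash the individual firmware volumes. Second, a dump taken by running flashrom on the suspect machine goes through the suspect machine's chipset and OS; a programmer clipped onto the chip is the only read that doesn't depend on the thing being checked, which is the "specialised physical tools" point made earlier in the thread.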
~~~
grumps
I'd expect that if a trojan were to be inserted that it will probably want
access to all interfaces. I would take extra care at your hard drive interface,
USB interface and Ethernet interface. I'd look for JTAG connectors on the
boards to see if direct flashing is plausible. I'd also look for damage done
from removing them.

Small point, but social sourcing could generate a false positive unless you can
verify said individuals' interests.

Of course removing anything placed by warrant is possibly illegal regardless
of your position on it. {this isn't legal advice}

I'd also say this would take a significant amount of effort to validate and
you're likely to find quasi poor information.

------
dvdand
This article might be helpful for what you are looking for...
http://www.wired.com/threatlevel/2013/12/better-data-security-nail-polish/

~~~
dvdand
Though it might not be as helpful in your case.

