You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system. When computers are restarted, the motherboard firmware can wipe the …

  1. Anonymous Coward

    Again,

    This is *old* news.

    Truecrypt mitigated this "attack" as does using a BIOS (BIOS!!, FFS it's all UEFI now) boot up password or BIOS setting password. And physically turning the machine off also dealt with this.

    Or is this some new kind of attack based on these old principles?

  2. tip pc

    Re: Again,

    How many people turn their machine off?

    I’ve always put it in sleep or hibernate and now get nagged that I’ve not rebooted in a week and the machine goes ahead and reloads when I least expect it as per company policy.

    I don’t shutdown so I can restart where I left off the next day. Mac OS handles reloads by putting you back where you left off. It’s weird that windows can’t match that functionality.

  3. Anonymous Coward

    Re: Again,

    It does, with Hibernate, and has for decades or thereabouts (I used it at least on Win2000, but I'd heard of it before that).

  4. Oengus Silver badge

    Re: Again,

    How many people turn their machine off?

    I, personally, always shut down the PC when not in use. Yes it is a bit of a pain having to wait for the PC to boot but with SSDs that time is dramatically reduced.

  5. onefang

    Re: Again,

    "How many people turn their machine off?"

    I do. Or rather I don't use any sleep or hibernation modes in anything. On the other hand, I don't like laptops much, but I do use a couple that belong to others regularly, and I turn them off when I'm done.

    I'm wondering why they didn't tell Linux and BSD people about this, only Apple, Intel, and Microsoft? Even AMD was left out in the cold (pun intended). Of those couple of laptops I mentioned, one is Linux only, the other dual boots Linux and Windows.

  6. darklord

    Re: Again,

    always shut down as my laptop running win7 takes 10 mins to come out of hibernation or sleep mode, whereas from cold less than a minute

  7. big_D Silver badge
    Black Helicopters

    Re: Again,

    I was talking to a friend recently and he had the Federal Office for the Protection of the Constitution visit him. And in a general discussion, they gave some advice.

    Their advice was, if a computer gets compromised and it has UEFI, shred it. Don't bother trying to do a clean install, because you can never be 100% sure they haven't slipped something into the UEFI. You can't just throw out the old drives and put new ones in any more. Likewise, even updating the UEFI isn't a 100% guarantee.

    Similarly, he was advised that if you are visiting certain foreign countries, you shouldn't take a laptop or phone with you, or rather just a burner phone and laptop with no sensitive information on them and throw them in the bin when you return.

    And I thought I was paranoid!

  8. big_D Silver badge

    Re: Again,

    @AC

    No, Hibernate isn't the same as restoring a session after the OS restarts the PC to install updates. Yes, Hibernate, suspend to RAM etc. brings the PC back up to where it was when it was suspended / hibernated, but that doesn't help if the PC is rebooted.

  9. Fatman
    Linux

    Re: Again.. How many people turn their machine off?

    At my former employer - it was mandated that desktop machines be shut down at the end of the day.

    If it isn't powered up, then it can not be pwned during the overnight/weekend hours.

    This policy arose from an incident where an executive left his machine on, and it was infected with malware. Those behind the attack had the whole weekend to surf our internal network. Cleaning up the mess was one of the reasons why we ditched Windows, and went to Linux. The other being a nastygram from the BSA that was quite costly.

  10. Mage Silver badge
    FAIL

    Re: Again,

    Madness.

    I shut down. It takes about a minute to boot Linux. My old (2002) XP laptop boots in under a minute, or did last year (converting some PSP7 to Photoshop format for The Gimp). Making a cuppa or even fetching chilled fizzy water takes longer than a cold boot even with a mechanical HDD. Unless you have an "out of the box" Windows with every service on and a load of nonsense autorunning in Startup etc. I've pared a Win7 boot on HDD from 2min 45sec to 20 sec.

    I also unplug all chargers overnight. One of the highest fire risks. I can easily recharge any of my gadgets between early evening and bedtime.

    Linux CAN start off (and to a limited extent, Windows) where you were from a cold boot. I decided over 10 years ago that this was a bad idea. I can easily get back the documents, web pages and emails I was looking at. All those programs store state on exit (or periodically in case of a crash). Notepad++ on WINE on Linux opens all the documents. If you use native format instead of MS, LibreOffice remembers your location.

    Use case for hibernation is when running out of battery suddenly and no time to save. Sleep MAYBE to carry from desk to desk?

    Sleep has always been insecure and also unreliable for peripherals, esp WiFi.

  11. onefang
    FAIL

    Re: Again,

    "Their advice was, if a computer gets compromised and it has UEFI, shred it."

    So much for being more secure.

  12. vtcodger Silver badge

    Re: Again.. How many people turn their machine off?

    Nothing wrong with powering off when not in use, but perhaps it'd be a good idea to unplug as well. There is something called -- as I recall -- Wake On LAN that allows "powered off" devices to be turned on remotely. Obviously, some hardware isn't as turned off as one might desire when one flips the power switch off. Who knows for sure what is actually running in there when the power is "off".

  13. This post has been deleted by its author

  14. Ochib

    Re: Again,

    "I, personally, always shut down the PC when not in use. Yes it is a bit of a pain having to wait for the PC to boot"

    Every morning it runs like this:

    1) Power Laptop up

    2) Get coffee

    3) Drink coffee

    4) After stage 2 and 3 the laptop is ready for me to logon

  15. Joeyjoejojrshabado

    Re: Again.. How many people turn their machine off?

    "The other being a nastygram from the BSA that was quite costly."

    The British Shakesphere Association are real bastards.

  16. LDS Silver badge

    "perhaps it'd be a good idea to unplug as well. "

    WoL can usually be disabled from the BIOS settings. As long as your company doesn't use it to apply patches or run backups. Anyway the RAM of a machine left running with different applications opened is usually far more interesting than the RAM of a machine just booted and no one logged on.

  17. Anonymous Coward

    "win7 takes 10 mins to come out of hibernation"

    If you have a lot of RAM, reading back the hibernation file may take longer than reading just the code to be run and initializing it. With enough cores, the processes then run in parallel, but reading from disk, especially non-SSD ones, is still mostly a serial task.

  18. 's water music Silver badge
    Flame

    Re: Again,

    I shut down... ...I also unplug all chargers overnight. One of the highest fire risks.

    Use your opponent's strengths against her. When I am finished for the day I simply drive a large nail through the battery compartment of my laptop which consumes the whole assembly with fire and renders the laptop uncompromisable overnight.

  19. Voyna i Mor Silver badge

    Re: Again.. How many people turn their machine off?

    "The British Shakesphere Association are real bastards."

    Let me guess - you shouted "Francis Bacon" under their windows?

  20. ITS Retired

    Re: Again.. How many people turn their machine off?

    The Boy Scouts of America? I suppose some teenage antics can get out of hand.

  21. onefang

    Re: Again.. How many people turn their machine off?

    "The other being a nastygram from the BSA that was quite costly."

    "The British Shakesphere Association are real bastards."

    To sue, or not to sue?

  22. onefang

    Re: Again,

    "When I am finished for the day I simply drive a large nail through the battery compartment of my laptop which consumes the whole assembly with fire and renders the laptop uncompromisable overnight."

    As a bonus, no need to turn on the heater during cold nights. Takes a long time to boot in the morning though: walk to the nearest computer store, buy new laptop, walk to wherever your offsite backups are stored, bare metal restore, walk back home, reboot. Could get expensive, I hope you have a cheap source of suitable large nails.

  23. Fred Dibnah

    Shakesphere

    That explains the Globe Theatre.

  24. Solo Owl

    Re: Again,

    My main computer at home is set to turn itself on a few minutes before my phone is programmed to make a very loud noise that is intended to activate me. By the time I finish ablutions and find breakfast, the computer is ready and anxious to read mail and the papers. Even with the slowest boot time.

  25. matjaggard

    Re: Again,

    The problem for me is not boot time but remembering WTF I was doing before I left for the pub on Friday evening.

  26. Wzrd1

    Re: Again,

    We disable sleep and always have. Hibernate can be attacked using a different method.

    I either lock the machine and leave it running or shut it down. Either way, it comes home with me.

    Where someone stealing it is unlikely, as they have to get past the security robots, laser wielding sharks, elevators with dubiously reprogrammed controllers, the hallway of flamethrowers, followed by a liquid nitrogen moat. All while the BOFH MKII watches and waits.

  27. Wzrd1

    Re: Again,

    Their advice was, if a computer gets compromised and it has UEFI, shred it. Don't bother trying to do a clean install, because you can never be 100% sure they haven't slipped something into the UEFI. You can't just throw out the old drives and put new ones in any more. Likewise, even updating the UEFI isn't a 100% guarantee.

    Understanding the UEFI system, it's simple enough to reset to factory defaults, flash the BIOS to factory as well and wipe the hard drive. Have yet to have a system retain nastiness once I got my mitts on it.

    The script deletes all partitions, creates a single full drive partition, formats it, deletes that partition, resets BIOS to factory defaults, flashes the BIOS, resets it again, then creates new partitions, copies base files, reboots and does hash testing on the files, then goes on for installation.

    Even the NSA was impressed.

  28. Wzrd1

    Re: Again.. How many people turn their machine off?

    This policy arose from an incident where an executive left his machine on, and it was infected with malware. Those behind the attack had the whole weekend to surf our internal network.

    We have 24/7 monitoring of the network and systems logs via two layers of monitoring. And a host based IPS system. And 24/7 on call staff to respond to any incident.

    The few times I saw a network pwned, it was due to a lack of a system administrator following policy and either not performing the proper baseline configuration or using found USB mass storage devices on the servers and due to the misconfiguration, autorun installed the malware.

    They received punishing paid overtime and were named company heroes for working all of that overtime to fix what they fouled up. Until they promptly reinfected everything, precisely the same way in which they did the first time. The DoD was not amused that time.

  29. Wzrd1

    Re: Again.. How many people turn their machine off?

    Wake on LAN has to be enabled in BIOS.

  30. JeffyPoooh Silver badge
    Pint

    Re: "win7 takes 10 mins to come out of hibernation"

    "If you have a lot of RAM..."

    Isn't that the silliest thing? That the OS mindlessly stores the entire RAM to disk. 16GB of RAM, fresh from cold boot, Hibernate = 16 GB file. Stoopid stoopid stoopid.

    Keep in mind that it's the OS, as in Operating System. Apparently it doesn't know which parts of the RAM are in actual use and which are not.

    More accurately, Microsoft can't be arsed to perform this function more efficiently. Lazy pigs.

    I expect that they'll figure it out eventually.

  31. JeffyPoooh Silver badge
    Pint

    Re: Again,

    'swm suggested, "...drive a large nail through the battery compartment..."

    Interestingly, the high energy density lithium primary (non-rechargeable) cells used in the latest avionics have to meet a TSO that precludes fire when a nail is driven through them.

    Fizz and bubble is okay, but not fire.

  32. Allan George Dyer Silver badge

    Re: Again,

    Don't you find that the liquid nitrogen makes the sharks sluggish? You have seen the memo making sharks compulsory in moats?

  33. Wayland Bronze badge

    Re: Again,

    Motherboards have been getting smarter over the years. In the past all they could really do was look for something to boot from. Now they have the capabilities to connect to the Internet with no drives connected.

  34. Wayland Bronze badge

    Re: Again.. How many people turn their machine off?

    "The other being a nastygram from the BSA that was quite costly."

    The British Shakesphere Association are real bastards.

    Birmingham Small Arms.

  35. jcitron

    Re: Again.. How many people turn their machine off?

    Wake on LAN is a BIOS setting actually. I turn mine off on my desktop and All-in-1. I neglected to turn it off once and got awakened by a system update so now it's the first setting I change on the power management page in the BIOS.

    I can see this being useful if the PC is in a corporate environment and the IT department pushes out system updates across the LAN, or needs to turn on servers remotely after a power down, but for general home use it's not necessary.

    Good luck to the people that take my All-in-1. They'll be dreadfully disappointed because all that's on that is Xodo PDF viewer and PDFs of sheet music. It beats turning pages while playing the piano!

    My desktop gets turned off daily. It takes less than 30 secs to boot, and a few seconds to reload a browser after logging in. The browser I use, Opera, can be configured to reload last pages and tabs anyway so that's no biggy.

  36. Anonymous Coward

    I don't see how a firmware password can protect Macs when you can use a SOIC clip (older Macs) or JTAG (newer Macs) to interface with the UEFI chip directly and reflash the firmware, hex edit the SVS variable or even change a specific value to force the NVRAM to clear on next boot. Obviously requires a fair bit of knowledge rather than the average offload-the-stolen-Mac-on-eBay scenario, but still.

  37. Dan 55 Silver badge

    Perhaps it should read setting a FileVault password, which encrypts the hard disk.

  38. chivo243 Silver badge
    Headmaster

    Physical Access

    Physical Access = Game Over

    I hope this is self explanatory?!

  39. Crypto Monad

    Re: Physical Access

    "But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal."

    Maybe not - but if they can reflash the firmware, they can put in a keylogger or whatever trojan nonsense they want.

    The missing laptop is "found", "handed in" to the hotel, returned to its owner, gets used again, and is p0wned forever more. This is the well-known Evil Maid attack.

  40. Christian Berger Silver badge

    Re: Physical Access

    "Maybe not - but if they can reflash the firmware, they can put in a keylogger or whatever trojan nonsense they want."

    Now "Secure" Boot proponents will tell you that "Secure" Boot saves you from that. However there is a simple workaround to that. Company notebooks typically are from a narrow range of devices easily obtained by any attacker:

    Just get the same model, install some form of software mimicking a system booting up then asking for a password and displaying a "wrong password" screen while sending the password off to you.

    Then you use some social engineering and secretly swap the laptops. Claim to be from another branch of the same company and leave your business card with your mobile phone number.

    Once the victim enters the password, you have it and can unlock the computer. Eventually the victim will suspect there having been a mixup and call you to swap them back.

  41. Voyna i Mor Silver badge
    Paris Hilton

    Re: Physical Access - This is the well-known Evil Maid attack.

    You missed the correct icon ---->

  42. deadlockvictim Silver badge

    Sociopathic

    Article» Whether or not it's easier than smacking the laptop owner with a two-by-four until they give up their login password is, well, an exercise left to our more sociopathic readers.

    They are *executives*.

    Think of Dilbert's boss and all of his bosses.

    Actually just think the c-suite in general.

    Think about your last payrise.

    What would the BOFH do?

  43. Giovani Tapini

    Re: Sociopathic

    [What would the BOFH do?]

    He would offer to carry the laptop and papers, while helpfully opening the lift door and allowing boss to get in first, unencumbered. BOFH forgot to mention the lift floor was in the process of being replaced... oops!

  44. onefang

    Re: Sociopathic

    "What would the BOFH do?"

    Similar to that bit you quoted - smacking the laptop owner with a clue-by-four until they learn better security practices.

  45. Little Mouse

    Sleep Mode - Biting users in the backside since its inception.

  46. Alan J. Wylie Silver badge

    smacking the laptop owner with a two-by-four?

    Surely a $5 wrench?

  47. big_D Silver badge
    Boffin

    I'd use the King Dick, as recommended by John Cadogan. But you don't whack them about the head with it.

    For more useful advice on how to use the King Dick, watch John's YouTube channel, especially the Nut Fest Friday episodes, with his cock. Yesss!

  48. Alan Brown Silver badge

    "Surely a $5 wrench?"

    Rubber hoses leave fewer marks.

  49. Wzrd1

    "Surely a $5 wrench?"

    Nah, I like to leave a good impression. Ten pound sledgehammer. I'll have the password before the SOB runs out of knees.

  50. DrXym Silver badge

    So in summary

    If you happen to be running a device that runs a very specific BIOS, AND it was left in standby, AND it was encrypted, AND the device is easy to crack open (most ultrabooks aren't), AND it was stolen by technologically savvy hackers AND they have the exact custom firmware to flash that make and model, AND they know what they're looking for THEN you should be worried?

    I can think of easier modes of attack.


Biting the hand that feeds IT © 1998–2018