You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system. When computers are restarted, the motherboard firmware can wipe the …


  1. Anonymous Coward

    Again,

    This is *old* news.

    Truecrypt mitigated this "attack" as does using a BIOS (BIOS!!, FFS it's all UEFI now) boot up password or BIOS setting password. And physically turning the machine off also dealt with this.

    Or is this some new kind of attack based on these old principles?

    1. tip pc

      Re: Again,

      How many people turn their machine off?

      I’ve always put it in sleep or hibernate and now get nagged that I’ve not rebooted in a week and the machine goes ahead and reloads when I least expect it as per company policy.

      I don’t shutdown so I can restart where I left off the next day. Mac OS handles reloads by putting you back where you left off. It’s weird that windows can’t match that functionality.

      1. Anonymous Coward

        Re: Again,

        It does, with Hibernate, and has for decades or thereabouts (I used it in at least Win2000, but I'd heard of it before that).

        1. big_D Silver badge

          Re: Again,

          @AC

          No, Hibernate isn't the same as restoring a session after the OS restarts the PC to install updates. Yes, Hibernate, suspend to RAM etc. brings the PC back up to where it was when it was suspended / hibernated, but that doesn't help if the PC is rebooted.

      2. Oengus Silver badge

        Re: Again,

        How many people turn their machine off?

        I, personally, always shut down the PC when not in use. Yes it is a bit of a pain having to wait for the PC to boot but with SSDs that time is dramatically reduced.

        1. darklord

          Re: Again,

          Always shut down, as my laptop running Win7 takes 10 mins to come out of hibernation or sleep mode, whereas from cold it's less than a minute.

          1. Anonymous Coward

            "win7 takes 10 mins to come out of hibernation"

            If you have a lot of RAM, reading back the hibernation file may take longer than reading just the code to be run and initialising it. With enough cores, the processes then run in parallel, but reading from disk, especially non-SSD ones, is still mostly a serial task.

            1. JeffyPoooh Silver badge
              Pint

              Re: "win7 takes 10 mins to come out of hibernation"

              "If you have a lot of RAM..."

              Isn't that the silliest thing? That the OS mindlessly stores the entire RAM to disk. 16GB of RAM, fresh from cold boot, Hibernate = 16 GB file. Stoopid stoopid stoopid.

              Keep in mind that it's the OS, as in Operating System. Apparently it doesn't know which parts of the RAM are in actual use and which are not.

              More accurately, Microsoft can't be arsed to perform this function more efficiently. Lazy pigs.

              I expect that they'll figure it out eventually.

        2. Fatman Silver badge
          Linux

          Re: Again.. How many people turn their machine off?

          At my former employer - it was mandated that desktop machines be shut down at the end of the day.

          If it isn't powered up, then it can not be pwned during the overnight/weekend hours.

          This policy arose from an incident where an executive left his machine on, and it was infected with malware. Those behind the attack had the whole weekend to surf our internal network. Cleaning up the mess was one of the reasons why we ditched Windows, and went to Linux. The other being a nastygram from the BSA that was quite costly.

          1. vtcodger Silver badge

            Re: Again.. How many people turn their machine off?

            Nothing wrong with powering off when not in use, but perhaps it'd be a good idea to unplug as well. There is something called -- as I recall -- Wake On LAN that allows "powered off" devices to be turned on remotely. Obviously, some hardware isn't as turned off as one might desire when one flips the power switch off. Who knows for sure what is actually running in there when the power is "off".

            1. LDS Silver badge

              "perhaps it'd be a good idea to unplug as well. "

              WoL can usually be disabled from the BIOS settings. As long as your company doesn't use it to apply patches or run backups. Anyway the RAM of a machine left running with different applications opened is usually far more interesting than the RAM of a machine just booted and no one logged on.

            2. Wzrd1

              Re: Again.. How many people turn their machine off?

              Wake on LAN has to be enabled in BIOS.

            3. jcitron

              Re: Again.. How many people turn their machine off?

              Wake on LAN is a BIOS setting actually. I turn mine off on my desktop and All-in-1. I neglected to turn it off once and got awakened by a system update so now it's the first setting I change on the power management page in the BIOS.

              I can see this being useful if the PC is in a corporate environment and the IT department pushes out system updates across the LAN, or needs to turn on servers remotely after a power down, but for general home use it's not necessary.

              Good luck to the people that take my All-in-1. They'll be dreadfully disappointed because all that's on that is Xodo PDF viewer and PDFs of sheet music. It beats turning pages while playing the piano!

              My desktop gets turned off daily. It takes less than 30 secs to boot, and a few seconds to reload a browser after logging in. The browser I use, Opera, can be configured to reload last pages and tabs anyway so that's no biggie.
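The Wake-on-LAN point made above by LDS, Wzrd1 and jcitron has two halves: the firmware (BIOS/UEFI) option, and the flag the NIC driver arms at shutdown, which is what Linux exposes through ethtool(8). As an added example, not code from the thread, the script below audits that second half from ethtool's output and can clear it. It assumes a Linux host with ethtool installed; the sample outputs are constructed in the shape ethtool prints, and the interface names are illustrative. It cannot see the firmware setting, which still has to be checked in setup.

```shell
#!/bin/sh
# Added example (not from the thread): audit and clear the OS-level Wake-on-LAN
# flag that ethtool(8) reports on Linux. The firmware (BIOS/UEFI) WoL option is a
# separate switch this script cannot see; check it in setup as well.
# Assumptions: Linux host with ethtool installed. Sample outputs below are constructed.

# Print the value of the "Wake-on:" line from ethtool output ("d" = disabled,
# "g" = magic packet, and so on). Prints nothing if the driver does not report WoL.
# The "Supports Wake-on:" line is deliberately not matched (anchored at line start).
wol_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Wake-on:[[:space:]]*//p' | head -n 1
}

# Exit status: 0 = WoL armed, 1 = disabled, 2 = not reported by the driver.
wol_armed() {
    _m=$(wol_mode "$1")
    [ -n "$_m" ] || return 2
    [ "$_m" != "d" ] || return 1
    return 0
}

# Live check of one interface; prints a one-line verdict, returns wol_armed's status.
audit_iface() {
    _out=$(ethtool "$1" 2>/dev/null) || { echo "$1: ethtool failed"; return 2; }
    if wol_armed "$_out"; then _rc=0; else _rc=$?; fi
    case $_rc in
        0) echo "$1: WoL ARMED (Wake-on: $(wol_mode "$_out"))" ;;
        1) echo "$1: WoL disabled" ;;
        *) echo "$1: WoL not reported by driver" ;;
    esac
    return $_rc
}

# Clear the NIC-level flag. This is a runtime setting: re-apply it at boot
# (udev rule, network manager config) if it must survive a reboot.
disable_wol() {
    ethtool -s "$1" wol d
}

# Constructed sample outputs, in the shape ethtool prints them.
SAMPLE_ARMED='Settings for eth0:
        Supported ports: [ TP ]
        Supports Wake-on: pumbg
        Wake-on: g
        Link detected: yes'
SAMPLE_OFF='Settings for eth1:
        Supports Wake-on: pumbg
        Wake-on: d
        Link detected: yes'
SAMPLE_NONE='Settings for wlan0:
        Link detected: yes'

# Stand-alone run: audit the interfaces named on the command line, or, with no
# arguments, classify the three constructed samples.
if [ "$#" -gt 0 ]; then
    for _i in "$@"; do audit_iface "$_i"; done
else
    for _s in "$SAMPLE_ARMED" "$SAMPLE_OFF" "$SAMPLE_NONE"; do
        if wol_armed "$_s"; then _rc=0; else _rc=$?; fi
        echo "sample ($(printf '%s\n' "$_s" | head -n 1)) wol_armed rc=$_rc"
    done
fi
```

Run it as `sh wol_audit.sh eth0 eth1` on a live host; `disable_wol eth0` then clears the flag for the current boot only. A machine can still be woken by the firmware's own WoL or by a management controller, so treat a clean ethtool report as one check, not proof that the box stays off.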

          2. Joeyjoejojrshabado

            Re: Again.. How many people turn their machine off?

            "The other being a nastygram from the BSA that was quite costly."

            The British Shakesphere Association are real bastards.

            1. Voyna i Mor Silver badge

              Re: Again.. How many people turn their machine off?

              "The British Shakesphere Association are real bastards."

              Let me guess - you shouted "Francis Bacon" under their windows?

            2. ITS Retired

              Re: Again.. How many people turn their machine off?

              The Boy Scouts of America? I suppose some teenage antics can get out of hand.

            3. onefang Silver badge

              Re: Again.. How many people turn their machine off?

              "The other being a nastygram from the BSA that was quite costly."

              "The British Shakesphere Association are real bastards."

              To sue, or not to sue?

            4. Fred Dibnah

              Shakesphere

              That explains the Globe Theatre.

            5. Wayland Bronze badge

              Re: Again.. How many people turn their machine off?

              "The other being a nastygram from the BSA that was quite costly."

              "The British Shakesphere Association are real bastards."

              Birmingham Small Arms.

          3. Wzrd1

            Re: Again.. How many people turn their machine off?

            This policy arose from an incident where an executive left his machine on, and it was infected with malware. Those behind the attack had the whole weekend to surf out or internal network.

            We have 24/7 monitoring of the network and systems logs via two layers of monitoring. And a host based IPS system. And 24/7 on call staff to respond to any incident.

            The few times I saw a network pwned, it was due to a lack of a system administrator following policy and either not performing the proper baseline configuration or using found USB mass storage devices on the servers and due to the misconfiguration, autorun installed the malware.

            They received punishing paid overtime and were named company heroes for working all of that overtime to fix what they fouled up. Until they promptly reinfected everything, precisely the same way in which they did the first time. The DoD was not amused that time.

        3. Ochib

          Re: Again,

          "I, personally, always shut down the PC when not in use. Yes it is a bit of a pain having to wait for the PC to boot"

          Every morning it runs like this;

          1) Power Laptop up

          2) Get coffee

          3) Drink coffee

          4) After stage 2 and 3 the laptop is ready for me to logon

          1. Solo Owl

            Re: Again,

            My main computer at home is set to turn itself on a few minutes before my phone is programmed to make a very loud noise that is intended to activate me. By the time I finish ablutions and find breakfast, the computer is ready and anxious to read mail and the papers. Even with the slowest boot time.

            1. matjaggard

              Re: Again,

              The problem for me is not boot time but remembering WTF I was doing before I left for the pub on Friday evening.

        4. Wzrd1

          Re: Again,

          We disable sleep and always have. Hibernate can be attacked using a different method.

          I either lock the machine and leave it running or shut it down. Either way, it comes home with me.

          Where someone stealing it is unlikely, as they have to get past the security robots, laser-wielding sharks, elevators with dubiously reprogrammed controllers, the hallway of flamethrowers, followed by a liquid nitrogen moat. All while the BOFH MkII is watching and waiting.

          1. Allan George Dyer Silver badge

            Re: Again,

            Don't you find that the liquid nitrogen makes the sharks sluggish? You have seen the memo making sharks compulsory in moats?

      3. onefang Silver badge

        Re: Again,

        "How many people turn their machine off?"

        I do. Or rather I don't use any sleep or hibernation modes in anything. On the other hand, I don't like laptops much, but I do use a couple that belong to others regularly, and I turn them off when I'm done.

        I'm wondering why they didn't tell Linux and BSD people about this, only Apple, Intel, and Microsoft? Even AMD was left out in the cold (pun intended). Of those couple of laptops I mentioned, one is Linux only, the other dual boots Linux and Windows.

      4. Mage Silver badge
        FAIL

        Re: Again,

        Madness.

        I shut down. It takes about a minute to boot Linux. My old (2002) XP laptop boots in under a minute, or did last year (converting some PSP7 to Photoshop format for The Gimp). Making a cuppa or even fetching chilled fizzy water takes longer than a cold boot even with a mechanical HDD. Unless you have an "out of the box" Windows with every service on and a load of nonsense autorunning in Startup etc. I've pared a Win7 boot on HDD from 2min 45sec to 20 sec.

        I also unplug all chargers overnight. One of the highest fire risks. I can easily recharge any of my gadgets between early evening and bedtime.

        Linux CAN start off (and to a limited extent, Windows) where you were from a cold boot. I decided over 10 years ago that this was a bad idea. I can easily get back the documents, web pages and emails I was looking at. All those programs store state on exit (or periodically in case of a crash). Notepad++ on WINE on Linux opens all the documents. If you use native format instead of MS, LibreOffice remembers your location.

        Use case for hibernation is when running out of battery suddenly and no time to save. Sleep MAYBE to carry from desk to desk?

        Sleep has always been insecure and also unreliable for peripherals, esp WiFi.

        1. 's water music Silver badge
          Flame

          Re: Again,

          I shut down... ...I also unplug all chargers overnight. One of the highest fire risks.

          Use your opponent's strengths against her. When I am finished for the day I simply drive a large nail through the battery compartment of my laptop which consumes the whole assembly with fire and renders the laptop uncompromisable overnight.

          1. onefang Silver badge

            Re: Again,

            "When I am finished for the day I simply drive a large nail through the battery compartment of my laptop which consumes the whole assembly with fire and renders the laptop uncompromisable overnight."

            As a bonus, no need to turn on the heater during cold nights. Takes a long time to boot in the morning though: walk to the nearest computer store, buy new laptop, walk to wherever your offsite backups are stored, bare metal restore, walk back home, reboot. Could get expensive, I hope you have a cheap source of suitable large nails.

          2. JeffyPoooh Silver badge
            Pint

            Re: Again,

            'swm suggested, "...drive a large nail through the battery compartment..."

            Interestingly, the high energy density lithium primary (non-rechargeable) cells used in the latest avionics have to meet a TSO that precludes fire when a nail is driven through them.

            Fizz and bubble is okay, but not fire.

    2. big_D Silver badge
      Black Helicopters

      Re: Again,

      I was talking to a friend recently and he had the Federal Office for the Protection of the Constitution visit him. And in a general discussion, they gave some advice.

      Their advice was, if a computer gets compromised and it has UEFI, shred it. Don't bother trying to do a clean install, because you can never be 100% sure they haven't slipped something into the UEFI. You can't just throw out the old drives and put new ones in any more. Likewise, even updating the UEFI isn't a 100% guarantee.

      Similarly, he was advised that if you are visiting certain foreign countries, you shouldn't take a laptop or phone with you, or rather just a burner phone and laptop with no sensitive information on them and throw them in the bin when you return.

      And I thought I was paranoid!

      1. onefang Silver badge
        FAIL

        Re: Again,

        "Their advice was, if a computer gets compromised and it has UEFI, shred it."

        So much for being more secure.

        1. Wayland Bronze badge

          Re: Again,

          Motherboards have been getting smarter over the years. In the past all they could really do was look for something to boot from. Now they have the capabilities to connect to the Internet with no drives connected.

      2. Wzrd1

        Re: Again,

        Their advice was, if a computer gets compromised and it has UEFI, shred it. Don't bother trying to do a clean install, because you can never be 100% sure they haven't slipped something into the UEFI. You can't just throw out the old drives and put new ones in any more. Likewise, even updating the UEFI isn't a 100% guarantee.

        Understanding the UEFI system, it's simple enough to reset to factory defaults, flash the BIOS to factory as well and wipe the hard drive. Have yet to have a system retain nastiness once I got my mitts on it.

        The script deletes all partitions, creates a single full drive partition, formats it, deletes that partition, resets BIOS to factory defaults, flashes the BIOS, resets it again, then creates new partitions, copies base files, reboots and does hash testing on the files, then goes on for installation.

        Even the NSA was impressed.
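Wzrd1's script "copies base files, reboots and does hash testing on the files". As an added example, not the poster's script, the functions below implement that one step in POSIX shell: build a SHA-256 manifest of the base files from trusted media, then verify the copied tree against it after the reboot, reporting modified, missing and extra files. It assumes GNU sha256sum or BSD shasum(1) is available; the directory tree in the demo is constructed.

```shell
#!/bin/sh
# Added example (not the poster's script): build a SHA-256 manifest of base files
# on trusted media and verify the copied tree against it after the reboot.
# Assumes GNU coreutils sha256sum or BSD shasum(1). The demo tree is constructed.

# Print the hex SHA-256 digest of the file $1.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest ROOT MANIFEST: record "<digest>  <relative path>" for every
# regular file under ROOT, in a stable (byte-ordered) sequence.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s  %s\n' "$(_sha256 "$1/$f")" "$f"
    done > "$2"
}

# verify_manifest ROOT MANIFEST: returns 0 if every listed file is present with
# the recorded digest and no unlisted regular file exists under ROOT; 1 otherwise.
# Each problem is reported on stdout as MISSING, MISMATCH or EXTRA.
verify_manifest() {
    _root=$1; _man=$2; _bad=0
    while IFS= read -r line; do
        want=${line%%  *}
        f=${line#*  }
        if [ ! -f "$_root/$f" ]; then
            echo "MISSING  $f"; _bad=1; continue
        fi
        got=$(_sha256 "$_root/$f")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $f"; _bad=1
        fi
    done < "$_man"
    # Name any file on disk that the manifest does not list (runs in a subshell,
    # so the count check below is what actually fails the verification).
    ( cd "$_root" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        grep -qF -- "  $f" "$_man" || echo "EXTRA    $f"
    done
    _n_disk=$( (cd "$_root" && find . -type f) | wc -l | tr -d ' ')
    _n_man=$(wc -l < "$_man" | tr -d ' ')
    [ "$_n_disk" -eq "$_n_man" ] || _bad=1
    return $_bad
}

# Stand-alone demo on a constructed tree: a clean copy verifies, a tampered copy
# (one file changed, one file added) does not. Returns 0 if both outcomes hold.
demo() {
    _d=$(mktemp -d) || return 2
    mkdir -p "$_d/root/etc"
    printf 'PermitRootLogin no\n' > "$_d/root/etc/sshd_config"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$_d/root/etc/passwd"
    make_manifest "$_d/root" "$_d/base.sha256"
    if verify_manifest "$_d/root" "$_d/base.sha256"; then
        echo "clean copy: OK"; _rc=0
    else
        echo "clean copy: rejected (BUG)"; _rc=1
    fi
    printf 'PermitRootLogin yes\n' > "$_d/root/etc/sshd_config"   # tamper
    : > "$_d/root/etc/rc.local"                                     # add a file
    if verify_manifest "$_d/root" "$_d/base.sha256"; then
        echo "tampered copy: verified (BUG)"; _rc=1
    else
        echo "tampered copy: rejected as expected"
    fi
    rm -rf "$_d"
    return $_rc
}
demo
```

Keep the manifest on the trusted media, not on the drive being rebuilt, or the same hands that altered the files can alter the list. Note what this does and does not cover: it proves the copied files match the source image, which is the claim in the script description; it says nothing about the firmware, which is the part of the subthread's worry a file hash cannot reach. Checking that means reading the SPI flash contents back and comparing them with the vendor image, which is a separate tool and outside this script.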

    3. This post has been deleted by its author

  2. Anonymous Coward

    I don't see how a firmware password can protect Macs when you can use a SOIC clip (older Macs) or JTAG (newer Macs) to interface with the UEFI chip directly and reflash the firmware, hex edit the SVS variable or even change a specific value to force the NVRAM to clear on next boot. Obviously requires a fair bit of knowledge rather than the average offload-the-stolen-Mac-on-eBay scenario, but still.

    1. Dan 55 Silver badge

      Perhaps it should read setting a FileVault password, which encrypts the hard disk.

  3. chivo243 Silver badge
    Headmaster

    Physical Access

    Physical Access = Game Over

    I hope this is self explanatory?!

    1. Crypto Monad

      Re: Physical Access

      "But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal."

      Maybe not - but if they can reflash the firmware, they can put in a keylogger or whatever trojan nonsense they want.

      The missing laptop is "found", "handed in" to the hotel, returned to its owner, gets used again, and is p0wned forever more. This is the well-known Evil Maid attack.

      1. Christian Berger Silver badge

        Re: Physical Access

        "Maybe not - but if they can reflash the firmware, they can put in a keylogger or whatever trojan nonsense they want."

        Now "Secure" Boot proponents will tell you that "Secure" Boot saves you from that. However there is a simple workaround to that. Company notebooks typically are from a narrow range of devices easily obtained by any attacker:

        Just get the same model, install some form of software mimicking a system booting up then asking for a password and displaying a "wrong password" screen while sending the password off to you.

        Then you use some social engineering and secretly swap the laptops. Claim to be from another branch of the same company and leave your business card with your mobile phone number.

        Once the victim enters the password, you have it and can unlock the computer. Eventually the victim will suspect there having been a mixup and call you to swap them back.

      2. Voyna i Mor Silver badge
        Paris Hilton

        Re: Physical Access - This is the well-known Evil Maid attack.

        You missed the correct icon ---->

  4. deadlockvictim Silver badge

    Sociopathic

    Article» Whether or not it's easier than smacking the laptop owner with a two-by-four until they give up their login password is, well, an exercise left to our more sociopathic readers.

    They are *executives*.

    Think of Dilbert's boss and all of his bosses.

    Actually just think the c-suite in general.

    Think about your last payrise.

    What would the BOFH do?

    1. Giovani Tapini

      Re: Sociopathic

      [What would the BOFH do?]

      He would offer to carry the laptop and papers, while helpfully opening the lift door and allowing boss to get in first, unencumbered. BOFH forgot to mention the lift floor was in the process of being replaced... oops!

    2. onefang Silver badge

      Re: Sociopathic

      "What would the BOFH do?"

      Similar to that bit you quoted - smacking the laptop owner with a clue-by-four until they learn better security practices.

  5. Little Mouse

    Sleep Mode - Biting users in the backside since its inception.

  6. Alan J. Wylie Silver badge

    smacking the laptop owner with a two-by-four?

    Surely a $5 wrench?

    1. big_D Silver badge
      Boffin

      I'd use the King Dick, as recommended by John Cadogan. But you don't whack them about the head with it.

      For more useful advice on how to use the King Dick, watch John's YouTube channel, especially the Nut Fest Friday episodes, with his cock. Yesss!

    2. Alan Brown Silver badge

      "Surely a $5 wrench?"

      Rubber hoses leave fewer marks.

      1. Wzrd1

        "Surely a $5 wrench?"

        Nah, I like to leave a good impression. Ten pound sledgehammer. I'll have the password before the SOB runs out of knees.

  7. DrXym Silver badge

    So in summary

    If you happen to be running a device that runs a very specific BIOS, AND it was left in standby, AND it was encrypted, AND the device is easy to crack open (most ultrabooks aren't), AND it was stolen by technologically savvy hackers AND they have the exact custom firmware to flash that make and model, AND they know what they're looking for THEN you should be worried?

    I can think of easier modes of attack.



Biting the hand that feeds IT © 1998–2019