32

I recently took a business trip to China. Our IT department told me I could not take my normal machine, and instead gave me a loaner. This loaner had MS Outlook and was linked to my normal company e-mail account. I logged into the corporate network using the same VPN and token (Mobile Pass on my iPhone) that I would have used had I taken my normal machine. I should note that I did take my normal iPhone, not a loaner.

The primary difference from the normal machine seems to be that upon my return, the loaner would be reimaged, and presumably used as a loaner on the next trip someone took. I was never asked not to place the loaner on the company network on my return, and I never tried so I do not know if it would connect to the network or not. There were also no restrictions on moving files from the loaner onto my normal machine. I also used my normal logins on the loaner (user id, passwords, etc.).

My question is: does this loaner laptop policy provide significant security benefit over taking the user's normal machine?

Follow up edit: and does the fact the destination is China, versus, say a location in Europe or the US make a difference?

Stone True
  • 2
    If the department does not already have an overseas policy, they should have a stern talking to. Also it should not be the hodge podge of policies without a real threat model and mitigation processes in place. Very unfortunately this happens and not just in china. You'd think that a reputable hotel would not aid in this, but this is not the case. – m2kin2 Nov 20 '15 at 15:07
  • 2
    Another related question - should I have kept the laptop with me at all times? When I went to dinner, I locked it up in the safe in the room (I have a feeling the group will not like this). I should also add that full disk encryption was used on the loaner (Bit Locker). – Stone True Nov 20 '15 at 16:42
  • 1
    Probably. Hotels need to be able to get into safes in their rooms (else one visitor forgetting the code would result in a locksmith being needed), so they will have a way in. BitLocker might help, unless, and this is depressingly common, you use a hardware token and store it with the laptop. It also wouldn't protect against any firmware based attacks/hardware keyloggers/etc. – Matthew Nov 20 '15 at 16:47
  • 1
    I use a soft token app which is PIN protected on my complex-password protected iPhone 5S, which was of course NOT left in the hotel safe but was in my pocket when I went out. – Stone True Nov 20 '15 at 16:49
  • 1
    A huge amount has been said about malware and spyware being added to a machine; the simple thing is that employee assigned machines "collect" a lot of data on the local drives. A "blank" loaner has a smaller payload to share should the entire machine be stolen. – Adrian Hum Nov 21 '15 at 00:10
  • "does the fact the destination is China, versus, say a location in Europe or the US make a difference?" -- not sure anyone's addressed this. Worst case no difference, since those other countries have access to all the same tricks. Average case yes, since (as far as we know) you personally are less likely to be targeted in the EU or US. – Steve Jessop Nov 21 '15 at 01:34

6 Answers

47

I recently took a business trip to China. Our IT department told me I could not take my normal machine, and instead gave me a loaner.

That may not have helped you at all. The reason I'm saying this is because you connected that laptop to the corporate network after you brought it back to your country.

This loaner had MS Outlook and was linked to my normal company e-mail account. I logged into the corporate network using the same VPN and token (Mobile Pass on my iPhone) that I would have used had I taken my normal machine. I should note that I did take my normal iPhone, not a loaner.

You shouldn't ever reconnect that computer to your corporate network. You need a clear separation of concerns.


International Corporate Espionage and You

Do you have a company that does important business in China? You may have been hacked on arrival. Unfortunately, since you also connected to the corporate email and other accounts, you may have had all of your email addresses and contacts exfil'd.

Why would they need that information? For phishing attacks, for information on clients, contacts, et al.

Unfortunately, most of the hotel internet service that I've encountered have had significant problems with their login portals, such as drive-by-download exploits in Javascript, Flash, and Java. If you had any of those enabled, and your machine was vulnerable, then it's quite possible you're infected without realizing it.

I've personally come across hotel WiFi that "doesn't work," which requires "IT staff" in the hotels who will personally come in and set up your connection properties (IPv4, IPv6, DNS, et al) to connect through a malicious server. Sometimes they even try to download files on my laptop while "fixing" it.


Firmware attacks are possible

The primary difference from the normal machine seems to be that upon my return, the loaner would be reimaged, and presumably used as a loaner on the next trip someone took.

Unfortunately, this won't help against firmware-based attacks. It can be as simple as inserting a BadUSB device when you're away. Walk in, insert, wait for confirmation of flashed hardware, leave. If you're working for a government contractor, or have important company secrets to protect, I wouldn't even trust a re-imaged drive.

Full disk encryption doesn't protect you against flashed firmware, or even hidden device implants. They can simply turn on the laptop, insert a piece of media that contains malware, flash your bios without even touching the drive, and then install bios-based malware.


But firmware attacks aren't absolutely necessary

Did you leave the laptop alone in the hotel while you went shopping, or went to an important meeting? It may have been broken into physically while you weren't there.

One good way to defend against this is by ensuring that your hard drive was encrypted, and then shutting it off when you're gone. But this isn't perfect either; they can physically implant things in your laptop faster than you think. You could also try placing a few warranty/void seals on the laptop edges before visiting China. If they're broken, assume the hardware is compromised.

Again, keep in mind that full-disk encryption won't save you from hardware-based attacks. If they copied your hard drive contents and then installed a hardware-based keylogger, then they could retrieve your hard-drive contents easily.


What about my phone? Is it safe?

Since you mentioned your phone in your post, I thought I'd add this little tidbit. It's possible to replace your phone's charging equipment with a malicious doppelganger while you're gone, or even while you're asleep.

If you spend enough time in hotels, you may run even into hotel employees who actually enter your hotel while you're asleep. Even if you've bolted the doors and locked them.


Should I connect to my normal corporate network while in China?

I was never asked not to place the loaner on the company network on my return, and I never tried so I do not know if it would connect to the network or not. There were also no restrictions on moving files from the loaner onto my normal machine. I also used my normal logins on the loaner (user id, passwords, etc.).

I would suggest that your IT Security staff spends a bit more time learning about foreign attackers. Using your normal logins is pretty much a huge no-no in China, or in any other high-risk area.


Are there any security benefits of your laptop policy?

My question is: does this loaner laptop policy provide significant security benefit over taking the user's normal machine?

Nope. The reason is that you ended up connecting to your corporate network's VPN. I took a lot of disposable tech to China, and it ended up getting hacked every single time. I reformatted afterwards, and the infection persisted. Had I connected that to an important network where I had read/write access to critical things, I'd be in for a world of trouble.

If you want an Advanced Persistent Threat spreading everywhere, go for it. Personally, I want all the infections so I can reverse-engineer them! :-) However, considering your company likely has secrets to protect, I would not trust this laptop policy.

In fact, what you're describing - the way you used the computer - sounds like a goldmine to a skilled hacker, or even a script kiddie who can automate the attack. What would you do at this point if you considered your data breached? It could just be the early stages of a breach, getting the data ready for a phishing attack, or you might've had more important information available to potential attackers.


But what about the corporate VPN?

Keep in mind, as I've stated several times, if you connected to your company through the corporate VPN, and someone in China or elsewhere infected your machine, then anything you're allowed to do on that corporate network is also accessible to them. Are you allowed to create/read/write critical files and folders? So could they.

Again, whatever you're allowed to do on your corporate network, so can they if they control your computer. This could be done silently without you realizing it, even while you're on the system.

Mark Buffalo
  • Explanation for the downvotes, please? Thanks. – Mark Buffalo Nov 20 '15 at 16:30
  • 13
    I don't understand the downvotes either - the information you have provided is spot-on. Firmware based attacks are a huge vector that most IT techs just aren't aware of. Laptops for international travel to countries known for espionage should always be handled by security professionals. – Byron Jones Nov 20 '15 at 16:36
  • There's also `BadUSB`, which takes all of a few seconds to get going. – Mark Buffalo Nov 20 '15 at 16:45
  • 4
    The questioner was asking why the policy existed and if it was an improvement over taking the standard laptop. You have taken the assumption that he was immediately compromised. He never made that claim. – Burgi Nov 20 '15 at 16:45
  • @Burgi I assume that if you're working for an important company, and you bring a laptop to China, you're immediately compromised. The OP asked if the policy made a difference. I explained why it didn't. – Mark Buffalo Nov 20 '15 at 16:48
  • 5
    Burgi, it has been proven that China regularly targets industry visitors for tech espionage. It is a very common and widespread practice. – Byron Jones Nov 20 '15 at 16:50
  • 1
    @MarkHulkalo I was only pointing out the potential reasons for the downvotes – Burgi Nov 20 '15 at 16:50
  • 1
    The laptop hard disk was encrypted with Bit Locker, and it was powered down when I was not in the room (and in the hotel safe, which I realize only protects against casual theft and not a determined adversary). The laptop did not contain any top secret data or anything like that. If it did, I would have taken many more precautions (the most basic being - don't take the data!). I think the worse that would happen would be to use the laptop data for additional leverage to pivot into our corporate networks or for phishing style attacks. – Stone True Nov 20 '15 at 19:29
  • @StoneTrue They can still power it up and infect the bios, or do something to the hardware while you're gone. Even worse, drive-by downloads that mimic updates, or a 0day exploit here and there. If you connected to your corporate VPN while abroad, then they would've likely had access to the same things you did. – Mark Buffalo Nov 20 '15 at 19:30
  • @MarkHulkalo - true. I like the idea tamper seals to prevent against the hardware and will recommend that to our IT guys. I looked at the link on the BIOS infections - would that work on a UEFI machine? I am not an expert but I believe any BIOS malware would require a digital certificate that is UEFI compliant in this case. Not beyond the capabilities of a nation state actor of course, but if they want me that bad... – Stone True Nov 20 '15 at 19:42
  • @StoneTrue Not beyond the capabilities of a random hacker, either. Many nation-state actors are using random hackers they found somewhere. It doesn't even have to be the government after you; it could be a competitor. – Mark Buffalo Nov 20 '15 at 19:54
  • @StoneTrue Regarding UEFI bios malware, [check this](http://www.pcworld.com/article/2948092/security/hacking-teams-malware-uses-uefi-rootkit-to-survive-os-reinstalls.html). – Mark Buffalo Nov 20 '15 at 20:06
  • 3
    I am not surprised. I use a different BIOS, but there is no reason to think that my UEFI BIOS manufacturer would not be susceptible to the same thing. I still think the malware writer would need a stolen certificate, but that has occurred (although as a feature of the Stuxnet worm). Maybe I will just take a pencil and pad on my next trip... – Stone True Nov 20 '15 at 20:11
  • @StoneTrue - please don't forget to take a disposable dumb phone as well. – Deer Hunter Nov 20 '15 at 20:13
  • 4
    2 cans and a really long string... – Stone True Nov 20 '15 at 20:15
  • @DeerHunter I always buy a disposable phone in China when I go. But yeah, a disposable dumb phone is a good idea. And StoneTrue, when you visit China with your "UEFI Bios Machine," keep in mind it was manufactured in China. ;) – Mark Buffalo Nov 20 '15 at 20:15
  • @MarkHulkalo - actually made in Taiwan, but no doubt with components made in China. Will need to validate sourcing of pencil and pad and dumb phone... ;) – Stone True Nov 20 '15 at 20:41
  • 2
    The only valid items in your rather long entry are (i) re-use of passwords and (ii) firmware attacks. Everything else is FUD, borderline insulting the security team when you have no information except for your interpretation of the question and filling in the blanks with your assumptions. I strongly recommend editing out all the suppositions, and sticking to the point. – lorenzog Nov 21 '15 at 14:07
  • 2
    @lorenzog A "security team" that lets you connect laptops and phones into their networks that came back from China, the world's #1 corporate espionage hotspot, wherein there are countless documented events of companies being hacked the same way I describe, isn't a security team at all. It's a team of nerds that don't know anything about hacking, or other countries. – Mark Buffalo Nov 21 '15 at 14:11
  • @lorenzog The topic of this board is "information security." I'm showing OP how to avoid common Chinese spying methods, and what "they" could've done to penetrate Stone's corporate networks through their machine. Yes, I'm making *some* assumptions, but these are all common attacks, and things OP needs to take into account while visiting abroad, and assessing any damage done. – Mark Buffalo Nov 21 '15 at 14:15
  • 1
    I find this answer written in a very bizarre tone of voice, for example what value would the statement "That may not have helped you at all." ever have? – Celeritas Nov 22 '15 at 03:12
  • 1
    -1 because this does not seem to answer the question in a comprehensive balanced way, no discussion of risk or how common specific attacks are, no assessment of potential benefits, just a list of ways some measures might, in theory, be defeated, which is a very superficial approach to security. One example to explain what I mean: the thing about firmware-based attacks. Does it mean it does help against other attacks? If yes why not explain which ones? If no, why focus on a relatively complex attack that requires physical access? – Relaxed Nov 22 '15 at 07:56
  • 1
    The firmware attack mentioned is going to be pretty difficult with BitLocker due to the TPM requirement and the additional boot security that comes with it. The adversary would have to be very resourceful to find an exploit in this (against experts from Microsoft, Intel and UEFI forum) and is almost never worth it for business espionage due to the risk of exposing the attack that could be used on higher value targets. – billc.cn Nov 23 '15 at 14:36
  • @billc.cn True, but there's ways around it by simply pushing a drive-by-download or fake update on the user of the machine. Hotel web portals are notorious for this. While they're using the machine, you can use it to do whatever you'd like without them noticing. That isn't very difficult to pull off, and you can simply map corporate network drives if accessible (whatever is accessible via the VPN, is accessible to the attacker). The idea is to get information in any way you can, the easier the better. – Mark Buffalo Nov 23 '15 at 14:40
  • 1
    @MarkHulkalo I agree. (My comment was only on firmware.) Other factors are highly exploitable and probably are actively attempted. – billc.cn Nov 23 '15 at 14:49
23

Industrial espionage is unfortunately very common in China.

There are cases where spyware was installed on computing devices (allegedly by hotel staff) and in some cases even hardware spying devices were put into notebooks.

Wiping every loaned notebook is a good way to get rid of any spyware. Some advisories suggest to weigh any hardware before and after a business trip and investigate if it somehow gained a few grams. Your IT department might or might not do this when receiving a loaner.

However, this does not prevent any spying which happens during the business trip.

Philipp
  • 8
    Can confirm. I've seen hotel staff using wireshark in a corner, and have had malware installed on my laptops several times. – Mark Buffalo Nov 20 '15 at 15:55
  • 4
    There are foreigner-only hotels, so yeah, staff that has multiple skills. ;) Many hotels do not allow foreigners to stay there. – Mark Buffalo Nov 20 '15 at 17:10
3

You should be provided with a laptop with no company information on it that isn't absolutely essential. Where possible, access to secure company internals should be prevented. Rather than your regular corporate email account, your company should provide you with a web based email account which is not part of their normal internal system - Gmail, Outlook.com, etc.

Upon return to the company, the computer should be returned immediately to the IT department. A routine virus scan will not be of use here, because they would almost certainly be using custom crafted exploits that aren't actively scanned for.

The company should erase the computer, REFLASH ALL FIRMWARE, and then reimage the computer.

For forensic purposes, performing a full SHA hash scan of the computer drives and firmware before and after the trip might provide useful information about what attacks took place.

Last but not least, make CERTAIN that whatever passwords you use on this trip are in no way similar to the passwords you normally use.

Byron Jones
  • 4
    I wouldn't even trust a firmware-flashed laptop at this point. It's possible for them to come into your hotel room while you're gone, and implant devices there. – Mark Buffalo Nov 20 '15 at 16:54
  • 2
    I'll second @MarkHulkalo. I'd recommend an old laptop from the to-dispose pile, and physically destroying it on return. – Dan Is Fiddling By Firelight Nov 20 '15 at 21:52
  • Installing deepfreeze and blocking company internal access & admin access would be the best thing to do in my humble opinion. – ave Nov 22 '15 at 16:39
  • While I agree that separate laptops should be used, I'm not sure I see the benefit of physically destroying it. As long as the computer is used exclusively for visits to regions where it would be hacked, I'm not sure that whether it is hacked once or ten times ultimately makes much difference. Erasing the drive and reflashing firmware should be sufficient for most users who aren't top level security assets, who wouldn't be taking a laptop to China anyway. – Byron Jones Nov 24 '15 at 15:56
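The before/after hash scan suggested in the answer above, as an added example that is not code from the answer or from any tool it mentions. It builds a SHA-256 manifest of a file tree (a mounted disk image, plus a firmware dump taken with an external programmer and dropped into the same tree), stores it off the device, and on return diffs a fresh manifest against the baseline, reporting added, removed and changed paths. Every path and file content in `demo()` is constructed for the illustration, including the "firmware" blob and the planted executable; nothing here is a real sample.

```python
"""Before/after integrity manifest for a travel loaner (added example; constructed data).
Baseline the tree before the trip, keep the manifest off the laptop, diff on return."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a multi-GB image or firmware dump fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its hash, size and mode.
    Symlinks are recorded by target and not followed, so a planted link cannot
    redirect the scan to a benign file."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                manifest[rel] = {"symlink": os.readlink(p)}
                continue
            st = p.stat()
            manifest[rel] = {"sha256": sha256_file(p), "size": st.st_size,
                             "mode": oct(st.st_mode & 0o7777)}
    return manifest


def diff_manifests(before, after):
    """Return paths that appeared, disappeared, or changed in hash, size or mode."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON; this file (and its own hash) belongs off the laptop."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, diff. Returns the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        disk, store = Path(tmp) / "disk", Path(tmp) / "store"  # store = IT's off-device copy
        store.mkdir()
        for rel, data in {
            "EFI/BOOT/bootx64.efi": b"MZ" + b"\x00" * 64,
            "firmware/bios.bin": bytes(range(256)) * 4,  # stands in for a SPI flash dump
            "Users/traveler/notes.txt": b"itinerary\n",
        }.items():
            (disk / rel).parent.mkdir(parents=True, exist_ok=True)
            (disk / rel).write_bytes(data)
        save_manifest(build_manifest(disk), store / "baseline.json")

        # Simulated tampering while the machine was out of the owner's control.
        bios = bytearray((disk / "firmware/bios.bin").read_bytes())
        bios[0x10] ^= 0xFF  # one patched byte in the "firmware" dump
        (disk / "firmware/bios.bin").write_bytes(bios)
        (disk / "Windows/Temp").mkdir(parents=True)
        (disk / "Windows/Temp/update_helper.exe").write_bytes(b"MZ" + b"\x90" * 32)
        (disk / "Users/traveler/notes.txt").unlink()

        return diff_manifests(load_manifest(store / "baseline.json"), build_manifest(disk))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats that follow from the other answers on this page: hash the drive from a trusted boot medium rather than from the booted OS, since a rootkit on that OS can return whatever it likes for a file read; and a manifest only covers what was dumped, so a hardware implant of the kind Forge describes, or firmware on a controller nobody dumped, is invisible to it. The baseline must also be stored (and its own hash recorded) somewhere the laptop never touches, otherwise an attacker who rewrites the files can rewrite the manifest too.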
2

From the POV of a hypothetical black hat, there are lots of ways to compromise a laptop that a disk wipe or even a firmware flash can't touch. Imagine a very small hardware device, basically a SOC and a big lump of flash. Wired into SATA power, with data lines connected to the keyboard data lines. Just record all raw keystrokes for 64GB or 128GB worth of time, overwriting oldest with new when full, and attempt to recover/refresh if/when the laptop comes back in country. Trivial to do, not very expensive (on large corp/government scales), and would likely manage an acceptably high success rate, while being completely immune to reflashes and disk wipes. This is about 5 minutes thinking, with a government-level effort, things could get much, much nastier, very very quickly.

Forge
  • The major downside of such a gadget is that some of your targets will find it and say so on the internet, and so precise details of your method will be out there quite soon. That's basically why (as shown in Snowden's leaked files) the NSA's policy is to use its best secret attacks only on high-value targets. – Steve Jessop Nov 21 '15 at 01:37
1

The short answer (as usual) is, it depends. Given your scenario however using a loaner does make things harder for a potential attacker, so by definition it provides some security benefits.

Of course the devil is in the detail and in the end it depends on how motivated your attacker is.

However, there is one thing you did not mention: does your company provide access to your mail via Outlook web app and if so, does it enforce two factor authentication or VPN access?

If the answer to the previous question is 'no', then consider this scenario:

  • Your laptop had a keylogger installed at some point, or was 0wned via a zero-day
  • You typed your password to access the VPN
  • That same password gives you access to your e-mail via a web interface
  • That web interface does not require the second token

Obviously this is borderline paranoid, but it really depends on the value of what you're trying to protect.

ps: did you bring your own iPhone charger?

lorenzog
  • Our company does allow Outlook web mail which does not have to run through the VPN (I always use the VPN anyway as there is more functionality using full Outlook). Only user name & password required. I brought my own iPhone charger and plugged it into the wall. Are you saying there is malware in the 240VAC?!? ;) – Stone True Nov 20 '15 at 16:36
  • @StoneTrue no the wall socket is fine, but if you hadn't brought in your charger and instead used the laptop's USB port to recharge it.. – lorenzog Nov 20 '15 at 16:52
  • @StoneTrue however, if your username and password were compromised by a keylogger, then an attacker could log on to your e-mail and escalate things from there e.g. sending out malicious attachments or phishing links posing as you, etc. It's a far fetched hypothesis but worth considering depending on how paranoid your IT department is. – lorenzog Nov 20 '15 at 16:53
  • @StoneTrue: Getting your own charger is good because "chargers" can inject malware across the USB cable. – DeepSpace101 Nov 20 '15 at 17:15
  • @DeepSpace101 - only if plugged into a USB port as opposed to a wall socket right? Although it IS possible to carry data using electrical wires. Rather common actually to extend WiFi (e.g. http://www.cnet.com/topics/networking/best-networking-devices/power-line-adapters/). I wonder if such a signal could get through the transformer & rectifiers on the charger? – Stone True Nov 20 '15 at 19:36
  • 1
    @StoneTrue But you do plug your iPhone into a USB port even when charging from the wall. You use a "wall-to-USB adapter" i.e. a charger. If someone else gives you a charger, there's a chance it's actually a tiny computer. – user253751 Nov 20 '15 at 21:56
  • @StoneTrue: No, the "wall charger" plugged into the wall outlet can be an embedded micro-controller (with/without its own wifi) that can inject malware over the USB cable. This isn't just theory, it's cheap too. Source: My eyes at DefCon as well as this from 4 years back: http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/ – DeepSpace101 Nov 24 '15 at 15:34
0

Many companies require employees to bring loaner devices for entry into China or Hong Kong, for two main reasons: risk that Chinese authorities will steal intellectual property off the devices for use by domestic companies, and risk that they will install malware to enable them to do so when the device returns home.

jetset