
My 3rd gen ThinkPad X1 Carbon with Windows 10 (protected by BitLocker) and Ubuntu installed asked for my recovery key. Thinking it was just a kid messing with it, I typed in the recovery key. But there are a few things that raise suspicion:

  1. The Ubuntu bootloader was disabled (it boots directly into Windows). I don't see how someone could have done this without booting from a flash drive or logging into Ubuntu or Windows.
  2. When I tried making it not ask for the recovery key again by disabling/re-enabling BitLocker, it would still ask for my recovery key (I was only able to fix it by decrypting and re-encrypting the hard drive).
  3. Over a thousand dollars' worth of cash was missing, and the same two people had unsupervised access to the cash and my computer.

I didn't set up a BIOS password, and Secure Boot was disabled during the suspected attack. However, I did set up a BIOS password and enable Secure Boot afterwards, and it booted up (so either there wasn't a hacked bootloader or it was more sophisticated malware that automatically fixed the bootloader upon booting or modified the BIOS itself).

Note that this person is not (to the best of my knowledge) a programmer, and even if he was, I only told him where I work a week before the suspected attack (so I'm not sure if anyone could have written something that fast anyway).

So the question is: Could this have been caused by an available rootkit?

genealogyxie

0 Answers