Let's say you're in a public café, or conference, where you trust your device won't be stolen if you go to the bathroom for 5 minutes, but you don't trust it might not be tampered with.
What are the potential security risks I might run into here, assuming I lock/log off my laptop's (windows / mac / linux) user session, maybe even turn it off?
I reference the 10 immutable laws of security, especially #3:
If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Of course a computer sitting unattended at a coffee shop for 5 minutes isn't going to be as vulnerable as a computer that spends a year at NSA headquarters, but you would be surprised how quickly someone with physical access can cause trouble.
This is a bit broad and I'd like to avoid a book for an answer, so I'm going to just focus on one class of attacks that most consumer laptops are vulnerable to: USB-based attacks. USB is fun because a USB port can be used for almost anything. This has lead to the classic form of an evil maid attack, whereby an attacker simply plugs a device into your USB port that promptly owns your computer. This can take a number forms, but I'll list just a few:
Here is a longer list, but since this is an entire class of attacks options will change and google is your best bet here. Many of these attacks require a device to be plugged in for just seconds. They can leave your computer completely compromised or just plain dead (aka the most effective DoS). Is this likely? Probably not. Is it possible though? Absolutely, with little effort, so long as someone is walking around with a device in their pocket.
The two answers so far have focused on inserting a USB device in the laptop. I'd be more concerned about inserting a PCI(e), firewire, or similar device with direct bus access into an expansion slot of the laptop. While USB doesn't have direct access to memory, various expansion cards do and can read/write directly to memory without going through the CPU. More information available from Wikipedia
That means it's possible for someone to read and write the entire contents of your memory directly by inserting a rogue expansion card in your computer.
I'll add that this is relatively unlikely, unless you're being targeted by an intelligence agency, or maybe highly organized criminals going after you personally. I don't know that a piece of hardware like this is commercially available.
Most laptops have provision for booting from an USB disk. If this is not blocked at BIOS level, an attacker could boot on their system disk, and then mount your physical disks and do whatever they want (read/write). This a the standard way to (re-)install a system.
I have a simpler risk: Social engineering. Much easier to do if the attacker can write down asset number (look on the backside of the laptop), telephone number of the support and the login name visible on the locked screen, and potentially know the company. Computer name (if on an asset tag) could also be useful for later mischief like faking an ID in the company network, credible camouflage when doing MITM and other funny things.
The answer is actually anything between „nothing“ and „anything“ and depends heavily on the device and the scenario you‘re talking about.
Most likely scenarios would be:
The following assumes that the attacker did not observe you entering your passcode, which is a realistic scenario as well.
The USB attacks mentioned here are mostly effective against unlocked devices. While the attacker could leave something plugged into the USB port, there is a high chance that you‘d discover it before you unlock.
The attacker could „bug“ your device in other ways, but it would have to be done in a way that you don‘t discover when you return. That will be very hard to do in 5 minutes and requires pre-planning.
Someone who is after your data could of course simply steal the device, which is presumably unattended. Then they can spend more time and effort on the attempt; though you would obviously notice that it has gone.
If the device is off and encrypted, the only way to gain access would be a dictionary or brute force attack on your passcode; everything would depend on the security of that.
If the device is encrypted and turned on, the encryption will be unlocked. The attacker may be able to extract data from the running system. This may require some custom hardware and the difficulty will depend on the type of device.
If the device is not encrypted, reading the data is trivial.
The chance that a random stranger will just walk by and hack an encrypted, locked device is remote - unless you are at a security conference.
If you have to worry about being targeted, there may be a credible threat.
But if you‘re defending against a targeted attack, just thinking about the device itself would be too narrow in scope: The attacker could also try to slip an actual bug into your bag or jacket. Or try to slip a USB device into your conference bag that looks like swag, in the hope that you connect it yourself. Or try to film or observe your passcode when you come back, in preparation for a later attack.
Against a targeted attacker, „device not compromised after toilet break“ doesn not equal „safe“.
The most probable „attack“ is still theft - even if only to sell the thing. Or, if they want to vandalize the machine, they could also just spill coffee over it and be done.
[1] I noticed the part where it says you „trust it not to be stolen“, though it is hard to imagine a situation where the device would be „supervised“ enough not to be stolen and yet tampering goes unnoticed. Many or most of the techniques mentioned here (including rebooting and entering the BIOS) are more conspicuous than theft in the first place.
Left turned off: variants of "evil maid attack" (compromising your bootloader in order to obtain your encryption password). Or if not encrypted - just booting from an external media and getting whatever interesting left in the filesystem and/or installing rootkit. Opening and plugging your storage elsewhere is also an option.
Left turned on and locked:
(1) turn it off and see above (you will notice but it may be late).
(2) without turning off: Exploit some external device driver vulnerability with some evil device (USB, eSATA, FireWire, mini-PCIx, NFC, CCID, power supply data interface, whatever) and gain partial or complete control. Yes, broken drivers do exist and most modern OS in their default setups readily load them when presented proper device IDs over the interface. Besides broken device drivers there are also broken application stacks (network, HID, pkcs11, whatever)
(3) Denial of service: Trying few wrong passwords and locking out your account (not every OS reports that your account is locked)
(4) Mounting remote attacks against Bluetooth, Wifi, NFC, IR, whatever - some of them require visible equipment in physical proximity.
(5) Collecting physical fingerprints from your keyboard for later use against fingerprint-enabled phone or the laptop itself.
(6) Installing spy hardware in your computer (ex. replacing your external or swappable battery, mouse, power brick or something else w/ something looking similar and having cell-enabled tracker and/or mic)
The list can really go on and on. Some of these attacks are complex and/or targeted, but pretty much doable.
Here's a specific scenario. You have a ThinkPad, and like most ThinkPad owners you have never set a supervisor BIOS password.
Note that a ThinkPad BIOS has two different passwords, in addition to any hard drive passwords. There is a supervisor password and a power-on password.
The power-on password lets you boot the machine. This password is easy to reset; in fact the Hardware Maintenance Manual for many ThinkPads lists the procedure to reset it. It is often as simple as removing the main battery and CMOS battery.
The supervisor password is required to change BIOS settings. This password is much harder to reset. The official method is to replace the system board. The unofficial method involves getting an SPI flash programmer, capturing a copy of the current BIOS, sending it to a company in Romania who will patch the BIOS for you, and then flashing their patched BIOS on your machine.
Because you did not set a supervisor password, anyone can boot your machine into the BIOS and set a new supervisor password after messing up your BIOS settings. This would take only a minute or two and it would leave you with an unbootable machine and no quick and easy way to recover.
Of course, the bad person is thoughtful enough to leave you a sticky note offering to save you the trouble of going through the procedure above. They will give you the new supervisor password in return for a Bitcoin payment.
This answer covers a non-data-security risk that may also be worth considering:
Worst case" for a system with ANY hardware port - total internal destruction in seconds.
"USB killers" have been mentioned - and have been dismissed by a number of people as being no different to other physical destructive attacks.
This comparison is incorrect.
A "USB killer" is a (usually) USB memory stick sized device that plugs into a USB port
(or other port if so designed) and delivers a high energy and/or high voltage impulse into the port with the designed aim of destroying as much of the system as possible.
While USB killers are offered or promoted by some sources as ESD testing devices and to demonstrate whether the USB ports exhibit "ESD vulnerability" (some test) this is unlikely to be the reason that the cool-kid plugs one into your computer while you are absent. It is suggested by some sites that proper design will avoid damage from such devices. I have a Masters in Electrical engineering and 50 years experience. Should I wish (which I certainly don't) I could produce a device that would defeat all but systems expressly designed to protect against exceptional high energy high voltage attack. Opto or other couplers, isolation, high energy capable clamps, ... .
These devices really exist.
They are easy to build and trivially easy to use. They are often designed to charge from the USB port BUT can be precharged. A device using eg "super capacitors" can deliver an impulse in a very small fraction of a second that has enough energy to do substantial damage to much of the system.
If someone was keen enough (and a few may be) a wired capacitor bank could be used to deliver far more energy. Wire can run down a sleeve and across the palm of the hand to the "head". A device with minimal risk to the user could easily be produced.
There ARE people who think it is 'cool' to use these sorts of devices.
Also people who would perhaps like to do damage to your property using axe-attack, incineration, defenstration, Shotgun, Desert-Eagle or other "suitable means".
HOWEVER, of all these* the USB killer attack is (usually) silent, rapid, inobvious and fatal. It MAY be able to be implemented entirely covertly in seconds. ->
Sit at table opposite or near laptop.
Slide hand with USB killer in into nearest USB port.
Cycle.
Leave.
The device could be precharged - making killing time somewhere under a second from insertion to removal.
*The Desert Eagle or Shotgun is liable to be rapid and fatal.
Silence is not a known feature of either.
If the Bluetooth is turned on, attacks like BlueSmack Attack can be performed. If the USB ports are enabled BadUSB attacks are common. This can be possible in case of android device as well if USB debugging is turned on. Main concern is with open USB ports, an attacker can inserts wireless key-logger in the device and can collect keystrokes within the same network.
