I was robbed...

That included my Linux notebook and my company's notebook. Both are encrypted. Mine is encrypted with LVM over LUKS, using a passphrase to unlock the hard drive once the kernel has been started by the UEFI. But Secure Boot was disabled on the machine.

The company uses BitLocker in Transparent Operation Mode. They claim the computer would not boot if the hardware configuration is changed, and it was an HP notebook, which has special extra security.

However, for the thief who's not much interested in data, all this is not very concerning. On my setup, a simple USB stick containing an OS would allow them to reinstall an OS on the drive and sell the notebook. If I had activated the Secure Boot and set a password on the BIOS, it could have been more complicated. But not impossible. Whatever the security layer, all that is needed is to unplug the CMOS battery for long enough to reset the BIOS settings, and all that extra layer is gone.

One could think that the company's computer is a bit more secure, but recent issues with a patch by Microsoft showed that actually a reset of the BIOS is still possible to get access to the computer (not necessarily the data).

My new laptop has Secure Boot and a TPM (ASUS UX433 if that matters, but my question is more generic). Is it possible to configure the UEFI and TPM so that tampering with the configuration really locks the computer to those who don't have the necessary (recovery) secret?

(Let's consider for the question that really complicated manipulations such as unsoldering and replacing a complete component are outside of the scope. The issue here is rather that it is actually simple to reset the CMOS. On my desktop computer, it is even worse: moving a jumper at boot is enough, and it is well documented in the manual!)

ximaera
Cilyan
  • What does "useless" mean to you? –  Apr 13 '20 at 00:44
  • The Macbook Air has a firmware password which only can be reset in the Apple Store. A partial solution but worth a comment here I think. https://support.apple.com/en-us/HT204455 – nalply Apr 13 '20 at 09:53
  • I note disk encryption is not effective in a typical situation that the laptop is stolen while not being turned off. The lock screen is just a lock! – eli Apr 13 '20 at 11:50
  • @nalply yep, this would be the kind of solution that is interesting. The background idea is that the more the laptops are deemed "hard to reuse/resell" the less it would be tempting to steal them. – Cilyan Apr 13 '20 at 14:57
  • The laptops deemed hard to resell in one piece, like Macbooks, are known to be easy to sell disassembled for pricey spare parts. See, that's an arbitrage. There's no specific advantage to Macbooks here. – ximaera Apr 13 '20 at 21:20
  • @ximaera: Source? – nalply Apr 14 '20 at 13:12
  • @nalply source for what? I know a guy who has sold *his dead* MBP for spare parts. Dead is worse than just stolen. – ximaera Apr 14 '20 at 15:08
  • @ximaera Apple hardware is known for low repairability, so I assumed it's not worth it. It would be too much work to salvage and replace parts. But you say it's the opposite, so I would like to learn more about this. That's why I asked for a source. Is there a market for parts of stolen Apple hardware or similar, for example? – nalply Apr 14 '20 at 17:48
  • @nalply well, I've seen stores which advertise that they buy broken (and, probably, stolen, but I didn't check it myself) Apple hardware no longer than 2 months ago. Sure they are closed now but that's because of the force majeure. Quick googling reveals https://www.sellyourlaptop.co.uk/laptops.html — where they even buy iPads from you, devices much harder to repair. – ximaera Apr 14 '20 at 19:08
  • @nalply the simplest things that come to my mind are the keyboard (known to be faulty) and the screen. iFixit says those are still comparatively easily replaceable. The rest, well, depends on the average wage in your country. May be worth it. – ximaera Apr 14 '20 at 19:13
  • @ximaera, Thank you, you convinced me. In other words, it is impossible to make a laptop useless to thieves. Even Apple firmware locked hardware can be sold for spare parts. – nalply Apr 15 '20 at 01:24

2 Answers

First of all, my condolences for your loss! Hope you're alright.

If I understood correctly, your general concern is how to totally prevent further stolen device usage (and/or sale) by a criminal.

In this case, this question won't ever have any answer that would age well, because whenever your machine becomes unreachable physically, the only way to ensure no further damage is to nuke it from orbit.

And, in any case, even with Apple's "Find My Mac" service (or with the "Find My Device" feature of Windows 10), you definitely wouldn't be able to prevent disassembling your laptop and selling the components as spare parts.

Note that the laptops deemed hard to resell in one piece, like Macbooks, are known to be easy to sell disassembled for pricey spare parts; therefore, there's no specific advantage to Macbooks here. (Apple constantly makes its devices harder and harder to fix and repair, so, like I said, this answer won't age well.)

Apart from that, depending on the particular laptop model and the hardware configuration, there may be different ways (with different levels of reliability) to brick the device or its components. In general, those matters have something in common with re-flashing some of the built-in devices. If you're really concerned, you may even try to pick a laptop which is easy to kill with software; generally, googling might help you here.

There would hardly appear any initiative by the laptop vendors for making their devices easier to brick, because:

  • Making a device sustainable against physical access and damage is enormously costly and is effectively a never-ending arms race, as the DRM initiative quite clearly shows us;

  • It doesn't look like that's the incentive of the laptop vendors who won't really earn a lot in this battle (actually, probably quite vice versa).

The simplest way to brick a device in case of a theft and an arbitrary laptop is probably to attach a yellow Post-it to your laptop with something along the lines of password: 123 on it, and to run a bricking script when the incorrect password is entered. This won't be reliable, and nothing would be, but this would probably work in most of the cases.

ximaera
  • I totally understand that no solution is perfect, even iPhones which are supposed to be protected are still stolen because one can make a lot of money just by selling the parts. But yet, it seems that at the moment there isn't even any start of an effort by laptop manufacturers (apart from [Apple](https://support.apple.com/en-us/HT204455) maybe, thx @nalply). So I wondered if maybe TPM would bring some possibilities, even if not perfect. – Cilyan Apr 13 '20 at 15:04
  • Addressed that in the answer. – ximaera Apr 13 '20 at 21:28
  • @Cilyan Thinkpads have an anti-theft function in the BIOS. I did not test it yet, but it can make the laptop useless to thieves. – allo Apr 14 '20 at 13:12
Sorry to hear about that. Hope your backups were up to date.

There are several things to ponder here before going this route.

First one is the discussion about if you really want to brick it as opposed to making the laptop seem to work for the thief (while it does not allow access to anything sensitive) but in a way that phones home and may let you end up recovering the hardware (hint: some laptops have an internal slot for a SIM card).

Second is the amount of complicated manipulations you are comfortable doing to recover your own system when it falsely concluded that it has been robbed. Perhaps an employee reports the company laptop as stolen, so you trigger the quantum kill-switch for that device, which melts all its internal components. Next day he finds the "stolen" laptop on his car. Even with no user at fault, there will be some random misdetection. Plus you will want to test your bricking at least once.

Since you probably don't want to spend the cost of several laptops for it, you should be aware. It's the old tradeoff between making things hard for the attacker and bearing it off yourself. And the risk between an attacker accessing unauthorized data vs you losing access to your own data. If you are the NSA, the option for bricking would be clear but often there is a wish to make that hardware -that you were bricking on purpose- work again.

You still want to go on the bricking path? Good. It's possible that some manufacturer has some solution where there is a configuration in the TPM chip able to brick the hardware. Here I am providing a much simpler solution, however, that should be available to everyone.

Our goal is to brick the system if the Boot protection was disabled. Thus, I simply propose to check, early at the boot process (as a GRUB module?), whether the BIOS was tampered with and, in such case, wipe the LUKS header and "update" the firmware with a code that will effectively brick it, requiring those "complicated manipulations" to fixup.

It may be possible to reset the BIOS and enter its configuration quick enough, but more often than not, such early boot code would run.

How to detect if the CMOS was reset? A really simple way, available for any implementation, would be a current time check. As the date time will be reset to some early epoch, if it was earlier than some known date when you installed it (e.g. before 2020), you detect that time went backwards, assume it is a tampering attempt and brick the computer.

A more advanced check -and specific to your UEFI firmware, probably- would be to read some parameters from its memory and compare them with the known ones that should be configured. Bonus if you actually store a key there in some unused portion. Note that the verification code doesn't even need to know the "key" (which will be lost on reset), only a hash of it (note that unlike most cases, here we need it to be computed quickly).

Ángel
  • Thanks for the answer. Well, my backups were up to date. But they got them too... (sigh) For even a stupid reason: they mistook the backup drives for backup phone batteries. They did not take other HDDs. Just these ones. :'( They are all encrypted, so they will be useless to them, but to me also. Hopefully, other data are dispatched elsewhere, like family photos, and so on. – Cilyan Apr 26 '20 at 00:16
  • This is also a bit of the start of the idea behind the question. The burglars took the phone backup batteries because that can be sold. But not the HDDs, that are not worth it. If it was known that a recent notebook is most likely useless due to protections, it would help us, legitimate users, keep our goods longer. – Cilyan Apr 26 '20 at 00:18
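
The two detection checks from Ángel's answer above (a clock that has fallen behind the install date, and firmware values compared against known ones through a stored hash), as an added example that is not part of the original answers. It only reports findings and takes no action; reading the values from a Linux efivarfs directory, the `TamperCanary` variable with its GUID, and the canary living in storage that a reset actually clears are all assumptions, and the sample firmware states are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Real efivarfs name of the Secure Boot state variable.
SECURE_BOOT = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Hypothetical canary variable: name and GUID are made up for this example.
CANARY = "TamperCanary-11111111-2222-3333-4444-555555555555"
EFI_ATTRS = b"\x07\x00\x00\x00"  # efivarfs stores 4 attribute bytes before the data

def read_efivar(directory, name):
    """Return a variable's data without the attribute prefix, or None if absent."""
    try:
        raw = (Path(directory) / name).read_bytes()
    except OSError:
        return None
    return raw[4:] if len(raw) >= 4 else None

def tamper_findings(rtc_epoch, install_epoch, efivar_dir, canary_sha256):
    """List the signs of a firmware reset; an empty list means none were seen."""
    findings = []
    if rtc_epoch < install_epoch:  # clock fell back to the RTC's default date
        findings.append("rtc-before-install")
    if read_efivar(efivar_dir, SECURE_BOOT) != b"\x01":
        findings.append("secure-boot-off")
    canary = read_efivar(efivar_dir, CANARY)
    if canary is None:
        findings.append("canary-missing")
    elif not hmac.compare_digest(hashlib.sha256(canary).hexdigest(), canary_sha256):
        findings.append("canary-mismatch")
    return findings

def demo():
    """Run the check on constructed 'intact' and 'after reset' firmware states."""
    install = 1577836800  # 2020-01-01T00:00:00Z, the answer's "before 2020" cutoff
    secret = b"constructed-canary-value"
    expected = hashlib.sha256(secret).hexdigest()  # the checker stores only the hash
    with tempfile.TemporaryDirectory() as intact, tempfile.TemporaryDirectory() as reset:
        Path(intact, SECURE_BOOT).write_bytes(EFI_ATTRS + b"\x01")
        Path(intact, CANARY).write_bytes(EFI_ATTRS + secret)
        Path(reset, SECURE_BOOT).write_bytes(EFI_ATTRS + b"\x00")  # canary is gone
        ok = tamper_findings(1586736000, install, intact, expected)  # 2020-04-13
        bad = tamper_findings(946684800, install, reset, expected)   # 2000-01-01
    return ok, bad

if __name__ == "__main__":
    print(demo())
```

On a real machine the clock value would come from `/sys/class/rtc/rtc0/since_epoch` and the directory would be `/sys/firmware/efi/efivars`.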