12

I read an article describing how FBI agents snatched Ross Ulbricht's laptop while it was running to defeat full-disk encryption:

Two plainclothes FBI agents, one male and one female, walked up behind Ulbricht and began arguing loudly. This staged lovers' tiff caught Ulbricht's attention long enough to distract him from his laptop. As soon as Ulbricht looked up, the male agent reached down and slid the computer over to his female colleague, who quickly snatched it up and handed it over to Kiernan for further investigation.

Ideally, one would only operate computers from places that are more physically secure than a public library, but that is not always practical in the real world.

I imagine that journalists working in dangerous places and other well-meaning people are also vulnerable to the theft of running laptops (thus defeating full-disk encryption), and I would like to figure out how to help them.

What kind of security measures can protect the data on a running laptop being physically snatched?

James Mishra
  • Additionally, I have a handful of potential solutions of my own that I would like feedback on. Should I post them as an edit to a question, an answer to be commented on, or not at all? – James Mishra Jan 27 '15 at 05:26
  • Post them as an answer. If they are logically strongly separate, post them as multiple answers, although that's not common. You may wish to wait a while for other answers to show up, though, since that can increase traffic. – Nathan Tuggy Jan 27 '15 at 06:43
  • If I can give vent to a pet peeve: you're not "defeating" FDE by doing this; FDE is only for protecting your computer while it is turned off. – Graham Hill Jan 27 '15 at 12:03
  • I think that a program that can be used remotely to turn off the laptop, provided you are close enough (e.g. Bluetooth) or via the internet, could work just as well. – Freedo Jan 27 '15 at 20:16

6 Answers

8

In fact, operating a computer in a public place is not a good idea. If the place you choose can somehow be predicted, surveillance devices might be installed to, e.g., film you entering your password, making the snatching scenario unnecessary for your enemy.

The following measures (most taken from the comments here: https://news.ycombinator.com/item?id=8929906) could help to protect data on your laptop:

  • a physical connection between you and the laptop that is plugged in and shuts down the laptop once unplugged
  • an invisible connection (e.g. Bluetooth) that reacts to changes in the signal strength
  • a built-in or somehow attached accelerometer that detects rapid movements of the device
  • software that detects loud noise (e.g. you shouting as loud as you can)
  • software that uses the camera to detect a safe pattern (e.g. your face, your red sweater with that big cross in the middle)

All of these might eventually trigger in a moment where they shouldn't, so you might not want them to destroy your hard drive, or you should check whether the data that could be compromised is "worth" an accidental loss. Also, if you are observed, your enemy might eventually figure out what mechanisms are in place and will try to act accordingly.

Apart from that, you should not decrypt all of your sensitive data when in a public place. You might want to decrypt only the minimal subset that is required for you to work on whatever you have to do. That will effectively minimize the amount of data available to your enemy after a successful snatching attack.

Denis
  • Well, I guess I'm not as original as I thought. Most of the ideas I had were listed by you and the Hacker News thread. It looks like there are not many satisfactory implementations of these ideas, though... Might be something for me to do. – James Mishra Jan 30 '15 at 13:32
  • These are all great concepts. I'd like to see a multi-level protection implementing a Bluetooth (or RFID) connection, a camera that can detect a specific phrase when shouted by the owner (voice recognition with a large amount of discrepancy potentially built in), and additionally the pin switch suggested by @boggart. Not that I would have need of such a device... – Ramrod Jan 31 '15 at 04:46
  • Definitely a program worth proposing to the open source community... – Freedo Jan 31 '15 at 23:33
4

I saved the below from a comment on a post on Schneier's blog (schneier.com) some months ago:

A normally open pin switch is installed through the bottom of the case coming out of one of the feet. This switch is wired to a simple "power on time delay" circuit powering a relay coil that controls the connection between the main external power lead and the mother board. If the machine is lifted up, the switch opens and power is discontinued. The power on delay timer is such that the pin switch has to be depressed for about a minute or more before the relay is energized to supply power. Thus the power wants to be off. A quick interruption of contact with the machine from the desk kills power and it cannot be re-established without a delay.

I thought that was fascinating... and it seems to answer your question, sort of. Obviously, the idea applies to operation of a laptop without its battery installed. The theory of operation is that by using a delay circuit that takes a while to energize the coil of a normally open relay contact controlling power to the laptop motherboard, even a slight interruption of power will kill power to the laptop, and it will take longer to get power back to the motherboard than it would take for memory contents (including master keys for your hard disk encryption) to dissipate. Thus, if you're using full system encryption, the machine is effectively locked down.

I presume the circuit and relay would have to be installed inside the laptop case with some anti-tamper measures to be effective. It also seems like it would be (a) risky that you might move the laptop and trigger the switch when you didn't want to; and (b) that an attacker might isolate you and then avoid moving the laptop. I suppose a variant would be to have a dead man's switch attached to a cord or line of some kind so that pulling the person away from the machine would interrupt power.

boggart
4

One alternative is to do something like what is described in Locking and Unlocking a Linux Desktop Session with a Yubikey. Basically, you have a specific physical token that the computer is able to recognize (in the case of what is described in that blog post, a specific Yubikey), and when that token gets removed, the computer executes some arbitrary action (for example, locking the display, or triggering an immediate system shutdown; the latter might be a reasonable alternative when you are using FDE to protect sensitive data on disk). You then attach that token to your person for example by a chain to your belt, such that if the computer is snatched, the token is removed from the computer, thus triggering the desired action.

Now, don't for a second think that something like this would really protect you against law enforcement. The first thing any semi-competent IT forensics law enforcement officer is going to do is to make at least one exact duplicate of the hard disk's contents, which means that any form of destruction on wrong-passphrase entry is going to be ineffective. Next, if it turns out that the data is encrypted, it is perfectly possible that if they are unable to decrypt it themselves they will pressure you somehow into decrypting the data. Rubber-hose cryptanalysis (also Wikipedia) can be very effective. Or as it is put in the LUKS (Linux FDE) cryptsetup FAQ, on "Why is there no Nuke-Option?":

Now think of the typical LUKS application scenario, i.e. disk encryption. Usually the ones forcing you to hand over your password will have access to the disk as well, and, if they have any real suspicion, they will mirror your disk before entering anything supplied by you. This neatly negates any Nuke-Option.

Something like what I outline above will however protect your data from the petty thief, which for many is likely a more realistic threat. It won't protect the hardware (for that you need a slightly different approach), but hopefully if the data is in any way important then you have backups. In that case, loss of the computer itself means an inconvenience (waiting for a new computer to arrive) and a financial outlay for a new computer, but not disclosure of the data stored on it.

A thief is interested in the computer itself, but likely not the data. If the FBI are coming for you, most likely they don't really care about the computer at all, but are very interested in the data stored on it. Two completely different threat models with different mitigative strategies.

user
  • A nuke option is still a good idea, which is why Kali Linux baked it into their distribution. One of the annoying things about TSA is many times they _require_ that laptops are turned _on_ while being scanned. If you were in such a position, being forced to turn on and decrypt your data, nuking the drive header might be a good idea. They don't have a copy of your stuff at that point, and you can then recover your drive header when you arrive at your destination (you backed it up, right?). Otherwise, excellent answer! – Naftuli Kay May 31 '15 at 06:14
1

Let's say you had a laptop with a MagSafe power connection, full disk encryption, and no battery. You tether the power cord to your wrist. Any extreme movement would pull the cord and instantly shut off the laptop. Seems like such a setup might have made Ulbricht's situation tougher to crack, and pretty simple to set up.

Rocky
  • Almost wanted to post this as a question, but saw this existing question so I turned it into an answer. Comments appreciated -- does this approach sound reasonable? – Rocky May 31 '15 at 04:08
1

There are already excellent answers here, so read them.

Michael Kjorling posted an excellent answer using a YubiKey NEO, but it unfortunately makes things kind of awkward. You'd still need to tether the device firmly to your person somehow.

What I'd propose is the following:

  • have the computer measure Bluetooth signal strength for a low-power Bluetooth device that is kept conspicuously on your person.
  • once that signal descends below a certain point, lock the session.
  • after 3 or 5 (arbitrary number) bad password tries, shut down.

A script for measuring Bluetooth strength of a given device is pretty trivial in Python on Linux at least. I'm honestly surprised that the last step isn't a default option in modern Linux desktop environments. Android has a similar feature for steps 2 and 3 in that progressive password attempts get harder and harder until it finally asks for a Google username and password. Android's Smart Unlock (insecure, don't trust it) also incorporates the Bluetooth aspect of things.

Since the thief's time with an open, unlocked laptop is limited in that he's probably running or at least moving swiftly away from the scene of theft, he cannot do anything to compromise the laptop then. By the time he has successfully walked off with the laptop, it will have locked itself. He (or maybe she?) will likely try a few passwords, at which point in time the computer will power down and the attack surface will become your FDE solution, which should be hard to break.

Remember, however, the point of the theft: he wants to make money or use the laptop. Full-disk encryption? New hard-drive. Obviously, make sure that your session gets locked quickly, but otherwise, your main concern should be that you're out money for a new laptop.

Naftuli Kay
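Denis's Bluetooth-signal-strength item and the three-step policy in this answer (lock when the signal drops, shut down after a few bad passwords) can be written down as one small decision routine. This is an added example, not code from either answer: it assumes RSSI samples are fed in from a BlueZ tool such as `hcitool rssi`, that the caller wires the returned "lock" and "shutdown" actions to the desktop's screen locker and `systemctl poweroff`, and it adds a short debounce so a single dropped reading does not lock the session (Denis's accidental-trigger caveat).

```python
"""Proximity-lock policy: RSSI samples -> lock; bad unlock tries -> shutdown.
Added example; thresholds are assumed values, and the caller supplies readings."""
from dataclasses import dataclass

RSSI_THRESHOLD_DBM = -70   # assumed: weaker than this means the token is "away"
CONSECUTIVE_LOW = 3        # debounce: low samples in a row before locking
MAX_BAD_PASSWORDS = 3      # then power off, leaving only the FDE boundary


@dataclass
class ProximityLock:
    locked: bool = False
    bad_attempts: int = 0
    low_streak: int = 0

    def on_rssi(self, rssi) -> str:
        """One RSSI sample in dBm (None = token not seen). Returns an action."""
        if rssi is None or rssi < RSSI_THRESHOLD_DBM:
            self.low_streak += 1
        else:
            self.low_streak = 0           # one good sample resets the debounce
        if not self.locked and self.low_streak >= CONSECUTIVE_LOW:
            self.locked = True
            return "lock"
        return "none"

    def on_unlock_attempt(self, password_ok: bool) -> str:
        """One unlock attempt at the lock screen. Returns an action."""
        if not self.locked:
            return "none"
        if password_ok:
            self.locked, self.bad_attempts = False, 0
            return "unlock"
        self.bad_attempts += 1
        return "shutdown" if self.bad_attempts >= MAX_BAD_PASSWORDS else "none"


def run_events(events):
    """Replay (kind, value) events through one policy instance; return actions."""
    policy = ProximityLock()
    return [policy.on_rssi(v) if kind == "rssi" else policy.on_unlock_attempt(v)
            for kind, v in events]


# Constructed sample: owner present, one noisy sample, then the laptop is snatched.
SAMPLE_EVENTS = [
    ("rssi", -50), ("rssi", -48),
    ("rssi", -80), ("rssi", -52),                      # lone dropout: no lock
    ("rssi", -75), ("rssi", -85), ("rssi", None),      # token walks away: lock
    ("auth", False), ("auth", False), ("auth", False), # three bad tries: shutdown
]
```

`run_events(SAMPLE_EVENTS)` yields six "none" actions, then "lock", two more "none", and finally "shutdown".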
-2

A software approach would be to schedule a repeating forced shutdown command that runs every 1 to 10 minutes with a 5 to 10 second delay before it activates. Create a hidden shortcut to the shutdown-abort function and assign an easy shortcut key to it.

The drawback is that you will get a prompt that the PC is shutting down every time the task is activated.

But you can choose to activate that task only when you are in public places, and set the repeat interval according to your risk situation.

Bluetooth and face detection might not work, because you may be forced to stay in front of or near your laptop.

The best hardwired solution:

Level 1: Route the power switch and connect it inline with a fake jack leading to fake headphones (this also doesn't look suspicious and offers enough freedom of movement). You do have to clip the headphone wire to yourself somewhere along the way from your head to the laptop so it is not snatched along with it.

Level 2: No HDD. Boot your laptop from a live Windows, then remove the USB stick; use the live Windows to connect remotely to your data (another PC or the cloud). Recovering data from RAM is very hard.

Level 3: Route the switch to force a restart (harder, depending on the motherboard); restarting re-powers the RAM modules so they are wiped clean (from what I know).

Level 4: Use an additional open pin switch with a restart function.

Level 5 (if you feel there may be a way you will be immobilized before you can release the pin or disconnect the fake headphones): a Bluetooth device in your tooth that can trigger a restart when you yell, or if you bite hard on it in case somebody also puts their hand over your mouth.

user
  • Here is the time to start to use points at the end of your sentences and shift on their start, at least if you want to find a good place here. – peterh Jan 31 '15 at 08:58