I finished reading Cory Doctorow’s “Little Brother” (you can download and read it for free) over the weekend, and its put my mind cranking on security and privacy again. This is a topic that is near and dear to me, yet it seems as I get busy I don’t think much about it. Reading this book set the wheels in motion again, and I was thinking about how to set up whole disk encryption. That train of thought reminded me of a product by Wiebetech called a HotPlug.
The premise behind this product is that during a seizure, you may be able to catch a PC already booted, in which case the encryption key is already loaded and the data is available. How do you get it back to the lab without shutting down the system? Enter HotPlug. To make it simple, you attach the HotPlug device to the computer’s power cables (several methods available, from simple plug-in down to wire stripping and piercing) and this device seamlessly transfers power from the wall socket to your UPS. You can then take it in a powered up state back to the lab for forensic analysis. They also have a mouse jiggler device to prevent the screen saver from locking as well, assuming they executed the seizure while the target person was present and using the computer.
Thinking along these lines got me contemplating how to protect oneself against such a device. While I do not condone working to defeat a lawful seizure by warrant-producing members of law enforcement, I feel these attacks will become more and more common by more shady people, such as private investigators, corporate spys, and identity thiefs. Stealing a running PC with personal info such as bank account numbers, personal contacts, and online logins could become very much more valuable than the PC itself. The days of coming home and finding a missing PC with nothing else touched is getting near. With that in mind, I came up with some interesting ways to defeat the HotPlug:
- Have your system require a password within say 2 minutes of installing an unknown USB device. This would prevent the mouse jiggler from doing its job. It should not prompt for the password, but you would specifically have to go run the utility and enter the key. That way the attacker would not know he needed the password until it was too late. If the password is not entered in time, lock it down. By locking it down I mean wiping the key from memory (to prevent freezing the ram and reading the key) then powering the system off.
- Use some sort of hardware disconnect to trigger a lock down. If the LAN cable, USB hub, joystick, or any hardware device the system can detect is disconnected, lock it down. This would be especially useful if there is no way to move the system without unplugging something. As an example, don’t use a short cable to attach your machine directly to your network switch/router, otherwise they could leave the router on the HotPlug device too and defeat that security measure. Leave your router in another room or closet and use in-wall wiring to connect them. Having multiple hardware devices that must stay connected also takes the job from a one-person in-and-out job to a several person job to move all of the devices without disconnecting them. Think along the lines of PC, monitor, flat bed scanner, laser printer, external drive, and joystick. How easy would it be to move that computer with all of those devices remaining powered on and connected?
- Use a network based device to trigger a lockdown. For example, have your security software watch to make sure a specific IP or MAC address is available. This could be inside your network, or for even more security an outside source. If you have control of the outside source, make sure it only accepts requests from your IP. If the system is moved and re-attached to a different network (such as a cell phone network) in order to circumvent your security the system would still lock down. A drawback to this is in the event of a network outtage your system could lock down when you don’t want it to.
- Use a bluetooth device hidden somewhere else in range of your PC, such as an old cell phone. Plug it into its own power source separate from your PC (again, preferably a different room) and do not have a battery installed. This way even if they find and take the device with them, it will still power down and lose connection. When your PC loses contact with the device, lock it down.
- GPS presents several protection methods. Several laptops now-a-days have internal GPS devices. Program your security system to watch the location and if it moves more than say 1000 yards (to take GPS drift into account) lock it down. This could be paired with several of the methods above too. Bluetooth, disconnect or (if they find the GPS device) location change will lock it down. A USB GPS receiver attached via a long-distance USB cable that can not be moved without disconnecting it would also provide double-protection (if they manage to find a way to move the device while maintaining its connection to the PC, the location change would still lock it down later.
I can think of several varients of the above using different technology, such as cellular data cards (if it detects a tower outside of the normally available towers) WiFi network detection (if the available AP list changes more than X percent over X amount of time) and so on. In a way these methods of protection are modifications to the old dead man switch idea made popular in several movie plots, only these ideas may be a bit more convenient for the user to have in place. What ideas can you come up with to protect yourself in the event that your computer is stolen?