Security researcher Georg Wicherski recalls a friend who was once stopped at the airport on his way to the Black Hat hacking conference. Security took his laptop, supposedly for a routine X-ray, but it seemed to be taking too long. He suspected something more nefarious: airports are an easy place for authorities to place malware on seized equipment.
That’s one of the reasons that inspired Wicherski, who works at cybersecurity company CrowdStrike, to modify a laptop in such a way as to make it difficult for adversaries to install malware on it, even when they have physical access to the device. Wicherski presented that research at the t2’15 infosec conference in Helskinki on Thursday.
“The aim is to make it impossible to place an implant without leaving substantial traces,” Wicherski told Motherboard.
The security steps he presented involve a combination of software and hardware modifications to a bog-standard Chromebook.
By using a setup that is not very common, border cops might not know what to do
Wicherski took several different Chromebooks, and instead of using the native ChromeOS, replaced it with Arch Linux. Linux generally allows for greater customization, from the applications available to how the operating system itself functions. Arch Linux is one of very many freely available versions.
From here, he added Coreboot, a piece of open source software that allows a user greater control over the boot process of the computer, so they can make sure that no malware is surreptitiously modifying the procedure, as well as a few other tweaks.
Wicherski said he chose Chromebooks because they’re pretty cheap, widely available, and compatible with Coreboot. They’re so cheap in fact, that for many people “if you’re really concerned something happened, you can just throw them away,” Wicherski said.
These customizations make it difficult for an attacker to use any sort of turnkey solution, presenting a barrier to any off-the-shelf equipment attackers might use. At border crossings, Wicherski said possible attackers might have “an appliance, that comes with a manual, and low-skilled operators.” By using a setup that is not very common, the border cops might not know what to do.
Wicherski also lays out some ways to modify the Chromebook hardware itself. It’s possible to remove a pin from the SPI flash chip—the chip that holds the BIOS, the program that lies underneath the operating system—to effectively make it read-only, meaning that an attacker couldn’t easily tamper with the files.
When combined with the Coreboot changes, this makes the boot process more secure overall. “By using Coreboot, which is really the first thing that executes on your CPU, and taking control over the computer as slowly as possible, then employing cryptographic signatures at every stage from thereon, it is much, much harder to develop an implant,” he said.
“This is not something I envision the average activist or journalist doing.”
Possible users of such a device could be hackers or technologists who focus on surveillance issues. Wicherski highlighted that the NSA has a particularly nasty capability of tampering with a computer’s boot process in order to persistently access a hacked laptop. He pointed out that some regimes target political activists and journalists with malware too, and that commercial espionage is also a possibility.
Staff from non-profits traveling to China are also concerned about their devices being infected with malware.
But it’s worth making clear that Wicherski’s method is very technical: it requires physically tinkering with the innards of the laptop, and a decent understanding of tweaking a computer’s boot procedure.
“This is not something I envision the average activist or journalist doing,” he said.
And it isn’t a silver bullet solution. “This only protects against software and firmware implant deployment at borders, [and] it mitigates some hardware implants,” he explained. “You still have to encrypt your communication; you are still vulnerable to software exploitation.”