Ericsson and Intel Offer Remote Notebook Lockdown

MojoKid writes "Ericsson and Intel have announced that they are collaborating on a way to keep your laptop's contents safe when your laptop goes MIA. Using Intel's Anti-Theft Technology — PC Protection (Intel AT-p) and Ericsson's Mobile Broadband (HSPA) modules, lost or stolen laptops can be remotely locked down. Similar to Lenovo's recently announced Lockdown Now PC technology, the Ericsson-Intel technology uses SMS messages sent directly to a laptop's mobile broadband chip. Once the chip receives the lock-down message, it passes it to the Intel AT-p function, which is integrated into Intel's Centrino 2 with vPro technology platform. Unlike Lenovo's anti-theft solution, the Ericsson module includes GPS functionality as well."

lapjacking

[Skapare]

And once the codes to do this leak into the wild, laptop hijacking and ransoms will be next.

well

[scapermoya]

aside from the security risks, this can only become an effective deterrent if it sees widespread use.
good luck with that.

Government backdoor

[Lead Butthead]

The question is if this... feature has a government backdoor to 'assist' in 'terrorism investigation.'

Re:lapjacking

[Paradigm_Complex]

Unless the actual laptop owners get to set/change the codes themselves - as well as disabling the feature completely - in which case it won't be any worse than SSH/remote_desktop/et al.

Re:well

[fuzzyfuzzyfungus]

I suspect that this is less about deterrent and more about mitigating data loss. Laptops are cheap(and, given that this hardware and service aren't exactly going to be free) the cost of replacing some when they get stolen is probably lower than building all sorts of fancy features into them. Being able to nuke the data on the system(specifically, nuke the crypto keys to the disk's already encrypted contents) could be well worth the money for a fairly broad swath of business type purposes.

They crypto keys should be off-drive anyways

[davidwr]

Here's how I would build a lock-downable laptop:

BIOS/preboot environment: Looks to an external device, probably a USB stick, for part or all of the crypto key. Use that to decrypt boot loader on hard disk or other boot device and follow its instructions. Of course this should have a passphrase.

Boot loader will look to whereever it chooses for crypto keys for the rest of the drive. These may be the same keys as the bootloader used or they may be something else. They may be partially or completely downloaded from the Internet, and once decrypted with a passphrase, are stored in memory or better yet only on the CPU in such a way as they are never stored in a paged-memory file.

Furthermore, really sensitive data can be encrypted in container-file partitions, encrypted compressed files, or what not using OS- or application-level-encrypted containers.

This, in conjunction with an "lock all I/O and networking and turn on the screensaver" software when the user is away from the computer, will render it very difficult to get at the data on the drive, difficult to deter all but the most determined adversary.

Now all the user has to do is remember to remove his USB stick after booting. Of course, if his laptop does get stolen he's still out the replacement cost of the machine and the cost of restoring his data from backups.

Re:They crypto keys should be off-drive anyways

[tomhudson]

Terrible idea. Now you have yet another failure point - losing the off-drive crypto keys. You don't even need to physically lose the USB key - just break it, have it die from static discharge, etc.

People lose things a lot more expensive all the time - ask anyone who's ever lost a cell phone, or left a laptop on the roof of their car, or lost their wallet or purse.

Re:horrible idea

[tomhudson]

It'll become a source for used/spare parts. Need a battery? A charger? A new screen because you left your lappy on the car roof and drove off? A new keyboard because you spilled crap on it? A bigger hard drive? Extra ram? A new case? A spare drive caddy and connector? A cheap DVD/Blu-Ray upgrade?

The easily-disposed-of parts of a disassembled laptop are worth as much as the whole lappy.

Re:horrible idea

[SanityInAnarchy]

I mean yeah it's supposed to stop people from stealing your much more valuable personal data but that should be password protected anyway with a directory hider/protector (not like a compressed archive file with a password cuz that's too slow) so why bother?

Your ignorance is showing...

Compressed archive files are plenty fast, depending on what you're trying to protect. The real problem is, what happens when you "open" them? Most of the time, it'll be unpacking them to a temporary directory, opening them with some random program on your (unencrypted) hard drive (likely without anything to prevent it from being swapped out, so now your stuff is on disk in the clear twice), saved back to the temporary folder (three times, if you're still counting), and put back into the archive.

Plus, there's now a mention in Recent Documents, and all kinds of other information letting people know, at the very least, that you have some encrypted files, and what their names are.

This applies to Truecrypt also, by the way, unless you're using it for fulldisk encryption.

And if you're encrypting the whole disk -- where will you keep the encryption keys? How will you boot? Doing it in hardware suddenly makes sense -- probably a slight performance boost, also.

And once you're doing that, having a way to remotely destroy the crypto keys also makes sense -- if you're paranoid enough to encrypt your whole hard drive, this is the next best thing to putting thermite in the case and triggering that remotely instead.

It's not a deterrent, it's a way to make the crypto much more secure.

Re:They crypto keys should be off-drive anyways

[sumdumass]

The problem with a thumb drive security stick or removable hard drives and such is that they will all end up in the same bag as the laptop making the separation pointless when someone takes the entire enchilada.

Sure, you can keep them separate but lets be practical here. Keys end up making it onto key rings with other keys, phone numbers all make it to the same places, and so on. It will either be something that is lost or kept together for convenience reasons.

Re:lapjacking

[afidel]

You keep talking about codes, WHAT codes? The payload that activates the feature (at least in the Lenovo implementation) is a cryptographically signed message, there is no default code! It's just like Blackberries, a cryptographically signed message is received by the device and it initiates a wipe of the device, it the case of the Blackberry it wipes the RAM and flash areas, in the case of the Lenovo it wipes the storage keys from the TPM chip.

Re:They crypto keys should be off-drive anyways

[jack2000]

How do you know it isn't?