Nov 22 2010

Summary

This post outlines why and how travelers with laptops, especially business travelers, are put at risk by border police searches of their computers.

I also attempt to present some techniques as to how this risk can be avoided, or at least mitigated.

Thus Far

The United States Transportation Security Agency, and the United Kingdom’s Regulation of Investigatory Powers Act (RIPA) have one thing in common — they expose travelers carrying sensitive information to risk.  A few relevant links on the subject:

Security researcher Moxie Marlinspike profiled and detained, equipment confiscated (later returned)

Wikileaks volunteer and developer David Appelbaum detained, equipment confiscated (some of it returned)

ACLU mounts lawsuit against baseless border laptop searches (a warrant is required since 2009)

UK man jailed under RIPA for refusing to hand over encryption keys to laptop

The USA and UK are by far not the only countries where user laptop or portable device data is put in danger.  In other nations, individuals may encounter draconian police laws (e.g. in totalitarian states) or corruption, and some other developed, stable, democratic countries occasionally make legal provision for confiscation of devices or investigation of data.  For example, in 2006, Brazilian federal police raided the offices of Credit Suisse, as well as the homes of several senior bankers.  What kind of access this gave them to business-critical data is open to speculation.

A Hypothetical Situation At the Border

The scenario that most concerns us is as follows:

A user (let’s say a busy manager) boards a flight.  He is on his way to a business meeting, to negotiate a merger.  On the flight, he relaxes and opens his laptop to get a bit of work done, editing his presentation for the first meeting, then becoming a bit distracted and looking over pictures of his little daughter playing in a kiddie pool.  The manager is annoyed at his chatty neighbor trying to crane his neck to get a look at his monitor, but his privacy screen blocks prying eyes.  30 minutes before landing, he closes his laptop lid and opens a paperback.

Upon entering customs, an official looks at his passport and picks up the phone.  He mumbles something about “additional screening”.  Two uniformed officers appear and very politely ask the confused executive to please follow them.  He is escorted to a windowless room, whose walls are lined with posters extolling the mission and professionalism of the border patrol, and warning against importation of illegal substances.  The manager is asked about his identity, and prompted to empty his pockets and open his bag on a table; while an inspector rifles efficiently through his carry-on, a second official looks on.  The manager’s questions and protestations are met with bland reassurances about “standard protocol”.

The first inspector finds the laptop, and walks out the door with it.  As the manager moves to stop him, the second inspector scowls and blocks his way.  Within a minute, two more officials enter, and begin talking about a suspicion of child pornography, and what serious consequences it harbors.  They mention that a fellow passenger reported having seen “suspicious” images on the laptop, and “encourage” the manager to cooperate, bringing up vague hints of terrible punishments, no-fly lists, and harassment.  He is presented with a form and a pen, and asked to write down his laptop screen lock password.   The manager looks at his watch — he has not slept much and needs a shave; his limousine charter has probably left by now.  His requests to make a phone call are politely but firmly denied.

Periodically, someone re-enters the room to ask about another password to an application (email, etc.)  An investigator inquires as to the password of his PGP-encrypted virtual disk.  The man’s protests are met with stern reminders that he must cooperate.  The executive has heard that it might be a good idea to have a lawyer in this country, but as a foreigner, he does not know how to go about it, and must be present at his meeting tomorrow.  In any case, he could not contact an attorney.  He does not think of asking to leave.  After four hours of this, punctuated by short interviews asking him to clarify, his laptop and phone are returned to him and he is allowed to leave.

What now?

Do we know that the data was removed upon failure to show any child pornography, incitement to money laundering, or terrorist literature (insofar as any of the above are not protected by free speech anyway)?  When the above user is the CEO of a multibillion dollar corporation, or his fully authorized deputy, are we sure that no information was passed on to a national champion or other competing firm?

Ideological Disclaimer

However, the United States and UK are the two largest, most economically significant liberal democracies to give their police and border protection enough leeway in terms of data interception and confiscation to constitute a real danger to anyone carrying sensitive data (or just those who feel that what’s on their laptop is nobody’s business; whether those contents are legal or not is beyond the scope of this article.)

Full disclosure:  I am vehemently against search and seizure laws that do not require a warrant.  I oppose border inspections of personal digital data unless they are extremely tightly controlled, as I believe laptops are very personal items.  It is my opinion that law enforcement (particularly border control) authorities should be held to a very high standard, so they can be trusted to maintain the high professional standards they claim to adhere to, to safeguard data and privacy, and to consistently respect rules of evidence.  Nonetheless, I suspect that border patrol and law enforcement agencies in much of the world have at least at some point acted as agents of industrial espionage.  I have strong ideological convictions in this regard, and do not hide these.

My objections are not so much addressed at places like China or Saudi Arabia, which openly engage in totalitarian, intrusive aspects of data analysis and censorship (and possibly theft), or Venezuela or Indonesia, where corruption and arbitrary measures can be expected.  You know what awaits you when you visit an authoritarian or corrupt country.

These are my personal opinions.  I will be happy to provide my reasoning elsewhere.  This post, however, is no more than a discussion of technical and procedural controls that allow individuals and companies to reduce their exposure from mobile device seizure and data analysis.  For the purposes of those who claim that “those who have nothing to hide won’t mind security measures”, I say that

  1. no security is engendered by this.  It is nonsense “risk management” or investigatory technique
  2. it sets a very dangerous precedent in any society making even a small pretense as to individual liberty and freedom from arbitrary search and seizure, and questions the idea of the fundamental human right to travel
  3. it puts a burden on host countries, insofar as illusory, ineffective, intrusive security mechanisms discourage travelers from visiting and bringing money and business, and
  4. from now on, you will leave the door to your toilet open every time you go to take a dump

For the purposes of this article, we do not care what kind of data you have.  We will assume that you want to protect it, and that users are sort-of-but-not-highly technically versed.  Furthermore, I cannot address mobile phones, embedded tablet PCs (e.g. iPads) or PDAs, because I am unfamiliar with the security mechanisms supported by their various operating systems (iOS, Android, BlackBerry OS), so we’ll focus on generic mechanisms for laptop operating systems, with a few concrete examples.

Hardware Exploits, Rootkits, and Keyloggers

First of all, as soon as someone has unsupervised physical access to your device, it is possible to implant keylogging hardware.  Although the supposed Dell laptop keystroke logger was a hoax, small hardware keyloggers are a fairly mature technology.  Interrupt detection won’t work, as the keylogger isn’t being installed stealthily (remember, the device is out of your possession / sight, and no attempt at stealth is being made.  If it’s rebooted, it’s rebooted.)  We assume the device is being carried, rather than checked in luggage, a stupid thing to do in any case — as such, the whole problem with border patrol or police temporary confiscation of laptops is that it is done in the open.

Even without manipulation of hardware, the hypervisor rootkit model presented by Joanna Rutkowska (“Blue Pill” — more here) would allow persistent access to even an otherwise “secure” laptop operating system, with full bypass of its security capabilities (e.g. by intercepting monitor signals or keystrokes).  I am unfamiliar with any functioning examples of such an exploit, but that does not make the concept any less valid or dangerous, or mean that it does not exist.

If there is any suspicion of the above, there’s not much point to reading the rest of this article.  The instant that something leaves your possession and sight, it can be assumed compromised.  The only mitigating factors are

  • hardware keyloggers cost money.  You may not be worthwhile (does not necessarily apply to, say, a senior executive)
  • installation takes at least a bit of time.  I do not know whether a rootkit could be slipped onto a drive without imaging the entire system
  • there is a tiny risk of detection if done inexpertly — if you are ultra-paranoid and have opened up your device, noting down component serial numbers, you may be able to detect new hardware
  • certain types of hardware require user interaction to get around drive-level encryption; cracking these is not feasible in a short period of time.  Then again, someone may just demand a user’s boot password under threat of prosecution or harassment, and walk off with it.
  • hardware keyloggers that are hard to detect must be prepared.  An investigator would have trouble having clandestine-ready hardware for any given laptop model ready.

A software keylogger or spyware program / trojan can equally be installed, but a number of methods exist for detecting these with a reasonable degree of reliability, including virus scanners, and cryptographic checksums that can be compared with a central server, e.g. some equivalent of Tripwire or another host-based intrusion detection system (HIDS).

Most importantly, though, the moment something like a keylogger or other hardware exploit is on your laptop, it does not matter what other security measures you take.  Someone will always have access to your laptop from now on.

If the above applies, there is not much point to reading the rest of this article — it is the equivalent of telling a friend a Gmail password, then changing it — while he is watching.  The only ways to deal with this are

  • buy a new laptop
  • assume that all communications are bugged, all files can be intercepted / opened, and only work with data that does not matter

Data Dumps and Stuff

Behind the scenes of the fictitious episode above, a forensic investigator took a full image of the user’s laptop.  There was no effort made to hide what was going on, nobody told him about his rights concerning search and seizure, habeas corpus and illegal detention, customs regulation, court and government rulings regarding data investigation, etc.  He was simply coerced into providing access to his information.  All attempts to encrypt, or hide, data on his laptop, and all mechanisms to foil intruders, came to naught.  The government in question, regardless of the (il)legality of its customs agents’ actions, now has a full dump of the user’s laptop, which may or may not include saved passwords for his webmail account, confidential company materials, a (weakly) password-protected Excel list of passwords, personal photographs, contacts, etc.

I’ll leave it to the imagination of the reader why this might be a bad thing.

If you maintain constant visual contact with a confiscated laptop, and can determine, with 100% assurance, that nobody has managed to slip something dodgy on to it, great.

However, the best way to secure yourself against compromise is to assume that any data on a laptop is forfeit and to avoid having any information on the laptop to start out with.  Remember — even if nobody installs anything, it’s pretty easy and quick to just dump a full storage device and play around with its contents later.

User Education

No amount of confidential information is worth the life, safety, or freedom of the person holding it (aside from exceptional situations — we’ll assume there’s not much wartime spying going on here.)

It is the responsibility of an employer to teach any business traveler two things:

  1. Cooperate with authorities — regardless of what the situation is, nobody on the road for work should have to be a hero
  2. Understand basic data protection techniques, including taking due care with creation of information so nothing described in this article actually becomes an issue

The point of all this is to avoid having to not cooperate or having to worry about data while on the road.

First Baby Steps

A few simple things might provide some degree of protection, but not a whole lot.

Set up a dummy account.  Keep it logged in.  Ensure that your login window does not show a list of users, but rather a username/password field.  When prompted to log in, do so with the dummy account.

Note that this will only fool idiots.

One-Way Encryption

A user cannot give up a key that he does not have.  Bruce Schneier wrote about this idea — allow a user to encrypt his laptop / files with a random key at some point before he is at risk of having his laptop accessed at the border.  Give someone else the password.  After passing the border, call this person to retrieve the password.

The downside to this is that, under something like RIPA, a user may face legal consequences for having encrypted material in his possession for which he cannot / will not provide the password.  The law puts the onus on the holder of the data.

Furthermore, this may expose the person carrying the information to harassment and difficulty entering the country.
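As an added example (not from the original post) of the scheme above: the data is sealed under a fresh random key that is never shown to the traveler, the laptop keeps only the sealed blob and a key identifier, and the key itself goes to the trusted party.  The cipher here is a stdlib-only construction (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) chosen so the example runs without extra libraries; in practice the same procedure would feed a randomly generated passphrase to the disk or PGPDisk encryption the post mentions.

```python
import hashlib
import hmac
import secrets
import struct

BLOCK = 32  # bytes of keystream per HMAC-SHA256 output


def _subkeys(travel_key):
    # Derive independent encryption and MAC keys from the random travel key.
    enc_key = hmac.new(travel_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(travel_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key, nonce, data):
    # Counter-mode keystream: HMAC(enc_key, nonce || counter), XORed into data.
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), BLOCK)):
        stream = hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                          hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + BLOCK], stream))
    return bytes(out)


def seal_for_travel(plaintext):
    """Encrypt plaintext under a fresh random key.

    Returns (blob, escrow): the blob stays on the laptop, the escrow record
    (key id + key) is handed to the trusted party before the trip.  Nothing
    the traveler keeps lets him decrypt the blob, so there is no key to give up.
    """
    travel_key = secrets.token_bytes(32)
    key_id = secrets.token_bytes(8)   # lets the trusted party find the right key
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(travel_key)
    body = _keystream_xor(enc_key, nonce, plaintext)
    header = key_id + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag, {"key_id": key_id.hex(), "key": travel_key}


def key_id_of(blob):
    """Key id recorded in a sealed blob, quoted to the trusted party after crossing."""
    return blob[:8].hex()


def unseal(blob, travel_key):
    """Decrypt with the key retrieved from the trusted party.

    Refuses a wrong key or a tampered blob instead of returning garbage."""
    header, body, tag = blob[:24], blob[24:-32], blob[-32:]
    enc_key, mac_key = _subkeys(travel_key)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered blob")
    return _keystream_xor(enc_key, header[8:], body)
```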

External Media

A 64-GB thumbdrive, or a DVD containing personal/confidential data, could be hidden somewhere in a user’s luggage, or mailed out of band (e.g. FedEx).  However, that carries with it risk of interception.  If it is found on a user’s person or baggage, the user can also be coerced into giving up an access code.  If it is mailed separately, it may be very difficult to crack (e.g. PGPDisk) but there is still the risk that the wrong persons get their hands on it.

Pre-Trip Backups

All data on a user’s laptop should be backed up before he leaves.  This can take the form of incremental backups, or a full disk imaging.  This is useful in case a full restore from scratch to a new laptop is necessary.

All users should be storing their important work data on a network drive anyway, see a little further down as to why.

Remote / Travel Laptop Builds

A properly paranoid company will make a travel build available for its international travelers.  This is a stripped down OS configuration, containing as few hints as possible as to the nature of the company and its business.

It makes sense to do this anyway to avoid loss of confidentiality from lost/stolen laptops.  Make sure that someone on the road only has what they absolutely need on their laptop.  It’s understandable that someone wants to work on a presentation or document on the plane, but in this case, it is important to educate users about the need to only carry the data that is absolutely necessary for the current trip.

Unfortunately, that covers locally archived emails, and breaks down on trips involving multiple clients.  Furthermore, if the files a user is working on, say, during a flight or in a departure lounge, are actually highly confidential (e.g. the example of the merger negotiation)

Boy, the consultants will scream about this one.

Virtualization

Use virtual machines, such as VirtualBox or VMware.  At the very least, this allows reasonably quick restore of compromised working environments, and can be used to restrict access to a host OS by dodgy websites.  No particular benefit to travelers, except to add another layer of obfuscation — it is conceivable that an encrypted VM could be used for something like the “One-Way Encryption” environment above, completely masking what files / applications / sites are used.

Secure Remote Desktop

Most mobile users have access to remote working tools via VPN.

I once completed an architecture project that provided a Citrix environment over an IPSEC VPN to users.  A limited desktop, located on a hardened server in a DMZ, was presented to users.  Someone connecting remotely had access to their data, could work remotely, and download folders and individual files.

These could be the files that were backed up / copied to the network drive earlier.

Webmail interfaces (SSL-protected, via IPSEC) allow users to get around having to keep mail archives on laptops — unfortunately, most companies do not understand the concept of sufficiently large server mail quotas.  Disk is cheap.  Buy some.

Data Segmentation

For added peace of mind, users traveling to a country whose border patrol or police are known as a source of risk should be limited, via profile, to a subset of data on the remote desktop server.  Allow users to copy their files by project — and specify, either via user interaction, or via centralized management, which elements they have access to.

Most consulting firms already have “Chinese Walls” in place in order to prevent conflicts of interest, i.e. sanitizing one client’s data before using it with another so as to avoid exposing trade secrets.  The user mentality is thus already in place.

Access Logging and Monitoring

Companies should ensure strict logging of all access events, as well as all user activity.  Companies should maintain access profiles and correlate user activity with what is expected — a sudden attempt to dump entire file trees via remote access may be cause for alarm.

This ensures that, in case of a break-in by a foreign law enforcement agency using stolen credentials, it’s clear what was compromised.  This is good practice in any case; in the Brazilian example earlier, police had presumably unfettered access to a major corporation’s international network — many major global companies have some sort of poor segmentation between country networks.  Imagine the amount of scrambling and incident response work required to find out exactly what information they were able to obtain?  A single user is no different, if you don’t know that he has been forced to divulge access, or if your external VPN connectivity uses weak authentication and credentials are extracted from a copied laptop drive.
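As an added example (not from the post) of the correlation described above: a sliding-window check over remote-access audit lines that compares each user’s busiest five minutes against a baseline profile, and raises an alert when the count of distinct files or the number of project trees outside the user’s profile is out of line.  The log format, the sample lines and the profiles are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-desktop file-access audit lines, one event per
# line: "<ISO timestamp> <user> <action> <path>".  The 09:xx lines are a normal
# working morning; the 23:10 burst is one user pulling every tree he can reach.
SAMPLE_LOG = """\
2010-11-20T09:01:10 john.salomon READ /projects/merger/deck.pptx
2010-11-20T09:03:42 john.salomon READ /projects/merger/term-sheet.docx
2010-11-20T09:05:00 john.salomon READ /projects/merger/notes.txt
2010-11-20T10:15:00 jane.doe READ /projects/alpha/plan.docx
2010-11-20T23:10:00 john.salomon READ /projects/merger/deck.pptx
2010-11-20T23:10:01 john.salomon READ /projects/merger/term-sheet.docx
2010-11-20T23:10:02 john.salomon READ /projects/alpha/plan.docx
2010-11-20T23:10:03 john.salomon READ /projects/alpha/budget.xlsx
2010-11-20T23:10:04 john.salomon READ /projects/beta/contracts.pdf
2010-11-20T23:10:05 john.salomon READ /hr/salaries.xlsx
2010-11-20T23:10:06 john.salomon READ /finance/q3.xlsx
2010-11-20T23:10:07 john.salomon READ /finance/q4.xlsx
2010-11-20T23:10:08 john.salomon READ /legal/nda-list.docx
"""

# Hypothetical expected-access profile per user: the project roots they
# normally touch and the largest number of distinct files seen in any
# 5-minute window during a baseline period.
PROFILES = {
    "john.salomon": {"roots": {"/projects/merger"}, "baseline_max_files": 3},
    "jane.doe": {"roots": {"/projects/alpha"}, "baseline_max_files": 3},
}
WINDOW = timedelta(minutes=5)


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def root_of(path, depth=2):
    # Directory part only: "/projects/merger/deck.pptx" -> "/projects/merger",
    # "/hr/salaries.xlsx" -> "/hr".
    dirs = path.strip("/").split("/")[:-1]
    return "/" + "/".join(dirs[:depth])


def peak_window(events, window):
    """Busiest sliding window for one user: (start, distinct_files, events)."""
    best = (None, 0, [])
    i = 0
    for j in range(len(events)):
        while events[j][0] - events[i][0] > window:
            i += 1
        win = events[i:j + 1]
        n_files = len({e[3] for e in win})
        if n_files > best[1]:
            best = (events[i][0], n_files, win)
    return best


def detect_bulk_dumps(events, profiles, window=WINDOW, factor=2, max_new_roots=2):
    """One alert per user whose peak window exceeds factor x baseline files,
    or touches at least max_new_roots trees outside the user's profile.
    An unknown user has a zero baseline, so any access at all is flagged."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in sorted(by_user.items()):
        profile = profiles.get(user, {"roots": set(), "baseline_max_files": 0})
        start, n_files, win = peak_window(evs, window)
        unexpected = {root_of(e[3]) for e in win} - profile["roots"]
        reasons = []
        if n_files > factor * profile["baseline_max_files"]:
            reasons.append("too_many_files")
        if len(unexpected) >= max_new_roots:
            reasons.append("off_profile_roots")
        if reasons:
            alerts.append({"user": user, "window_start": start.isoformat(),
                           "distinct_files": n_files,
                           "unexpected_roots": sorted(unexpected),
                           "reasons": reasons})
    return alerts
```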

Two-Factor Authentication

Require users to use two-factor auth (e.g. RSA SecurID cards, chip cards, etc.) — this reduces risk from exposure of saved passwords or persistent authentication cookies dumped from a laptop.

Duress Passwords

In the extreme case that a user is forced to log into a corporate network via remote access, he should be given a “panic account”.

This could take the form of “salomon.john” as opposed to “john.salomon”.  Keep passwords the same to keep things simple – complexity causes people to become nervous and give things away.  This account could even have access to the same dataset as the “real” account, while setting off all kinds of alerts and informing administrators that shenanigans are in progress.

User training is a strong prerequisite to make this work.
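As an added example (not from the post) of the panic-account idea: a small gateway in which the duress name is the real first.last name reversed, the password is the same, and a duress login succeeds but is flagged on the session and raises an alert.  Account names, passwords, the optional decoy dataset and the alert list are constructed here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def duress_alias(username):
    """Panic name = real 'first.last' reversed: 'john.salomon' -> 'salomon.john'.
    Only names with exactly one dot qualify, so alias(alias(x)) == x."""
    if username.count(".") != 1:
        return None
    first, last = username.split(".")
    return f"{last}.{first}"


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    dataset: str                    # what the real login may reach
    duress_dataset: Optional[str]   # None = same data under duress, as the post allows


class Gateway:
    """Toy remote-access gateway: normal and duress logins both succeed, but a
    duress login is marked on the session and recorded as an alert."""

    def __init__(self):
        self.accounts = {}
        self.alerts = []   # in practice: SIEM event / on-call notification

    def register(self, username, password, dataset, duress_dataset=None):
        alias = duress_alias(username)
        # Keep the namespace unambiguous: neither the name nor its alias may
        # already be a real account, otherwise a duress login is undetectable.
        if alias is None or username in self.accounts or alias in self.accounts:
            raise ValueError(f"cannot register {username!r}: name or alias in use")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt),
                                          dataset, duress_dataset)

    def login(self, username, password):
        """Return a session dict, or None when the credentials are wrong."""
        real, duress = username, False
        if username not in self.accounts:
            candidate = duress_alias(username)
            if candidate in self.accounts:
                real, duress = candidate, True
        acct = self.accounts.get(real)
        if acct is None:
            return None
        # Same password for both names, so the user has nothing extra to remember.
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return None
        dataset = (acct.duress_dataset or acct.dataset) if duress else acct.dataset
        if duress:
            self.alerts.append({"event": "DURESS_LOGIN", "user": real,
                                "logged_in_as": username, "dataset": dataset})
        return {"user": real, "dataset": dataset, "duress": duress}
```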

Remote Data Wipe

Many laptops have a SIM card slot.  In the case of the Apple iPad 3G, one of the few reasonable security measures is the central remote wipe capability.  Use it.  Whether as part of a duress code mechanism, or in case of unexpected activity, it may be wise to err on the side of caution and just nuke anything via remote management.

Third-Party VPN Termination

This is an extreme solution to what is, at best, a paranoid situation, but it might be interesting for companies to set up VPN connections to trusted intermediaries located offsite.

This is a bit of a separate issue, but a user connecting to an IPSEC concentrator with an IP registered to a given Swiss bank may raise the curiosity of law enforcement agencies who like to know, out of principle, what a Swiss bank executive is doing in their country — thus giving cause for additional searches the next time the user passes through a choke point like an airport.  Connections to an innocuous IP, however, may avoid such attention.

If the intermediary is trusted, a separate IPSEC connection can then be established from his servers to the corporate DMZ.

Conclusions

Controls of user laptops need not follow rational justifications — even developed countries have shown that their police and border investigations can be arbitrary.  While it is unlikely that a given traveler’s laptop will be investigated in depth, if it happens to you, the probability becomes academic.

No company should ever expose its mobile users to danger through their mobile data.  However, there are sensible ways to limit the potential fallout from unauthorized exposure by foreign law enforcement agencies to data that is simply none of their business.  It just takes a bit of investment and willingness to change mobile working habits.

 Posted by at 6:20 pm
Nov 05 2010

Pull up a chair, kids, it’s time for a bit of mental masturbation.

Picture this scenario:  sometime in the next ten years, a tourist snaps a photo of a common landmark.  What he does not realize is that, somewhere in the scene, a malicious person has put a sticker advertising a cleaning service on a lamp post.  The sticker is ratty, half-disintegrated, and only semi-legible to humans, who will never call the half-visible number on it.  It also contains a steganographically obfuscated block of data that exploits a weakness within the camera’s image processing software.  The camera is a consumer model, permanently online so shutterbugs can instantly upload and share their snapshots with friends.  The exploit triggers a worm through this channel…and take it from there.

This is pure fantasy — or is it?  Attack vectors for exploits have changed, from floppy diskettes, direct access to vulnerable servers, and email, through web site piggybacking, injection into vulnerable wireless networks, and others — why not consumer devices?  Let’s look at some individual components that already exist or are plausible:

Attacking Digital Cameras

Two things came to mind in this section:

First, Roman Abramovich’s huge $1.2 billion yacht, Eclipse, is rumored to come equipped with an anti-paparazzi system that, according to various accounts, sweeps its surroundings with lasers that detect CCDs (see below) and fires a stronger, “blinding” laser at them, either destroying the sensor or at least blanking the shot.  There are multiple problems with this idea, none of which I’m sufficiently familiar with to go into detail about:

  • until a shot is taken, the sensor is masked by the camera shutter (true, but if the thing is fast enough, that might not be an issue)
  • most modern DSLRs use CMOS sensors, and I can’t find info on whether such detection techniques would work on these
  • photos of Eclipse exist, casting doubt on whether this functions as advertised (then again, maybe it’s just not turned on while in port due to legal restrictions)
  • it could be defeated by a one-way mirrored lens

For such a system to work, it implies a computational reaction speed that seems improbable, but remember, we’re talking futuristic here.  Moore’s Law and all that jazz.  The idea itself is not fundamentally invalid.

Second, Adam Harvey claims to be working on an “anti-paparazzi” clutch purse.  This is a significantly simpler context, incorporating photovoltaic sensors that set off a bright strobe light when a camera flash is detected, thus whiting out pictures and supposedly guarding the user’s privacy.

Friends and I have discussed the feasibility of something similar for motorway speed cameras…

The point?  Cameras are already fair game for electronic countermeasures.

Steganography

Not rocket science.  Hiding content in digital images (pdf) is a comparatively new technology, but applications have existed for several years that will do this quickly and easily.

Causing visual content to short-circuit complex systems is doable.  In the case of humans, such a “vulnerability” was inadvertently exploited when several Japanese children suffered photosensitive seizures while watching Pokémon (it’s making me feel a bit sick).  Subliminal messaging has also been demonstrated to work in a number of studies.  And as my friend Brian astutely pointed out, I completely missed the opportunity to make any Snow Crash references here.

2-D bar code reading applications are fairly common in camera-equipped mobile phones.  Snapping a photo of a given pattern causes an installed application to perform a certain action (e.g. visit a web site.)  That is, assuming you have the application installed and configured.  Now imagine the possibility of a bit of data that causes not an application, but the actual core camera firmware to “do stuff” — i.e. replicate.

Exploiting Camera Image Processors

This is probably the biggest technological leap, but the component elements are in existence.

A digital camera consists of two main internal components (aside from the lens):  a CCD (charge-coupled device) or CMOS (complementary metal-oxide-semiconductor) sensor, which handles incoming light signals, and a miniature computer.  The latter has numerous tasks, from governing exposure and ISO values to processing pictures (e.g. turning RAW format into JPEG, including EXIF data, etc.)  Some cameras include on-the-fly face recognition capabilities (for example, the Fujifilm FinePix F40fd, which came out in 2007).

Any security professional will confirm that, as a rule of thumb, complexity engenders risk.   Digital camera firmware is generally proprietary in nature, and thus not as subject to widespread review or stress-testing as, say, common workstation operating systems or even certain embedded systems.  Embedded platforms can be susceptible to exploits; it is a function of how they are built and what software they run.  The bigger and more complicated a camera operating system and chipset becomes, the more likely it is that an exploitable security vulnerability could affect it.

Exploit code can be tiny (here is a link (pdf) to a 625-byte exploit of a known vulnerability), so hiding a visual exploit in an image need not face data size limitations.  That is, if you even bother hiding it.  While we’re not restricted to the standard, just for argument’s sake a 144×144 pixel data matrix can contain up to 2KB of information.  Make it A4-sized, and that’s ca. 1.5 mm² per pixel.  I won’t do the exact math, but a 20MP camera handles ca. 10,000×20,000 pixels.  The above A4 sheet can be pretty far away for each pixel in the data matrix to still be discernible, at least electronically.

Through the image sensor, you have a data entry path that is fundamentally no different from a network card or any other integrated device.

Oh yeah, and here is a timeline of image file exploits.

Wireless Photo Upload

Remote photo capture via USB cable is pretty standard (I use Canon’s EOS Utility with my Hackintosh).  Wireless photography, via surveillance cameras or bluetooth webcams, is also a common practice.

A common problem faced by even casual photographers is police harassment, leading up to confiscation of equipment and prosecution — often in violation of existing law enforcement guidance and/or local law.  Numerous instances exist of photographers who were forced to delete photos by security guards or police officers [1][2][3].  I’ve read several discussions about the desirability of some sort of immediate camera photo upload; products like the Eye-Fi already offer limited functionality in this direction.

I can think of no good reason (aside from bulk and battery life, which I cannot imagine being problems for a long time) why DSLR cameras in the near future would not incorporate some sort of nG wireless connectivity, fast enough for bulk Internet uploads of even larger images.  IPv6 will do away with the address space restrictions that are also a brake on the direct connection of small end-user electronic devices like cameras to the Internet.

Wait for cameras to incorporate “automatically post to FaceBook” features, and there’s your communication path.

…like I said, just having some fun, enjoy the future.

IF THIS WERE A VIRUS

YOU WOULD BE DEAD NOW

FORTUNATELY IT’S NOT

THE METAVERSE IS A DANGEROUS PLACE;

HOW’S YOUR SECURITY?

CALL HIRO PROTAGONIST SECURITY ASSOCIATES

FOR A FREE INITIAL CONSULTATION.

 Posted by at 1:42 pm