
Are there any simple steps one can follow to verify if a notebook is clean from hardware spyware?

What should be looked for? How should it look?

If any visual tutorials with photographs are available, that would be wonderful.

One note is that the person who would do the search has not much experience in identifying hardware.

nealmcb
Strapakowsky
  • Potential duplicate of [How to manually check for rootkits on a server](http://security.stackexchange.com/questions/4390/how-to-manually-check-for-rootkits-on-a-server) – this.josh Sep 16 '11 at 05:12
  • @this.josh That question is about software, not hardware. – nealmcb Sep 16 '11 at 05:41
  • You meant "hardware, not software", correct? Yes I am talking about hardware inserted in notebook that acts as spyware. – Strapakowsky Sep 16 '11 at 05:58
  • @nealmcb Righto, but my answer was hardware related. Hmm can not retract a flag or vote... Ok, I get to reprise my answer. – this.josh Sep 16 '11 at 06:25

5 Answers

This is an important question. But I'm guessing you won't be happy with the answer. While some of the simplest attacks can be easily detected, a wide range of attacks will be undetectable by nearly everyone. So someone with little experience identifying hardware will be hard-pressed to get much confidence. This basically underscores the importance of physical security at all times, which itself is a very hard problem.

On the other hand, this sort of attack is probably pretty rare, assuming you aren't a high-value target of some savvy attacker. It is easy to get so paranoid about such things that you spin your wheels and don't get around to things that are really important. See e.g. How do you manage security-related OCD (i.e. paranoia)?. So you may well just want to not sweat it and skip the rest.


It might well help to follow @KarelThönissen's advice to take a picture of your hardware in its original, presumably "clean" state, inside and out, so you'll have something to compare with when you check it later. But this will help you detect only the simplest, boldest attacks, like some keyloggers.

At the other end of the spectrum, evidently even computer manufacturers can't be sure that the parts arriving in their supply chain are free of malware. See e.g. the comments of Greg Schaffer at DHS reported at Information Week: Homeland Security: Devices, Components Coming In With Malware. If the people making your computer can't be confident that it doesn't have hardware malware, that makes it pretty hard for an IT shop to do so.

In between those extremes, note one of many examples of quickly hacking a voting machine in ways that are difficult to detect, e.g. by replacing a ROM chip: The New Jersey Voting-machine Lawsuit and the AVC Advantage DRE Voting Machine (pdf).

@this.josh points to some good sources on hardware hacking at Literature about IT security from hardware standpoint.

Note also, as discussed at Wireless keyboard sniffing risk, that some hardware spyware isn't inside the computer, but detects what is going on via electromagnetic or acoustic surveillance. E.g. even a wired keyboard or display can be spied on remotely, so you need to somehow also check that the surrounding area is clean.

Attacks on firmware like the BIOS might also be relevant to you. See How to check the integrity of my BIOS? and Tamper-proof BIOS password & settings storage with Trusted Platform Module? for some good tips in that realm.

nealmcb
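One software-side counterpart to the "photograph the clean state and compare later" advice above, as an added example that is not part of the original answer: record what the operating system can see of the hardware (PCI and USB device lists, DMI board strings, a hash of the firmware image) while the notebook is believed clean, and diff a later capture against that baseline. It assumes a Linux system with lspci and lsusb; dmidecode and flashrom are optional and need root. The sample inventories, vendor/device IDs and the firmware hash in make_sample_inventories are constructed placeholders so the compare step can be exercised without touching real hardware. The caveat from the answer still applies: this only catches devices that enumerate on a bus, so a passive tap or an implant spliced into a cable never shows up here.

```shell
#!/bin/sh
# Added example: hardware-inventory baseline and diff for a notebook.
# Not part of the original answers. Assumes Linux; lspci/lsusb present;
# dmidecode and flashrom optional (both need root).
set -eu
LC_ALL=C; export LC_ALL   # stable sort order so comm(1) sees both files the same way

# capture_inventory DIR: write one sorted file per data source into DIR.
capture_inventory() {
  dir=$1
  mkdir -p "$dir"
  # PCI devices with vendor:device IDs; slot addresses are stable across reboots.
  lspci -nn 2>/dev/null | sort > "$dir/pci.txt" || :
  # USB: drop the "Bus NNN Device NNN:" prefix, which changes on every enumeration.
  lsusb 2>/dev/null | cut -d' ' -f5- | sort > "$dir/usb.txt" || :
  if [ "$(id -u)" -eq 0 ]; then
    if command -v dmidecode >/dev/null 2>&1; then
      dmidecode -t system -t baseboard 2>/dev/null | sort > "$dir/dmi.txt" || :
    fi
    # Firmware image hash: flashrom -p internal reads the board's SPI flash
    # (root, and a kernel that permits the access, are assumed).
    if command -v flashrom >/dev/null 2>&1; then
      if flashrom -p internal -r "$dir/firmware.bin" >/dev/null 2>&1; then
        sha256sum "$dir/firmware.bin" | cut -d' ' -f1 > "$dir/firmware.sha256"
        rm -f "$dir/firmware.bin"
      fi
    fi
  fi
}

# compare_inventory BASE CUR: print removed (-) and added (+) lines for every
# file in BASE; return 1 if anything differs or is missing from CUR.
compare_inventory() {
  base=$1; cur=$2; rc=0
  for path in "$base"/*; do
    [ -e "$path" ] || continue
    f=${path##*/}
    if [ ! -f "$cur/$f" ]; then
      echo "== $f: present in baseline, missing in current capture =="
      rc=1
      continue
    fi
    removed=$(comm -23 "$path" "$cur/$f")
    added=$(comm -13 "$path" "$cur/$f")
    if [ -n "$removed$added" ]; then
      echo "== $f differs =="
      if [ -n "$removed" ]; then printf '%s\n' "$removed" | sed 's/^/- /'; fi
      if [ -n "$added" ]; then printf '%s\n' "$added" | sed 's/^/+ /'; fi
      rc=1
    fi
  done
  return $rc
}

# make_sample_inventories DIR: constructed baseline (DIR/base) and current
# (DIR/cur) captures. All "Sample Corp" IDs and the hash are placeholders;
# the current capture carries one extra USB device that the baseline lacks.
make_sample_inventories() {
  mkdir -p "$1/base" "$1/cur"
  printf '%s\n' \
    '00:00.0 Host bridge [0600]: Sample Corp Host Bridge [1234:0001]' \
    '00:14.0 USB controller [0c03]: Sample Corp xHCI [1234:0002]' \
    | sort > "$1/base/pci.txt"
  cp "$1/base/pci.txt" "$1/cur/pci.txt"
  printf '%s\n' \
    'ID 1d6b:0002 Linux Foundation 2.0 root hub' \
    'ID 1234:0003 Sample Corp Integrated webcam' \
    | sort > "$1/base/usb.txt"
  printf '%s\n' \
    'ID 1d6b:0002 Linux Foundation 2.0 root hub' \
    'ID 1234:0003 Sample Corp Integrated webcam' \
    'ID 1234:abcd Unknown device' \
    | sort > "$1/cur/usb.txt"
  echo 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' \
    > "$1/base/firmware.sha256"
  cp "$1/base/firmware.sha256" "$1/cur/firmware.sha256"
}

# Usage on a real machine (as root), once when the notebook is trusted and
# again whenever it has been out of your control:
#   capture_inventory /var/lib/hwinv/baseline
#   capture_inventory /tmp/hwinv-now
#   compare_inventory /var/lib/hwinv/baseline /tmp/hwinv-now
```

Store the baseline somewhere the notebook itself cannot alter (a USB stick kept separately, or a signed copy), otherwise an attacker who already has the machine can simply re-baseline it. An unchanged inventory is "nothing I could find", not a clean bill of health.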

Most laptops come with all the hardware spyware would ever need, they're called network adapters, cameras, and microphones.

If you ignore all that, there's still no way to prove a negative like that. The best you can say is "nothing I could find".

ddyer
  • The 'nothing I could find' comment is very important. Depending on the level of assessment you go to, an attacker above that level could implement something you can't find. An assumption as to how much effort they will put in will help you define what you need to do to be reasonably assured. – Rory Alsop Sep 17 '11 at 09:23

You will have to consider how malicious and powerful someone stealing your information would be to know what types of attack to look for.

Those common bugs that anyone can buy over the internet are generally small enough now to fit inside a notebook. Examples: Spy Gear Pros, Build your own keylogger. They are cheap, too, so anyone could buy one for a very simple "spy" thing.

For heavy spying, things get complicated. One could open a notebook, attach something to the usb ports inside it, put in a small transmitter, and then have a repeater in the next room so that he can transmit everything to anyplace further. And then, perhaps, just scanning radio frequencies could help you.

If you're really worried about someone doing that, buy another notebook. It's faster and cheaper.

culix
woliveirajr

Are there any simple steps one can follow to verify if a notebook is clean from hardware spyware?

No. Simple steps can only identify simple attacks, especially if the investigator is not familiar with computer hardware. Planting a hardware device for surveillance or reconnaissance is a very sophisticated and costly attack.

What should be looked for? How should it look?

I have never seen a laptop, notebook, or any type of device that had hidden surveillance hardware inside it. I don't know of anyone in the IT Security community who has seen such hidden spy hardware in a computer. And I was unable to find a recorded criminal investigation where a piece of spy hardware was hidden in a computer.

That said, to investigate a computer notebook you will have to be an expert in ASICs (Application Specific Integrated Circuits), printed circuit boards, printed wiring assemblies, computer data buses, FPGA (Field Programmable Gate Arrays), schematic diagrams, wave soldering, reflow soldering, and manual soldering.

I would start with the service manual for the laptop. Read the manual and find all the places where there are screws to extract. Look at those areas for evidence that a screw has been loosened or removed. Evidence could be: scratches or dents where the tip of a screwdriver hit or rubbed against the case, the screw being at the wrong depth compared to an identical screw, slight oil or graphite residue. Then look for small openings where something could be inserted into the laptop without taking out the screws. These are things like: air vents, PCMCIA slots, speaker vents, a removable CD/DVD-ROM drive, the security cable slot. It is helpful to photograph these areas before you do anything to the laptop, so that you can send the pictures to others to look for signs of intrusion.

Then remove all cables and components from the laptop. Next remove any components that do not require you to remove screws to take them out: the battery and often the CD/DVD-ROM drive. As you go, examine and photograph each step. Next I would remove the hard disk and RAM. Those usually require the removal of screws but are otherwise easy to remove.

Next I would go for the screen, take off any pieces you need to detach the screen. I would look for a hidden device near the base of the screen where the cable comes in behind the screen. A hardware spy device will either need to come with its own power or use the computer's power. If it uses the computer's power it will need to be near a wire or cable carrying power. It would be small and similar in color and markings to other chips.

Then I would check in the main case. Again it is likely small and connected to a power line or cable. It might even have its own ribbon cable or small board to make it look like an intentional part of the design.

Your best chance is to compare the parts against the service manual and find something that isn't in the schematic or diagram, or more likely something that is a little bigger or a little out of place.

Speculation on the device:

What data is it meant to capture? Maybe audio, maybe video, maybe both. It likely would not be data that is stored on your computer. Data stored on your computer is easier to access by other more common attack methods.

So why audio or video? Maybe your laptop does not have a built-in microphone or camera. Or maybe the intent is to be able to observe or listen in multiple directions at once. The laptop can only be a platform for power and data transmission. These types of device in the past had to have their own RF to transmit, but with the data transmission of the laptop any extraneous RF transmission would just expose the covert device.

this.josh

Make a photograph of a clean machine - when it is known or assumed to be clean, i.e. when it is new, and use that for future reference. Not perfect, but might be helpful and simple.

AviD
  • I'm sorry, what now? I'm not sure if this is supposed to be humourous, or... But anyway, welcome to [security.se]! – AviD Sep 16 '11 at 11:20
  • I am not new (I just did log on using my account), neither here, nor in the field of IT-sec, and I am not trying to be humorous. Anyway, what I meant was, take a photograph of the machine when it is known or assumed to be clean, i.e. when it is new, and use that for future reference. Not perfect, but might be helpful and simple. – Karel Thönissen Sep 16 '11 at 13:16
  • Sorry, your account page says you registered today... but FTR, I didn't downvote you... – AviD Sep 16 '11 at 15:04
  • I can see how this could serve as some basic inspection of hardware devices and whether they were tampered with, but you could say the same for checking the paint on the heads of the chassis screws and warranty stickers, which would be a lot faster and possibly cheaper too. Having a look at the PCB components and other attached hardware wouldn't tell you anything conclusive with a notebook, when all the necessary devices are already there and all it would take is a slight modification of opcode, be it in UEFI BIOS, FPGAs, firmware EEPROMs... you name it. Still, +1 for waking up the dragon LOL ;) – TildalWave Feb 21 '13 at 15:51