Phoenix Unveils Anti-Theft BIOS
linuxwrangler writes "According to articles at PC World, c|net, Internet Week and elsewhere, Phoenix Technology is introducing a new BIOS-based anti-theft system. Every time a TheftGuard equipped machine connects to the internet it pings a server at Phoenix which can instruct the machine to wipe its hard drive, report its location or disable itself. Given that most people don't want to have their every movement tracked and don't want someone else to have the power to wipe their drives, Phoenix figures that corporate clients are the prime customer. I just wonder who is liable when a company sells a surplus laptop on eBay but gets their inventory control screwed up and reports it as stolen..."
I wonder if that kind of system would be vulnerable to spoofing attacks? That would be a pretty nasty trick to play on someone; erase their hard drive by putting a Phoenix spoofing server on their network.
Why not just encrypt the whole hard drive or the just sensitive data? To the thief, it's as good as it being erased.
Besides, in either case, if the thief were an enterprising individual they could recover the data. Empty hard drive? Just do a low level scan. Encrypted hard drive? Spend lots of time and resources trying to crack the key.
With that, why not go for the least destructive measure? Unless, of course, Phoenix is going for the Mission Impossible market -- this laptop will erase itself in 20 secs...
A growing number of boxes these days are behind routers or using winmodems, neither of which is easily supported by the limited space on a BIOS chip.
:-)
Then again, thieves are more likely to steal a dedicated T1 line on a BIOS-supported ethernet card than the rest of us
You can't judge a book by the way it wears its hair.
Why not just rewrite the BIOS and flash it to disable or eliminate these features. Of course only your Uber Geek would be able to do this (certainly not I) and IMO, if he/she can do it, they've EARNED the laptop.
Once this BIOS is hacked (assuming it can be), how long before copies of BIOS start going out over Kazaa?
There is nothing inherently safe about liberty. That's why so many people died protecting it.
I just wonder who is liable when a company sells a surplus laptop on eBay but gets their inventory control screwed up and reports it as stolen...
Exactly the same thing that would happen if someone checked the serial number and found it was reported stolen. Police investigate, the owner provides a transaction history, the original owner discovers the mistake, charges get dropped, original owner gets sued for negligence.
And should the HD get erased the FIRST TIME someone connects to the internet, it's not likely to create any serious data loss issues. The owner would probably think there's just something wrong with the computer. They'll complain, the problem will be discovered, etc etc.
Of course, this TheftGuard assumes a number of things. Certainly the BIOS won't have any interaction with the internet unless the OS permits it. Any intelligent thief would wipe the drive and reinstall without ever booting it, let alone connecting it to the internet. There are many other ways to trace a stolen computer once it gets online, assuming the OS wasn't reloaded first. Having a machine "check in" isn't a bad idea in theory, but there's no particular advantage to using a hardware solution over a software one.
-Restil
Play with my webcams and lights here
I cannot seriously see anyone accepting this tech.
Corporations *might* but only if they can set it to poll THEIR servers, and have it under their control.
Personally though.. it scares me that MS and their "Trusted Computing" scheme Might force this onto the users..
There are only three people/organizations that should have the ability to remove/restrict "owned" things... Me (the owner), The LAW (only after following the judicial system) or Judge Dredd.
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
"Since TheftGuard's also in the BIOS, even if you remove the hard drive, we can still track or disable the machine, or wipe the drive," he said. Another trick that can eradicate anti-theft software -- running FDISK to reformat the drive -- also is foiled by TheftGuard's place in the HPA section of the hard drive, which is immune to simple reformatting tools.
Any hard disk forensics person will tell you the wonders of dd and netcat working together. Adjust the dd parameters a tad, and the HPA is no longer a problem. If they think the bad guys don't have access to this knowledge, they're as FDISKed as they seem.
This is seriously stupid, so it must have come from marketing, not the techies.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
I hear people here rant about the evils of microsoft, which I will be the first to agree they are a big evil, but seldom do I hear about the BIOS monopoly.
If I'm not mistaken, Award, AMI, and Phoenix are owned by the same company. At least Award and Phoenix seem to be at any rate. I could be wrong about this, but this would be due to the lack of attention on this little piece of software you are required to buy.
Unlike the Microsoft software where you at least (although arguably) have a choice to buy a system without it... the same can't be said about the BIOS. Now they have a good product... worth paying for, though I wish they would have added some more *nix-like features quite frankly, and it's a pain when one motherboard has for example the Symbios boot for cheap SCSI cards feature, where another motherboard with the same make of BIOS is missing that feature, despite the fact that it's been shown this could be added with ease, and heaven forbid any end user requests for these features present in one and not the other.
So, when Phoenix decides to be most irritating and implement systems like this, who are you going to turn to? I honestly don't know the actual cost of the BIOS licensing and its cost per PC motherboard, but I'd wager to guess it's pretty cheap... based on what I've seen in old Computer Shoppers, some companies were charging like $20 a chip. I assume it's a sub-$20 per chip fee. I personally am happy to pay it, as these companies pretty much became commercially viable because they undersold Compaq and IBM, and despite their flaws they are the lesser of the big blue and wannabe blue.
This is one of those products that you pretty much either *assume* you have a legit license for, based on faith in the motherboard maker. For your average geek, it's pretty much a simple task to establish whether or not you have a license for the product.
It's also one of those products that the end user doesn't typically pirate. Pirated, or rather, bootlegged BIOSes are typically found on the cheapest motherboards available. I do not feel that this is the solution as it's not typically the end user pirating their product, it's little no-name companies that buy their product in bulk from the likes of PC Chips and resell them without a licensed BIOS.
*SOLUTION* why not ask for cash? You may say what you will about these companies, but unless the free BIOS projects mature enough there isn't really much of an alternative, and it is a product worth paying for as it does make the system work, and I'm all for supporting them as they pretty much are, in part, responsible for the whole clone market, until something better comes out. If their product is indeed typically sub-$20.00 for that little holographic sticker, this is a VERY small price to pay for updates. During Y2K, they would have made a KILLING on all those cheap-ass funky motherboards if they were able to provide on their website the correct BIOS based on its ID number, explain that you need to pay $20.00 to download it, rather than the more foolish end users who bought copies of that Symantec product to compensate for only level 2 compliance.
The alternative is getting bad press about some little old lady who in good faith bought a system, getting her hard drive wiped because of someone else bootlegging a product she doesn't understand exists.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
This is a far saner, less failure prone solution to "The Problem". I have already seen similar hardware solutions used by a friend who develops commercially sensitive commerce stuff, the laptop's a paperweight without the key-card.
Only keep your keys on a something like a USB keychain rather than proprietary hardware. Then attach it to said employee's security pass so they don't leave it plugged into the laptop (or keep a log that emails you every time the laptop is shut down with the USB key left plugged in).
But alas, I can see the PHBs of the world will demand the Mission Impossible version because it sounds cooler.
Xix.
"Everything is adjustable, provided you have the right tools"
Wow. I can totally see something like the Slammer virus coming along and either wiping out Phoenix's computers and screwing them up badly, or just attacking all computers and forcing the ones with this BIOS to do some pretty nasty stuff. Of course, this will only teach more people to back up their data more often.
Kind of reminds me of Hackers. "Hackers of the world unite!"
woot.
I sell out to The Man every day.
Actually the BIOS has complete control over all the hardware parts in the system. Once it detects a network chip it can use that to do whatever it wants. Remember that a BIOS is an OS in itself. Windows and the such only extend the ability to operate/read/write to the disks. Windows only sees what the BIOS shows it.. Anything can be done through the BIOS as long as there is enough space to store it all on the chip... scary thought now that someone has brought their idea forward.. but there are enough people out there that modify BIOSes that it will not last long after it is brought to public.
Of course, if your main reason for using a system is data security, having a system that still works even if the hard drive is removed is a little pointless, isn't it?
Personally, I like the whole idea, except for the fact that it reports back to Phoenix's servers--if you could have it ping back to your own server, or to some trustworthy third party of your choosing, it would be a lot more attractive.
I wonder if you could combine it with some sort of real self-destruct mechanism...ten or twenty grams of thermite ought to do the trick. Not that I personally have anything worth that much, really, but if anyone ever stole my laptop, there's a part of me that would enjoy knowing that it was melting into a pile of slag.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
...if my network connection is down? Will my machine refuse to boot?
I think some of the technical folks on here have missed the point: A 'ping' signal doesn't have be the regular ICMP ping. It could be any sort of protocol that requests an echo back from the target.
...just my 3 cents worth (Canadian funds :-)
I do think that an awful lot of people on here are getting the point: What happens when I, mister malicious black hat, decide to spend a little money on research material and acquire, by one means or another, a few of these units for destructive testing and reverse engineering? Now I can spoof the Phoenix server on any given LAN and - poof - Merry Christmas, Bob's your uncle!
I can see the military and paramilitary organizations liking something like this. I'd also be surprised if they don't have something similar under lock and key right now. If I recall, most of the concern over the laptops wasn't over the data on them, but more over how the security procedures went awry. There were one or two that went missing from internal areas that wouldn't have been equipped for travel, but they likely wouldn't have been protected by this system either.
Personally, I think people fall into one of two categories:
1) The stupid/ignorant. These people wouldn't buy this BIOS anyway. They're gonna be hooped when their data gets lost/stolen.
2) The paranoid. These people are probably already using strong encryption, finger print scanners, etc. They're gonna be hooped as well... unless they were paranoid enough to do regular backups! Admittedly, the thief won't have access to the data, but I suspect most of the stolen laptops get wiped shortly after the thief copies the porn off for his own amusement anyway.
I see IT managers loving this because it covers their arses. I see the users either not needing it or not liking it.
-Rob
It's cheap security. None of the peripherals seem to be protected and that's the meat of any system.
If you buy a used PC with that system in it you should have the ability to contact the maintainer of the system to work out ownership transfer. There should be no fee for this.
Prediction by MrPredicter:
One week after deployment a copy of the BIOS will be posted to usenet, Seventy Six Milliseconds after that it's cracked, patched and offered on WareZ sites with instructions on how to burn, unplug or desolder and install the new chip.
Fixing the above, off the top of my head:
Hardwired into the motherboard is a distributed encryption device that holds all of the motherboard chips, drives, RAM and compatible installed cards in an inactive state until a USB or other device is inserted. The unlocking device needs to have been activated with a PIN prior to insertion so that the secret key inside can encrypt a challenge response with the devices in the computer. The device in the computer should also do realtime transparent encryption of the drives and offer network encryption as it would be trivial to add. Internal keys in the device would be the province of the local IT security staff; they could not be changed by the user.
One nice feature of this method is that, with a well setup OS each users network presence (data, settings, drives ect) could be transparently encrypted, each PC would be generic with no user or company data stored on the PC just on the network. Other networkable protocols could be implemented. I think Linux is close to part of this done in software.
The device would need to be distributed, that way an attacker would have to compromise every device in the computer to make any use of the computer. Even the ram would not be of use.
It would be possible to do this in a compatible way to protect the add-ons: use extenders/risers that contain the encryption receivers, which would be epoxied to circuit cards, drives and RAM. This would slightly reduce cost and void warranties but allow easier upgrades by just adding a riser. The other method is to order specially modified hardware, and only the motherboard needs this. Yes, there are all sorts of drawbacks, mostly stability issues, and the CPU is still not protected from theft.
Isn't there some sort of specification for all this? This didn't just come to me in a vacuum; well, I vacuumed it up, most probably from the cypherpunks mailing list, but can't remember.
Total added cost to the PC, too much:
Just hire a damned good degreed security specialist and retain a good physical security consultancy and let them work with a team of people to implement a reasonable security system and stick with it. Add to that good training for the security people and rigorous *recurring* background checks. Also a mid/upper level management that actually listens to the experts in this is needed; eviscerate the dead weight as needed.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
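The PIN-activated unlocking device proposed in the post above, worked through as an added example (this is editor-supplied illustration code, not anything from the post or from Phoenix). It assumes a shared secret that IT provisions into both the token and the host-side device, a PIN check with a lockout counter on the token, and a random per-unlock challenge from the host; all of those details are assumptions, as is the in-memory PIN hash standing in for a real secure element.

```python
import hashlib
import hmac
import os

MAX_PIN_ATTEMPTS = 3  # assumed policy: three bad PINs and the token locks


class Token:
    """Removable unlocking device. Constructed stand-in for the post's USB key."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        # Simplification: an unsalted hash in RAM. A real token keeps the PIN
        # check and the secret inside a tamper-resistant part.
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.failed = 0
        self.active = False
        self.locked = False

    def activate(self, pin: str) -> bool:
        """PIN entry happens on the token before it is plugged in."""
        if self.locked:
            return False
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.failed = 0
            self.active = True
            return True
        self.failed += 1
        if self.failed >= MAX_PIN_ATTEMPTS:
            self.locked = True
        return False

    def answer(self, challenge: bytes):
        """Only an activated token will respond to a challenge."""
        if not self.active:
            return None
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def remove(self):
        self.active = False  # activation does not survive unplugging


class LockedHost:
    """The on-board device that keeps the hardware inactive until unlocked."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.unlocked = False

    def unlock_with(self, token: Token) -> bool:
        challenge = os.urandom(32)  # fresh per attempt, so captured answers are useless
        response = token.answer(challenge)
        if response is None:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        self.unlocked = hmac.compare_digest(response, expected)
        return self.unlocked


def run_token_scenarios() -> dict:
    secret = os.urandom(32)  # provisioned by IT into both halves (assumption)
    host = LockedHost(secret)
    token = Token(secret, pin="4821")
    results = {}

    results["no_pin"] = host.unlock_with(token)            # not activated
    token.activate("4821")
    results["correct_pin"] = host.unlock_with(token)       # activated, right secret
    token.remove()
    host.unlocked = False
    results["after_removal"] = host.unlock_with(token)     # must re-enter PIN

    foreign = Token(os.urandom(32), pin="4821")            # right PIN, wrong secret
    foreign.activate("4821")
    results["wrong_secret"] = host.unlock_with(foreign)

    stolen = Token(secret, pin="4821")                     # thief guessing the PIN
    for guess in ("0000", "1234", "1111"):
        stolen.activate(guess)
    results["locked_after_guesses"] = stolen.locked
    results["right_pin_after_lock"] = stolen.activate("4821")
    return results
```

The lockout is what makes the PIN meaningful: without it, a stolen token is just a four-digit brute force away from unlocking the machine.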
Easily, if you've ever worked with any kind of embedded system you know that even low-memory microcontrollers can have TCP/IP capabilities, in a pretty trivial amount of space. Many implement a TCP/IP stack in a 32K rom with room to spare.
Do most recent laptops have one?
I know most/many desktop motherboards have a jumper that allows you to reset the BIOS.
Wouldn't that disable this "feature"?
B.
Laptop thieves are largely a stupid lumpen lot.
Any 'smart' laptop thief is the exception and not who this tool is designed to 'bust.'
It's designed to nail the lowlife at the airport who wouldn't know what to do with the laptop if he did actually open it up and turn it on. He turns it in at the hock shop (you've seen 'em- the ones with the big sign on front 'we buy laptops for CASH' whose windows geeks should just bust out regularly) and uses the $16 he gets to buy crack.
The Club is a device that locks onto your car or truck's steering wheel and prevents the wheel from being turned and thus the vehicle from being driven. There are several very effective ways of removing the Club without using a key, some of which can be done in less than a minute. Despite this, the Club is an effective anti-theft deterrent. Why? It's a huge improvement if you stop just the dumb crooks. Sure, a smart crook can get past it -- but there's a whole lot more dumb crooks than smart ones, so if it doesn't cost too much, the benefits far outweigh the costs.
SMI = System Management Interrupt.
When an SMI is triggered the system jumps to a special memory space called SMM. SMM space can only be accessed/modified when in SMI. The BIOS implements the handler and the handler cannot be taken over by the OS. Lots of events can cause an SMI. That is a possible mechanism.
Check out the feature in chapter 5 of the ICH5 datasheet
http://www.intel.com/design/chipsets/d
Before everyone goes crazy bashing Intel, every x86 chipset/system supports SMI since 386.
I think the main problem with computer theft is not the loss of some more or less cheap piece of hardware. That can be replaced easily. The major damage is that you'll lose your data. But security measures like the hard disk security features that are stored in a hard disk's firmware make it very hard to get access to the data. Especially considering that a normal thief is not an IT expert.
If industrial espionage is concerned then your enemy has enough knowledge to do bad things when he has real physical access to the machine. So a BIOS won't help much to keep an expert away from my data if I don't take additional measures.
What would be really helpful against data loss is a BIOS that goes on strike if I don't do backups of my data frequently... but that leads us to the problem that there is no easy way of backing up 80 Gigabytes on a 3.5 inch floppy...
Let's face it, the thief who steals it won't have the problem, it'll be the poor sap daft enough to buy it at the end of the chain. Just like the stolen coded (i.e. not-working) car radios which get sold at the local pub/garage sale/car boot sale - who's going to have all the necessary gear to check it at the time of purchase.
By the time the buyer realises, the thief is long gone - it just moves the problem, doesn't eliminate it. Just like the car immobiliser law brought in here in Western Australia - all cars have to have them. So now we get people being attacked near their cars or in the house so the thief can get the keys.
Go permanent? In your dreams and my worst nightmares.
When I was a student at Unnamed University:
The system simply pinged each machine connected to the network every few seconds. If any of the machines failed to respond to pings for more than 100 seconds (depending on the time of day) it would be flagged as stolen/damaged. A security chap would come around to have a look-see.
The real goal of the system was to prevent people from opening the case and flicking a little bit of RAM or a HDD (loads of poor students in the place). The site was open 24 hrs you see and there were not many people around usually.
Most of the machines were just X-Terminals. Nice, powerful machines -- that ran an X-Server. So there was not very much that could crash them; when they did (err.. for testing only :)), a reboot and reaching a state where the network cards could function took less than 100 seconds.
If you or a network admin wanted to move the machine or do anything like that, you had to send mail to support@unnamed and they'd stop the pinger for your system for a given duration. They now have a lot of Windoze machines in the place. I am not sure how the pinger system is coping.
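The pinger described in the post above, as an added example of the detection logic (editor-supplied, not the university's actual system). The reply timeline is constructed inline: four workstations answering every 30 seconds, one that goes silent at t=240 (the "stolen" case), one that reboots and comes back inside the 100-second window, and one silent for a stretch that support@ has covered with a maintenance window. Host names, the 100-second threshold and the maintenance-window semantics are assumptions.

```python
def find_missing(hosts, pongs, end_time, threshold=100, maintenance=None):
    """Return {host: time_flagged} for hosts silent longer than `threshold`.

    pongs: iterable of (t_seconds, host) reply events.
    end_time: the "now" of the check; silence up to it counts.
    maintenance: {host: (start, end)} windows during which silence is
    ignored; the silence clock restarts when the window closes.
    """
    maintenance = maintenance or {}
    by_host = {h: [0] for h in hosts}  # constructed: every host answered at t=0
    for t, h in sorted(pongs):
        if h in by_host:
            by_host[h].append(t)

    flagged = {}
    for host, times in by_host.items():
        times.append(end_time)  # sentinel so the final silence is measured too
        for last_seen, next_seen in zip(times, times[1:]):
            flag_at = last_seen + threshold
            window = maintenance.get(host)
            if window and window[0] <= flag_at <= window[1]:
                flag_at = window[1] + threshold
            if flag_at < next_seen:
                flagged[host] = flag_at  # first alarm only, like the security chap's visit
                break
    return flagged


def sample_pongs():
    """Constructed reply log over a ten-minute window."""
    pongs = []
    pongs += [(t, "ws01") for t in range(30, 601, 30)]           # healthy all along
    pongs += [(t, "ws02") for t in range(30, 241, 30)]           # unplugged at 240
    pongs += [(t, "ws03") for t in range(30, 241, 30)]           # moved by an admin...
    pongs += [(t, "ws03") for t in range(450, 601, 30)]          # ...and back at 450
    pongs += [(t, "ws04") for t in range(30, 301, 30)]           # reboot: 90 s gap,
    pongs += [(t, "ws04") for t in range(390, 601, 30)]          # under the threshold
    return pongs


HOSTS = ["ws01", "ws02", "ws03", "ws04"]


def run_pinger():
    """With the support@ maintenance window honoured, only ws02 trips the alarm."""
    return find_missing(HOSTS, sample_pongs(), end_time=600,
                        maintenance={"ws03": (240, 430)})


def run_pinger_no_maintenance():
    """Without the window, the legitimate move of ws03 looks exactly like a theft."""
    return find_missing(HOSTS, sample_pongs(), end_time=600)
```

The two entry points make the post's last point concrete: the maintenance-window mailbox is not a convenience but part of the detector, because a reboot (ws04) and a theft (ws02) only differ by how long the silence lasts.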
Actually, the grandparent post suggests the first viable attack on this that I've seen suggested here - the other attacks (network tricks, etc.) rely on Phoenix's BIOS designers being so amazingly technically incompetent that they wouldn't cryptographically sign the "kill yourself" message.
This attack, however, relies only on a single instance of minor social incompetence by a call-desk employee. Attacks like this have already been shown to work on large corporations who are supposedly in the business of verifying identity - remember when VeriSign handed out two certificates for "Microsoft Corporation" to people who just asked for them?
The disadvantage of this attack is that it would in all likelihood be relatively easy to trace who had done it - it's highly unlikely that Phoenix's call center would accept a "my laptop's been stolen" call from a pay phone, and their procedures may even call for confirming any theft report by calling the supposed rightful owner back.
However, depending on the relationship between Phoenix and the major OEMs, the attack may get easier - it may be much easier to get Phoenix to think that I'm a Dell call-center employee reporting the theft of Mr. BigWig's laptop than to convince Phoenix that I'm Mr. BigWig or his authorized representative. That's something we'll have to wait and see on - it all depends on how the social network between Phoenix and the large OEMs is designed.
I'm certain that there's no one thinking up a technical attack here on slashdot that's viable against this system in the field. However, I have a reasonable expectation of incompetence from large corporations when it comes to designing the social network half of this system.
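What "cryptographically signing the kill-yourself message" buys against the spoofed-server attack raised earlier in the thread, worked through as an added example (editor-supplied; nothing here describes Phoenix's real protocol, key handling or message format, all of which are assumptions). The check-in carries a fresh nonce, the server's reply carries a MAC over serial, nonce and command, and the firmware side executes only commands whose MAC verifies. A symmetric HMAC is used so the example runs on the standard library alone; a firmware design would more plausibly carry only a public key and have the server sign with the private half, which also survives someone dumping the key out of a purchased unit for "destructive testing".

```python
import hashlib
import hmac
import os

# Constructed shared secret standing in for a key provisioned at enrollment.
FIRMWARE_KEY = bytes.fromhex(
    "5f1c9a3e7b2d4c6a8e0f1b3d5a7c9e2b4d6f8a0c2e4b6d8f0a1c3e5b7d9f1a3c")

ALLOWED_COMMANDS = ("ok", "locate", "wipe", "disable")  # assumed command set


def canonical(serial: str, nonce: str, command: str) -> bytes:
    """Fixed layout the MAC covers; both ends must build it identically."""
    return f"{serial}|{nonce}|{command}".encode()


def mac_for(key: bytes, serial: str, nonce: str, command: str) -> str:
    return hmac.new(key, canonical(serial, nonce, command), hashlib.sha256).hexdigest()


class Device:
    """The check-in client as it might sit in firmware."""

    def __init__(self, key: bytes, serial: str):
        self.key = key
        self.serial = serial
        self.pending_nonce = None
        self.executed = []

    def check_in(self) -> dict:
        # A random nonce per check-in binds the reply to this one exchange.
        self.pending_nonce = os.urandom(16).hex()
        return {"serial": self.serial, "nonce": self.pending_nonce}

    def handle_reply(self, reply: dict) -> str:
        if self.pending_nonce is None:
            return "rejected: no check-in outstanding"
        nonce, self.pending_nonce = self.pending_nonce, None  # single use
        command = reply.get("command", "")
        expected = mac_for(self.key, self.serial, nonce, command)
        # Constant-time compare; a forged, stale or re-targeted MAC fails here.
        if not hmac.compare_digest(expected, reply.get("mac", "")):
            return "rejected: bad MAC"
        if command not in ALLOWED_COMMANDS:
            return "rejected: unknown command"
        self.executed.append(command)
        return command


class LegitServer:
    """Vendor or corporate server holding the key and the stolen list."""

    def __init__(self, key: bytes, stolen: set):
        self.key = key
        self.stolen = stolen

    def reply(self, checkin: dict) -> dict:
        command = "wipe" if checkin["serial"] in self.stolen else "ok"
        return {"command": command,
                "mac": mac_for(self.key, checkin["serial"], checkin["nonce"], command)}


class SpoofServer:
    """Attacker on the LAN answering check-ins without the key."""

    def reply(self, checkin: dict) -> dict:
        return {"command": "wipe", "mac": "00" * 32}


def run_checkin_scenarios() -> dict:
    results = {}
    server = LegitServer(FIRMWARE_KEY, stolen={"SN-STOLEN-01"})

    clean = Device(FIRMWARE_KEY, "SN-CLEAN-01")
    results["clean"] = clean.handle_reply(server.reply(clean.check_in()))

    stolen = Device(FIRMWARE_KEY, "SN-STOLEN-01")
    wipe_reply = server.reply(stolen.check_in())
    results["stolen"] = stolen.handle_reply(wipe_reply)

    # Spoofed server on the victim's LAN: the command arrives, the MAC does not verify.
    victim = Device(FIRMWARE_KEY, "SN-CLEAN-02")
    results["spoofed"] = victim.handle_reply(SpoofServer().reply(victim.check_in()))

    # Replaying a captured genuine wipe at another machine: wrong serial, stale nonce.
    victim.check_in()
    results["replayed_other_device"] = victim.handle_reply(wipe_reply)

    # Replaying it at the same machine later: the nonce it was bound to is gone.
    stolen.check_in()
    results["replayed_same_device"] = stolen.handle_reply(wipe_reply)
    return results
```

Note what this does not fix: the social-engineering path described above still works, because a server that has been talked into believing the laptop is stolen produces a perfectly valid signed "wipe".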
If we accept for the moment that virus is a second declension noun, then the nominative plural would be viri, not the original poster's virii. Virii would be the plural of virius. Beyond that, viri is a perfectly good Latin word; it means men.
But virus in that sense is not a second declension noun. It's a fourth declension noun (like cantus and gradus). The plural would thus be virus, with a macron over the u to indicate that it's long. (There's probably an HTML entity for it, but I'm too lazy to look it up.) Except, of course, that no classical author used virus in the plural.
You should make sure you know what you're talking about before you correct people. A little learning is a dangerous thing, and there are some things that a table of declensions won't tell you.