Slashdot Mirror
Ask Slashdot: How Do You Best Protect Client Files From Wireless Hacking?
dryriver writes: A client has given you confidential digital files containing a design for a not-yet-public consumer product. You need to work on those files on a Windows 10 PC that has a wireless chipset built into it. What can you do, assuming that you have to work under Windows 10, that would make 3rd party wireless access to this PC difficult or impossible? I can imagine that under a more transparent, open-source, power-user OS like Linux, it would be a piece of cake to kill all wireless access completely and reliably even if the system contains wireless hardware. But what about a I-like-to-phone-home-sometimes, non open-source OS like Windows 10 that is nowhere near as open and transparent? Is there a good strategy for making outside wireless access to a Windows 10 machine difficult or impossible?
.. and disabling the device in Windows 10 or the BIOS isn't enough, then just remove the wireless card. If by PC you mean desktop PC, unless it's a USB wifi chip soldered onto the motherboard, it'll be a typical miniPCIe or M.2 card. Remove it. For laptops a physical switch or hotkey for disabling the wifi card at the firmware level is common, but the same goes for that. They're not soldered onto the board (with some very rare exceptions) - they're miniPCIe or M.2 cards that are removable. Whether they're easily accessible varies by laptop model, but they're still removable.
on a Windows 10 PC First problem
that has a wireless chipset built into it Second problem.
1. Don't work on sensitive issues using Windows of any version. Explore a windows VM under a more secure hypervisor where the guest cannot override the host on hardware or network issues.
2.Don't work on sensitive issues using a system with communications ability that does not use a verified hardware kill switch. EG: Avoid systems that use software to check the hardware switch to disable. Use hardware that uses a hardware switch to either kill power to that subsystem or uses an NMI to prevent function.
3. Build a Faraday cage room for sensitive work stations. There are government manuals on how to create TEMPEST spaces.
Sound hard? Somewhat. But then again, security, real security, isn't trivial.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Just Google the model of the laptop in question and teardown, example, "thinkpad yoga teardown"
Many laptops still use WIFI+Bluetooth cards which can be physically removed. The antenna wire runs directly to the module and can be removed disabling the antenna if you don't want to pull the module.
Even the newer Yoga's have WIFI modules which can be physically removed.
So if you want to make outside WIFI access difficult or impossible, remove the module and it will be impossible. Plug the laptop into physical wiring only and secure your network.
As for running Windows 10, that OS has a mind of it's own and the only way you can stop the madness is at the network level.
I was going to suggest VirtualBox as well.
I routinely install Windows into VirtualBox guests that have no virtual LAN adapters configured (i.e.: no network access). The guests can only access: inserted optical discs and/or .iso files; authorized USB sticks; persistent/non-persistent VirtualBox shares.
The big downside, though, is accelerated graphics: