Laptop ban, and threat models

At some point this past month, the USA has been talking about banning laptops from cabin luggage on flights coming from Europe, as well as from the Middle East, where such a ban is already in effect. This appears to have been reversed just a week later, so it may not be quite a problem right now.

Many words have been spent already to point out how pointless, unsafe, and ultimately futile this ban is for its stated reasons, and on the security risks connected with the Government (capital G because this is mostly an abstraction at this point) having access to your laptop without your presence, so I won’t be spending any time on that. I may come back to the practical security aspects, including mitigation, later, but for this post I’m mostly interested in talking about threat modeling, which should always be at the base of security practice, but often isn’t.

Let’s handwave the first point, and assume that anyone with the means who wants to mess with you, either actively (attacking you) or passively (monitoring you), can take over your laptop if they have physical access to it. Any laptop, and within an amount of time consistent with how long the laptop is out of your control in a situation such as checking it in for a flight. As I said, this has been discussed and is being discussed, and it’s not the kind of thing I’m interested in talking about here.

The question I want to ask is: who should be worried about their laptops? Everybody, or a limited public? To answer this question, I will use three straw travellers, and give examples of why all three of them should care about this particular problem, even though it may not appear so at first. These actors are drawn from the information I have about myself, my sister, and my brother in law, because the three of us have interestingly different sets of problems and fit widely different categories.

So there is me, working for a multinational company that, in its entirety, has access to a significant user base and personally-identifiable information (PII) (although I don’t have access to much of that, luckily for me). My sister, who works for a small, local company in Italy that used to hold PII from the local government, but nowadays at most has access to clothing and accessory manufacturers’ model and price information. And my brother in law, who works in the sales department of a different kind of multinational company, in a specific industrial manufacturing sector, holding a number of patents on its technologies.

Is every government interested in the three of us equally? I think it’s clear that it is not. The United States, with their current government being worse than the twenty years of Berlusconi we had in Italy, is moving further and further away from a democracy, and having the ability to target people based on profiling that can only be done with PII that no company in its right mind would ever surrender short of a hostile takeover, would probably be interested in me. Either because my laptop could contain, or be used to gather, credentials to access said PII, or because through me they could work their way through to more interesting targets.

Would they care about either my sister or my brother in law? Probably only if they knew the connection and were planning on getting to me indirectly, which I would expect they wouldn’t do, as I’m too small a number in the organization to be worth that amount of time. Getting me first hand, sure; through third parties? Probably not. It would then be easy to discount the problem: who cares, if you’re a possible target of the US government, use burner laptops; if you’re not, check in your laptop and stop complaining! Except.

Except you can imagine a different government, say one that people have been very sceptical about because it tends to have a heavy hand on both its local and export markets, and that has been suggested to play a role in industrial espionage against foreign companies. Such a government may actually be interested in my brother in law’s computer. While he doesn’t work on the technology himself any more, he probably gets to know about launches, new sales and, most importantly, the prices they apply to their customers. If the government is out to make money, rather than to profile people, he’s a target.

But governments, usually, play by some rules. Well, maybe not the US government this year, but even the TSA has some regard for which luggage gets inspected, and how the content of said luggage is treated. My checked-in luggage got inspected multiple times (because I flew far too much across the States these past few years), and they never broke or misplaced anything. In one case they actually repacked my bag better than I did myself, and I felt bad having to empty it out to take my charger out.

What I would be more worried about is the baggage handling on the European airport side. It was in the 90s that Venice Marco Polo had a huge problem with theft from checked-in luggage, but my mother is still afraid of that and upset, because she lost a number of souvenirs from her trip to Madrid (back when such a trip was worth a lot more money, and she got it as a prize for selling Avon products). But if valuable laptops are in the checked luggage, would you not expect this to happen again? This is something everybody risks being a target of. But of course it is very obvious, easy to notice, and possibly easy to make right.

What if there are criminals among the baggage handlers who are more sophisticated than that, and can actually use techniques similar to a government’s to subvert your laptop? As we have just seen with the WannaCry attack, this is more than just possible. But of course ransomware alone would, in this case, be a lot of wasted effort and just as visible as plain theft.

But what about criminals who may be looking to make much more money from CEO fraud? This kind of fraud is not new, it’s widespread enough, and it can make quite a bit of money. In this case, the laptop of someone working in sales for a medium-sized multinational company, or of someone working for a small company that contracts for a much bigger fashion accessory company, would be very interesting. Among other things, it is likely to let them in on the conversations happening with customers, and from there to understand the workflow of purchase orders and invoices… and if you just wait long enough between the travel and the scam, it’s going to be very hard to detect.

With these criminals, both my sister and my brother in law are targets, myself significantly less so, because I work in the engineering department, and thus have no access whatsoever to purchase orders and the like. Having an invoice arrive from me would raise all possible red flags and give the criminals away immediately.

Now, there are of course more stereotypes or templates of people, and I’m sure I could find one for whom storing a laptop in the checked luggage does not, actually, cause a significant risk. But my first impression from thinking about this is that we should all be careful, and paranoid, about this particular attack vector, even more so than about end-to-end encrypted messaging, which has instead taken over the conversation for the past year.

3 thoughts on “Laptop ban, and threat models”

  1. I wouldn’t be worried about Humpty Dumpty building his wall… as the nursery rhyme goes…

     Humpty Dumpty built a great wall,
     off of which he’ll have a great fall.
     All the world’s women and all the world’s men
     Will not want him together again.

     He might try protectionist policies like this, but the way he’s going about things, he’ll either be impeached or assassinated. To paraphrase Roger Waters, all in all he’s just another brick in the wall.

     My concern would be more for the fragility of the laptop and its battery. Unless you pay (comparatively) megabucks for an industrial-hardened one like I did, your average laptop’s case doesn’t offer a great deal of protection to the electronics inside. The race to the bottom on price has seen some real flimsy machines pushed through the production lines in China.

     The baggage handlers aren’t exactly gentle with people’s luggage, and thus the potential for a laptop to be damaged is significant.

     Rough and tumble pierces a battery… flames start. Heat builds up and before long, starts popping other batteries. What would have been a pretty inert device in the cabin becomes a potential bomb, in close proximity to other, similarly explosive, bombs. A counter-productive policy if ever I heard one.

     Physical access is of course of concern, but given how much luggage passes through, I doubt they’d have the time. They’ve got to identify your bag, open it up to locate the laptop, perform their exploit on it, then put everything back. In theory they could do this to one or two bags, but given the volume of traffic and timing requirements, I doubt they’d get the chance in practice.


  2. With the right setup, I’d guess that you could change the MBR code in under 2 minutes. (Open laptop, remove HDD, stick it into loader, replace and close laptop.)


  3. You tried opening a modern laptop (in an undetectable manner) in two minutes? Some might, but not most of the low-end rubbish you see today.

     My work one even, a Panasonic CF-53… you might get the HDD caddy out in 10 seconds flat, but it’ll be 20 minutes of careful prying with a screwdriver before you get near the SATA connector on the SSD.
