197

My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while). I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?

and

I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.

I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?

Improve this question
1
  • 4
    Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Commented Dec 21, 2018 at 15:52

10 Answers 10

Reset to default
272

If the device left your sight for any amount of time, replace it. It can no longer be trusted.

The cost to assure it can still be trusted significantly exceeds the cost of getting a new one

There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.

If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):

  • Weight distribution - Verify the precise weight of each component (ICs, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required. You'll need to be aware of the different tolerances each part has in order to know what is anomalous.

  • Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.

  • PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device. This is probably the easiest to do, although still takes specialized equipment and skills.

  • IC inspection - Physically remove the various layers on integrated circuits ("decapping") and analyze the internal die. For anything much more complicated than an 8051 microcontroller, this will require significant expertise and is not possible without a high level of domain knowledge and a lab. But this would have to be done for everything from the main chipset to every CPLD on the board. Do you have a full-face respirator and a fume hood for all the acid you'll need to use?

Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop. Note that this is not intended to be practical advice, and it is not even close to complete even if it was. It's meant only to illustrate this near-impossibility of searching for sophisticated hardware implants.

I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?

In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away their 0days by shooting them at any random nearby wireless devices.

Unfortunately, it is also theoretically possible that your modem has been compromised. If that is the case though, I think it'd be incredibly unlikely that it was done by your exploited laptop, as they could have just taken over your modem through your internet connection (TR-069 is a bitch), assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some silly worm.

I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?

Absolutely. There are many ways to open a laptop without that fact being apparent. While many sophisticated chassis intrusion detection mechanisms exist (some that even detect small changes in air pressure that would indicate a person messing with it), there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this (and don't store the photo on the computer!). If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences. This is sufficient to detect tampering by most adversaries, if done right.

The term for this is tamper-evidence, which is any technique that makes it difficult to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. There are lots of epoxy potting solutions too (but beware of overheating!). Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively. But consider how likely it is that they really compromised it.

Improve this answer
18
  • 13
    Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
    – redbow_kimee
    Commented Dec 22, 2018 at 23:04
  • 5
    @redbow_kimee That's extremely unlikely due to how quickly it would become known.
    – forest
    Commented Dec 23, 2018 at 3:09
  • 15
    Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
    – Peter Cordes
    Commented Dec 23, 2018 at 18:11
  • 11
    @PeterCordes Malicious firmware can get around SMI_COUNT.
    – forest
    Commented Dec 24, 2018 at 3:24
  • 2
    @JonBentley Yes, but that's a completely different threat model. If they want to get OP, they aren't going to be confiscating his laptop, they'll interdict it as it's being delivered.
    – forest
    Commented Dec 27, 2018 at 6:56
74

The main information we are lacking is your threat model.

Is it likely that the military targets you specifically, and would be willing to expend some resources on you? We don't need to know the details, but the answer changes depending on whether what happened is more or less standard procedure for your country, or you are being singled out.

And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.

If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.

The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.

If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.

For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.

The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.

However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.

Improve this answer
55

Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.

Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.

All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.

Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.

Improve this answer
1
  • 1
    Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Commented Dec 21, 2018 at 19:46
30

In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.

To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.

Any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.

Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and expensive. If you are not a likely suspect and of some significant importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that you provided/or any active browser cookies, and any files on the system should now be considered compromised.

Improve this answer
2
  • 7
    I don't understand why this answer is not the most-upvoted. Software backdoors are a million times more likely than a hardware one, for all sorts of reasons. I blame the effectively-debunked Bloomberg piece for the undue hype around hardware backdoors.
    – Angelo Schilling
    Commented Dec 26, 2018 at 19:42
  • @AngeloSchilling Fair, but the resolution for a durable rootkit in the firmware of your components is pretty much the same as it would be if novel hardware was grafted into your laptop.
    – Michael come lately
    Commented Nov 28, 2023 at 15:18
14

Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.

  1. Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.

  2. Do the same for every single component of your home network.

  3. Do the same for every device that was connected to said network during the time after the laptop was "returned".

  4. Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.

  5. Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".

  6. Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.

  7. I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.

Improve this answer
4
  • 11
    This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
    – Xen2050
    Commented Dec 22, 2018 at 15:55
  • 5
    Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
    – rackandboneman
    Commented Dec 22, 2018 at 19:54
  • 11
    Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
    – rackandboneman
    Commented Dec 22, 2018 at 19:57
  • 5
    Unless you want to burn two laptops instead of one, you should probably do #4 before #1.
    – Fax
    Commented May 23, 2019 at 12:33
12

If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.

I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).

It may not be possible to wipe it even under safe conditions due to compromised firmware.

If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.

You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.

There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.

Improve this answer
8
  • 2
    Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
    – Mark
    Commented Dec 19, 2018 at 0:45
  • 2
    ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
    – Tom
    Commented Dec 19, 2018 at 13:36
  • 2
    @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
    – forest
    Commented Dec 21, 2018 at 4:07
  • @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
    – Tom
    Commented Dec 21, 2018 at 9:45
  • @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
    – forest
    Commented Dec 21, 2018 at 9:52
7

I need to make sure if they have added something to monitor my activities or steal my data or not

Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.

As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.

And if they have done that, what should I do to prevent them.

I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.

Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.

Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.

You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?

You may want to escape from that country as soon as possible, for what concerns me.

Improve this answer
11
  • 6
    Leaving the country really is the best advice.
    – Gherman
    Commented Dec 20, 2018 at 15:01
  • 3
    It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
    – schroeder
    Commented Dec 20, 2018 at 19:24
  • 5
    There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
    – Xen2050
    Commented Dec 22, 2018 at 16:51
  • 2
    @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
    – forest
    Commented Dec 24, 2018 at 3:43
  • 1
    @Mark There is no huge, contiguous chunk. The outer volume is created first, just as if there was no hidden volume at all. Only after it is created are the unallocated regions (which are heavily fragmented) used to hide the hidden volume. The one and only difference between a real volume without a hidden volume and the outer, dummy volume is that one of them has unallocated space that is randomized, and the other has unallocated space that has encrypted data. For a modern cipher like the ones used in TrueCrypt/VeraCrypt, it is impossible to distinguish ciphertext from uniform random data.
    – forest
    Commented Mar 13, 2019 at 8:43
1

A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.

That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.

A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.

Improve this answer
4
  • 14
    You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
    – Mark
    Commented Dec 19, 2018 at 0:43
  • 17
    @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
    – Tom
    Commented Dec 19, 2018 at 11:44
  • 3
    Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
    – allo
    Commented Dec 20, 2018 at 14:11
  • A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
    – rackandboneman
    Commented Dec 22, 2018 at 19:58
0

The main issue is to have a good threat model. Perhaps the military are just doing routine things. Perhaps they have been ordered to spend a lot of specific efforts to spy you.

If you suppose that the military is doing routine (unsophisticated) things (then they probably installed some malware, probably one that most software tools won't detect, and have copied all the contents of your laptop on their servers), you could consider clearing all the disk (that is, reformatting it completely) and installing (for example) some Linux distribution on your computer (however, doing that might make you suspicious, but that is a different issue). Copying all the contents and adding a malware is, from the military point of view, very easy (it could take 5 minutes of human work, and 1 hour to wait for the copy to complete).

How to clear all the disk is a different matter. On Linux I would dd if=/dev/zero of=/dev/sda bs=4k for example which fills the sda disk with zero bytes. Of course, all the data is lost (on SSDs, something could remain) and you need to reformat (technically to repartition) the disk. And you could just replace the disk (it costs a few dozens of euros and can easily be changed).

As commented, you should perhaps reinstall the firmwarev(e.g. BIOS) of your laptop.

If you suppose that the military deploy specific efforts against you they could have physically embedded some microphone, some GPS, some other hardware inside the laptop to spy you (and then no software solution exists; and, unless you are a hardware expert, you won't be able to notice). Changing the hardware is less easy (could take hours or days). In that case you'll better destroy the laptop.

Improve this answer
2
  • 1
    Know that overwriting the disk in that way is unsafe on solid state drives.
    – forest
    Commented Dec 27, 2018 at 8:40
  • 2
    Firmware malware/backdoors are just as easy and would survive each of your suggestions.
    – schroeder
    Commented Dec 27, 2018 at 11:58
-5

If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computer's resources, however, they would have virtually no way to access other applications or processes which don't "put themselves out there".

Windows virtual memory addressing essentially scrambles memory of user-mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by Windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both processes.

Additionally malicious software set to run can see network traffic but that can be viewed by anyone also once it's broadcasted on a network.

So basically, securely written applications can't be easily dropped. Unless the "military" had access to OEM, Windows, or Intel/AMD and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.

Improve this answer
23
  • 4
    I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
    – usr-local-ΕΨΗΕΛΩΝ
    Commented Dec 20, 2018 at 12:07
  • Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
    – marshal craft
    Commented Dec 20, 2018 at 12:33
  • "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
    – usr-local-ΕΨΗΕΛΩΝ
    Commented Dec 20, 2018 at 12:39
  • In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
    – usr-local-ΕΨΗΕΛΩΝ
    Commented Dec 20, 2018 at 12:41
  • 2
    Let us continue this discussion in chat.
    – usr-local-ΕΨΗΕΛΩΝ
    Commented Dec 20, 2018 at 12:57

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .