Laptop Repair vs. Evil Maid
Suppose you need a laptop repair, so you bring it to
- A big box store where you have some sort of coverage (who will have the computer for 2-3 weeks)
- A small chain of repair shops
- a small independent repair shop
All in the United States. Now, we are going to assume you cant practically perform the repair yourself without damaging the machine (perhaps anti-tampering mechanisms are built into it)
Now normal attempts at avoiding the evil maid usually involve some tamper-proofing or taking physical measures to be able to check if the computer has been tampered with, or even doing something like using radio waves bouncing around inside the case to check if something has changed (saw a paper/article on that somewhere) or using a wire where if the connection is interrupted takes some sort of an action (shutting down, notifying the owner somehow, etc.)
However, here, the laptop will be "tampered" with intentionally.
Particularly for the big box store, they typically don't do board-level repair; rather, they do a somewhat ham-fisted approach of replacing components like a laptop motherboard with CPU + GPU + TPM on it or replacing the entire machine.
There are some reasons to think that getting a computer repaired requires a security evaluation:
- Snooping/stealing your data 0 1
- (Tinfoil hat) Cooperate involvement with spooky government agencies for (possible):
- Mass surveillance (primary concern)
- Because the repair shop has contracts with government agencies/military/security contractors/etc.
- (Fairly legit but should probably have your consent too/inform you) Law-enforcement reasons like in this article
- Set up a botnet or other malicious intents (probably by a rouge employee or malicious shop)
I shudder to think what malware/spyware they might install, what they use to search the computer, or even what new compromised hardware they might install. Goodness, I have heard of people saying you should not bring a laptop to China 1 2 3 4 or one can get a rootkit just from plugging a phone into an unknown USB device. I can't imagine if an "adversary" knowingly has full physical access for days or weeks!
The primary interest for doing this vs. a supply chain attack in the first place would be to exfiltrate data after the machine has been used. I am unsure if there is any additional intention for installing extra surveillance mechanisms/malware for mass surveillance beyond what already might be there through the supply chain (e.g., likely, Intel ME, AMD PSP, or Windows).
So suppose I use secure boot and can verify my OS is fine; the boot firmware/BIOS/UEFI could always be compromised, or new hardware could be installed that I don't know about (ignored by the Evil Maid firmware/bios/don't know exact terms/etc. intrigued by this answer, but iirc MBR is an old Windows/DOS "standard" before UEFI, and I don't know if this applies to types of ROM or firmware that might be installed in various chips on the board).
Also, the TPM may have been replaced (or compromised), so I may not even be able to verify my OS (or trust such verification).
In extreme cases, the CPU/GPU/TPM or other chips could be removed and hooked up to a JTAG device and compromised or replaced with identical-looking malicious counterparts (same with other chips on the MOBO or elsewhere in the computer, especially in hard-to-inspect regions)
Assuming I am within a standard deviation of "interesting" (no more interesting than anyone else), I'd like to know how to achieve a reasonable amount of relative security (by auditing, or taking steps before the computer goes out, or things I can do when it gets back); and by relative, I mean no worse than before (regardless of spyware, Intel ME, etc., was installed on the machine before). Basically, ensure that what I shipped out was what I got back (just possibly with some replaced parts, but those parts are not compromised).
Here is what I am thinking:
- Remove any disk (SSD/HDD) before sending it out
- Remove RAM (if it does not require a boot, post can be checked, and they will take it) if you can (some RAM might be soldered to the board)
- If you can't remove RAM, run some process that takes a lot of RAM to ensure that secrets are not still in there (like passwords) but have no secrets/important info itself (possibly overwrite memory).
- Document the device: copy codes, serial numbers, etc., on as many chips inside the device as possible, and take as many pictures of the boards as possible (though there may be some that are inaccessible, particularly in a laptop)
- (And this one I need help with) Dump all firmware, ROMs, BIOS/UEFI images that you can, and create checksums: The issue with this is that there could be a legitimate update, say to a new UEFI version, or you have a slightly different version of the board. You could try to diff the binary to see if substantial portions were changed, but if malware existed before, suppose, and a flag was flipped to switch it on, so you could not tell, you might not know. So you cant fully tell, but you can limit certain things. Here, I would like to ask how this can be done, especially with minimal hardware If possible, I would like to use the computer. If this is impossible, it is something like an RPi or simple-to-build circuit, but nothing too expensive.
- Social Engineering: Tell an employee to make a note that you will audit the computer after you get it back to make sure things are the same (perhaps specifying certain measures you will take). This could easily backfire, though, and make you more suspicious and make you more thoroughly investigated/a target for any spook that may (or may not) be going on.
- Make a specific request(s): i.e., "Please preserve the TPM" and "Please make sure the same BIOS version is used."
Are there any other possible threat modeling/countermeasures people can think of (extreme or reasonable)?
