This e-book is a compilation of 44 articles published by InfoSec Institute within the period 2012 - 2015. The articles, published in the chronological order of their first publication, are focused on the privacy and security implications of modern technologies, such as the Internet of Things, human-implanted RFID chips, crowdsensing technologies, beacons, smartwatches, sleep-tracking devices, Google Glass, and nanorobots.
While there are hundreds of quality publications in the field of information security, there are few books that analyse the privacy and security of cutting-edge technologies. Thus, the present book can be an important supplement to any textbooks and other materials dealing with information security in general.
Since one of the authors of the present work is a lawyer and the other has a background in digital culture, the book Privacy and Security of Modern Technology pays specific attention to the legal and cultural aspects of modern technologies. Furthermore, the information in the book is easy to understand even for people who do not have extensive knowledge in the field of information security.
Legal and Technological Concerns Regarding the Use of BIOS Anti-theft Technologies
1. Introduction
In 2006, a laptop containing personal and health data of 26,500,000 veterans was stolen from a data analyst working for the US Department of Veterans Affairs. The data contained the names, dates of birth, and some disability ratings of the veterans. It was estimated that the process of preventing and covering possible losses from the theft would cost between USD 100 million and USD 500 million.
One year later, a laptop used by an employee of the UK's largest building society was stolen during a domestic burglary. The laptop contained details of 11 million customers' names and account numbers. The information was unencrypted. Subsequently, the UK's largest building society was fined GBP 980,000 by the Financial Services Authority (FSA). The reason for the fine was failing to have effective systems and controls to manage its information security risks.
From these two examples, it can be inferred that laptop theft is a serious problem that concerns both businesses and individuals. Victims of laptop theft can lose not only their software and hardware, but also sensitive data and personal information that have not been backed up. The current methods to protect the data and to prevent theft include alarms, anti-theft technologies utilized in the PC BIOS, laptop locks, and visual deterrents.
This article is focused on BIOS anti-theft technologies. It starts with an overview of these technologies (Section 2). Next, the work discusses the legal (Section 3) and technological problems (Section 4) arising from the use of BIOS anti-theft technologies. Then, it recommends solutions to those problems (Section 5). Finally, a conclusion is drawn (Section 6).
2. Overview of BIOS anti-theft technologies
BIOS anti-theft technologies are embedded in the majority of laptops sold on the market. They consist of two components, namely, an application agent and a persistence module. The application agent is installed by the user. It periodically provides device and location data to the anti-theft technology vendor. In case a laptop containing an installed application agent is stolen, the anti-theft technology vendor connects to the application agent with the aims of determining the location of the computer and deleting the data stored on the laptop.
Upon a request of the owner of the laptop, the anti-theft technology may permanently erase all data contained on the magnetic media. In order to make sure that the data have been deleted properly, some anti-theft technology vendors overwrite the data sectors of the deleted files.
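The difference between deleting a file and overwriting its data sectors, as described above, is illustrated by the following added example. It is not code from the article or from any anti-theft vendor; the sample record, the function names and the single-pass random overwrite are constructed for the demonstration. It shows why a plain unlink is not enough: the directory entry goes, but the bytes stay on the platter until something rewrites them.

```python
import os
import secrets
import tempfile

# Constructed sample record standing in for the data the owner wants gone.
SAMPLE = b"CUSTOMER 0001; ACCOUNT 12345678; " * 64


def overwrite_in_place(path: str, passes: int = 1, chunk_size: int = 64 * 1024) -> int:
    """Overwrite every byte of the file with random data and force it to disk.

    Opening with "r+b" keeps the existing inode, so on magnetic media with an
    in-place-updating filesystem the same sectors that held the data are
    rewritten. On SSDs and on copy-on-write or journaling filesystems the old
    blocks may survive elsewhere, which is why the article's vendors talk about
    "magnetic media". Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the new contents past the page cache
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite the data sectors first, then remove the directory entry."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    return size


def demo() -> tuple:
    """Write the sample to a temp file, scrub it, and report what a raw read still shows."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE)
        path = tmp.name
    overwritten = overwrite_in_place(path)
    with open(path, "rb") as f:
        residue = f.read()
    # The file still exists and has the same length, but the record is gone.
    marker_gone = b"CUSTOMER" not in residue and len(residue) == len(SAMPLE)
    os.unlink(path)
    return marker_gone, not os.path.exists(path), overwritten


if __name__ == "__main__":
    print(demo())
```

A single pass of random data is sufficient on modern magnetic drives; the extra passes exist for older, lower-density media. For SSDs the appropriate counterpart is the drive's own secure-erase command or whole-disk encryption with key destruction, neither of which this file-level routine replaces.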
The persistence module is embedded in the BIOS of most laptops during the manufacturing process. The BIOS is the code that runs when the computer is powered on. It initialises the chipset, the memory subsystem and the attached devices, and runs diagnostics. The BIOS is also referred to as firmware.
The persistence module is activated during the first call of the application agent to the anti-theft technology vendor. The persistence module restores the application agent if it has been removed. For instance, in case a thief steals a computer and reinstalls the operating system, the persistence module will restore the agent. It should be noted that, until the application agent is installed by the user, the persistence module remains dormant.
Even if the BIOS is flashed, a persistence module that has been enabled will continue restoring the application agent. This is because the persistence module is stored in a part of the BIOS that cannot be flashed or removed.
3. Legal issues
In principle, if the buyer of a laptop agrees to the installation of an application agent on her computer, there is nothing illegal in the use of anti-theft technologies. However, in some cases, a seller of a laptop may either accidentally activate the application agent before sending it out or sell to the buyer a machine that was originally meant for a customer who ordered a computer with an installed application agent.
When an application agent is installed without the consent of the user, it falls within the scope of the definition of a backdoor. A backdoor is a program that gives a remote, unauthorized party complete control over a system by bypassing the normal authentication mechanism of that system.
The application agent is not the first case of a backdoor not specifically designed to damage and/or disrupt a system. In April of 2000, several e-commerce websites discovered that their Cart32 shopping cart software contained a backdoor password enabling any user to obtain a listing of the passwords of every authorized user on the system. The purpose of the backdoor was to enable technical support personnel to recover the users' passwords. Because the backdoor password was embedded in the program code itself, anyone with access to the software could exploit it undetected.
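The two design mistakes behind the Cart32 case, a support password compiled into the program and a password store that can be listed in clear, are shown side by side with a hardened form in the following added example. It is not Cart32's code, and the master password, user names and passwords in it are constructed placeholders; the real value is not given on this page. The hardened version has no second way in, stores only salted hashes, compares them in constant time, and turns "password recovery" into a reset that issues a fresh random credential.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder; the actual Cart32 value is not part of this page.
SUPPORT_PASSWORD = "support-master-EXAMPLE"


# --- The pattern the article describes: a password embedded in the program ---

def vulnerable_login(users: dict, username: str, password: str) -> bool:
    """Plaintext store plus a built-in master password that skips the per-user check.

    Anyone who can read the program learns SUPPORT_PASSWORD and can log in as
    any user, and nothing in the normal login path distinguishes that event.
    """
    if password == SUPPORT_PASSWORD:
        return True
    return users.get(username) == password


def vulnerable_list_passwords(users: dict) -> list:
    """The 'support recovery' feature, possible only because passwords are kept in clear."""
    return [(u, p) for u, p in users.items()]


# --- Hardened form: salted hashes, constant-time compare, reset instead of recovery ---

ITERATIONS = 100_000  # PBKDF2 work factor; raise on real systems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user(store: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[username] = (salt, _hash(password, salt))


def hardened_login(store: dict, username: str, password: str) -> bool:
    """Only the stored per-user hash is consulted; there is no master credential."""
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


def reset_password(store: dict, username: str) -> str:
    """Support cannot read a password, so recovery means issuing a fresh random one."""
    new_password = secrets.token_urlsafe(12)
    create_user(store, username, new_password)
    return new_password


def demo() -> dict:
    """Exercise both designs with constructed accounts and return the outcomes."""
    weak = {"alice": "hunter2"}
    strong = {}
    create_user(strong, "alice", "hunter2")
    results = {
        "weak_master_works": vulnerable_login(weak, "alice", SUPPORT_PASSWORD),
        "weak_list": vulnerable_list_passwords(weak),
        "strong_correct": hardened_login(strong, "alice", "hunter2"),
        "strong_master_works": hardened_login(strong, "alice", SUPPORT_PASSWORD),
    }
    fresh = reset_password(strong, "alice")
    results["strong_old_after_reset"] = hardened_login(strong, "alice", "hunter2")
    results["strong_fresh_works"] = hardened_login(strong, "alice", fresh)
    results["strong_unknown_user"] = hardened_login(strong, "bob", fresh)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the reset function is that a support path does not have to be a backdoor: it can be an audited, administrator-initiated action whose result is visible to the account owner (the old password stops working), rather than a silent credential that works everywhere and leaves no trace.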