aboutsummaryrefslogtreecommitdiff
path: root/docs/hardware/x60_security.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/hardware/x60_security.md')
-rw-r--r--docs/hardware/x60_security.md123
1 files changed, 58 insertions, 65 deletions
diff --git a/docs/hardware/x60_security.md b/docs/hardware/x60_security.md
index b393c232..44d5fb4a 100644
--- a/docs/hardware/x60_security.md
+++ b/docs/hardware/x60_security.md
@@ -1,10 +1,14 @@
-% Security on the ThinkPad X60
+
+Security on the ThinkPad X60
+============================
Hardware modifications to enhance security on the ThinkPad X60. This
tutorial is **incomplete** at the time of writing.
[Back to previous index](./)
+
+
Table of Contents
=================
@@ -12,6 +16,8 @@ Table of Contents
- [Software Requirements](#software_requirements)
- [The procedure](#procedure)
+
+
Hardware requirements {#hardware_requirements}
=====================
@@ -25,6 +31,8 @@ Software requirements {#software_requirements}
- none (at least in the scope of the article as-is)
- You probably want to encrypt your GNU+Linux install using LUKS
+
+
Rationale
=========
@@ -39,58 +47,42 @@ purely theoretical for the time being.
Disassembly {#procedure}
===========
-Firstly remove the bluetooth (if your X60 has this):
-
+Firstly remove the bluetooth (if your X60 has this):\
The marked screws are underneath those stickers (marked in those 3
-locations at the bottom of the LCD assembly):
-
-![](../images/x60_security/0000_bluetooth0.jpg)
-
+locations at the bottom of the LCD assembly):\
+![](../images/x60_security/0000_bluetooth0.jpg)\
Now gently pry off the bottom part of the front bezel, and the bluetooth
-module is on the left (easily removable):
-
-![](../images/x60_security/0000_bluetooth.jpg)
-
-If your model was WWAN, remove the simcard (check anyway):
-
-Uncover those 2 screws at the bottom:
-
-![](../images/x60_security/0000_simcard0.jpg)
-
-SIM card (not present in the picture) is in the marked location:
-
-![](../images/x60_security/0000_simcard1.jpg)
-
+module is on the left (easily removable):\
+![](../images/x60_security/0000_bluetooth.jpg)\
+
+If your model was WWAN, remove the simcard (check anyway):\
+Uncover those 2 screws at the bottom:\
+![](../images/x60_security/0000_simcard0.jpg)\
+SIM card (not present in the picture) is in the marked location:\
+![](../images/x60_security/0000_simcard1.jpg)\
Replacement: USB dongle.
Now get into the motherboard.
-Remove those screws:
-
+Remove those screws:\
![](../images/x60_security/0000.jpg)
-Push the keyboard forward (carefully):
-
+Push the keyboard forward (carefully):\
![](../images/x60_security/0001.jpg)
-Lift the keyboard up and disconnect it from the board:
-
+Lift the keyboard up and disconnect it from the board:\
![](../images/x60_security/0002.jpg)
Grab the right-hand side of the chassis and force it off (gently) and
-pry up the rest of the chassis:
-
+pry up the rest of the chassis:\
![](../images/x60_security/0003.jpg)
-You should now have this:
-
+You should now have this:\
![](../images/x60_security/0004.jpg)
The following is a summary of what you will remove (already done to this
-system):
-
-![](../images/x60_security/0001_overview.jpg)
-
+system):\
+![](../images/x60_security/0001_overview.jpg)\
Note: the blue lines represent antenna cables and modem cables. You
don't need to remove these, but you can if you want (to make it tidier
after removing other parts). I removed the antenna wires, the modem
@@ -99,11 +91,9 @@ part where the wwan antenna goes (wasn't sure what it was, but I knew
it wasn't needed). **This is optional**
Remove the microphone (can desolder it, but you can also easily pull it
-off with you hands). Already removed here:
-
-![](../images/x60_security/0001_microphone.jpg)
-
- Rationale:
+off with you hands). Already removed here:\
+![](../images/x60_security/0001_microphone.jpg)\
+**Rationale:**\
Another reason to remove the microphone: If your computer
gets[\[1\]](#ref1) compromised, it can record what you say, and use it
to receive data from nearby devices if they're compromised too. Also,
@@ -112,42 +102,31 @@ could theoretically be programmed to accept remote commands from some
speaker somewhere (remote security hole). **In other words, the system
could already be compromised from the factory.**
-Remove the modem:
-
-![](../images/x60_security/0001_modem.jpg)
-
+Remove the modem:\
+![](../images/x60_security/0001_modem.jpg)\
(useless, obsolete device)
-Remove the speaker:
-
-![](../images/x60_security/0001_speaker.jpg)
-
+Remove the speaker:\
+![](../images/x60_security/0001_speaker.jpg)\
Reason: combined with the microphone issue, this could be used to leak
-data.
-
+data.\
If your computer gets[\[1\]](#ref1) compromised, it can be used to
transmit data to nearby compromised devices. It's unknown if it can be
-turned into a microphone[\[2\]](#ref2).
-
+turned into a microphone[\[2\]](#ref2).\
Replacement: headphones/speakers (line-out) or external DAC (USB).
-Remove the wlan (also remove wwan if you have it):
-
-![](../images/x60_security/0001_wlan_wwan.jpg)
-
+Remove the wlan (also remove wwan if you have it):\
+![](../images/x60_security/0001_wlan_wwan.jpg)\
Reason: has direct (and very fast) memory access, and could
-(theoretically) leak data over a side-channel.
-
+(theoretically) leak data over a side-channel.\
**Wifi:** The ath5k/ath9k cards might not have firmware at all. They
might safe but could have access to the computer's RAM trough DMA. If
people have an intel card(most X60s come with Intel wifi by default,
until you change it),then that card runs a non-free firwamre and has
access to the computer's RAM trough DMA! So the risk-level is very
-high.
-
+high.\
**Wwan (3g modem):** They run proprietary software! It's like AMT but
-over the GSM network which is probably even worse.
-
+over the GSM network which is probably even worse.\
Replacement: external USB wifi dongle. (or USB wwan/3g dongle; note,
this has all the same privacy issues as mobile phones. wwan not
recommended).
@@ -175,8 +154,7 @@ half of the video to see how to do the above.
Also not covered yet:
---------------------
-- Intrusion detection: randomized seal on screws
-
+- Intrusion detection: randomized seal on screws\
Just put nail polish with lot of glider on the important screws,
take some good pictures. Keep the pictueres and make sure of their
integrity. Compare the nail polish with the pictures before powering
@@ -196,6 +174,8 @@ Also not covered yet:
- <https://en.wikipedia.org/wiki/Tempest_%28codename%29>
- https://gitorious.org/gnutoo-for-coreboot/grub-assemble/source/a61f636797777a742f65f4c9c58032aa6a9b23c3:
+
+
Extra notes
===========
@@ -213,6 +193,7 @@ with the help of an SDR and some directional antennas[\[3\]](#ref3).
controller](http://www.coreboot.org/Intel_82573_Ethernet_controller) on
the X60 seems safe, according to Denis.
+
Risk level
----------
@@ -223,6 +204,9 @@ Risk level
- Speakers: only problematic if the computer gets compromised.
- EC: can be mitigated if following the guide on software security.
+
+
+
Further reading material (software security)
============================================
@@ -232,9 +216,12 @@ Further reading material (software security)
/boot)](../gnulinux/encrypted_parabola.html)
- [Notes about DMA access and the docking station](dock.html)
+
+
References
==========
+
\[1\] physical access {#ref1}
---------------------
@@ -247,6 +234,8 @@ to 400000\$, some other websites had prices 10 times lower but that but
it was probably a typo. So if people increase their security it makes it
more risky and more costly to attack people.
+
+
\[2\] microphone {#ref2}
----------------
@@ -257,6 +246,8 @@ microphone jack can now become a headphone plug, that's called
retasking. There is some support for it in GNU+Linux but it's not very
well known.
+
+
\[3\] Video (CCC) {#ref3}
-----------------
@@ -265,8 +256,10 @@ their demo is experimental(their hardware also got damaged during the
transport), the spies probably already have that since a long time.
<http://berlin.ftp.media.ccc.de/congress/2013/webm/30c3-5356-en-Firmware_Fat_Camp_webm.webm>
-Copyright © 2014, 2015 Leah Rowe <info@minifree.org>
+
+
+Copyright © 2014, 2015 Leah Rowe <info@minifree.org>\
Permission is granted to copy, distribute and/or modify this document
under the terms of the Creative Commons Attribution-ShareAlike 4.0
International license or any later version published by Creative