
New solutions to remotely secure a stolen laptop

In the past, a lost laptop automatically meant a compromise of whatever confidential data it contained. This is changing for the better, however. Paul Mah discusses the latest developments on the anti-theft front, featuring remote management or deletion of data for laptops that are lost or stolen.

I recently wrote about some simple hardware approaches to secure laptops. In that earlier article, I advocated the use of FDE (full disk encryption) or the use of an encrypted flash volume as a means to ensure the security of confidential or private data.

A couple of vendor announcements in the past few weeks show an increased emphasis on data protection.  I'll examine developments on the anti-theft front for the remote management of stolen laptops -- once the sole domain of smartphones like the RIM BlackBerry and Microsoft's Windows Mobile-based devices.

Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian

One proprietary solution that got on my radar a few months ago is the OmniAccess 3500 Nonstop Laptop Guardian by Alcatel-Lucent.  The 3500 is a Linux-based PCMCIA card that emulates a smartcard for authentication.  In short, the laptop will cease to work if this PCMCIA card is physically removed.  What differentiates the 3500 from a typical smartcard is that it packs an integrated 3G modem, GPS, and its own battery for power.

The wireless link and GPS let the PC be located and have its security policies managed even if the laptop is turned off. The depth of its features, which include the ability to terminate VPN traffic and store encryption keys, currently represents the holy grail of locking down and managing remote laptops.

Of course, its downside is that it is only available in the PCMCIA form factor - which is fast losing appeal among newer laptops.

Lenovo Constant Secure Remote Disable

Lenovo recently announced a feature called Lenovo Constant Secure Remote Disable. Working together with BIOS maker Phoenix Technologies, Lenovo integrated the ability for a user to remotely disable his laptop on the hardware level. This is done by means of a text message containing a "kill command" that is sent from designated mobile phones.

Once the kill command is sent, the ThinkPad is either disabled immediately or when the laptop is turned back on - as in the case when a system is suspended or hibernated.  Once shut down this way, the only way to get the laptop back on is to type in a preconfigured "resurrection code" when the laptop is started.  Obviously, an embedded cellular WWAN (wireless wide-area network) card will be necessary to use this feature, as well as a relevant mobile subscription to allow receipt of text messages.

Lenovo Constant Secure Remote Disable will be available as a free BIOS upgrade expected this month or in the first quarter of 2009. The technology will work with ThinkPad laptops running on the Intel Centrino 2 platform.

Intel Anti-Theft PC Protection

The first laptop based on Intel's anti-theft technology, ironically, will also be released by Lenovo this month. Lenovo's new ThinkPad T400 will ship with Intel's Anti-Theft PC Protection as well as Computrace technology from Absolute Software.

The combination of both hardware and software allows for a robust solution. For example, via the Computrace software, it is possible to set timers to disable logins if the computer has not checked in with a central server within a set period of time. It can also help in tracing the location of the laptop or remotely lock it via the Internet in the event of theft.

A machine can also be set to brick upon a certain number of password failures, or a signal from a remote server. When bricking, the chipmaker's vPro technology can halt the laptop at the BIOS boot screen, effectively rendering the entire hardware useless. It can also permanently erase the encryption keys for an FDE disk, ensuring the confidentiality of data.
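The triggers described in this section (missed check-in timer, password-failure count, remote signal) can be modelled as a small state machine. This is an added example, not Intel's or Absolute Software's code; the names, event labels, thresholds, the use of seconds, and the choices that a check-in re-enables logins and that a bricked machine stays bricked are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ACTIVE, LOGIN_DISABLED, BRICKED = "active", "login_disabled", "bricked"

@dataclass
class Policy:
    checkin_window: int     # max seconds between server check-ins (assumed unit)
    max_bad_passwords: int  # password failures that trigger bricking

@dataclass
class Laptop:
    last_checkin: int
    bad_passwords: int = 0
    state: str = ACTIVE
    fde_key: Optional[bytes] = b"constructed-demo-key"  # constructed sample value

def brick(laptop):
    """Halt the machine and discard the disk key, as the article describes."""
    laptop.state = BRICKED
    laptop.fde_key = None

def step(policy, laptop, now, event):
    """Apply one event at time `now` and return the resulting state."""
    if laptop.state == BRICKED:           # terminal in this model (assumption)
        return BRICKED
    if event == "remote_signal":          # server reports the machine stolen
        brick(laptop)
    elif event == "checkin":              # assumption: check-in re-enables logins
        laptop.last_checkin, laptop.state = now, ACTIVE
    elif now - laptop.last_checkin > policy.checkin_window:
        laptop.state = LOGIN_DISABLED     # timer expired before this event
    # Password attempts are only evaluated while logins are still allowed.
    if laptop.state == ACTIVE and event == "bad_password":
        laptop.bad_passwords += 1
        if laptop.bad_passwords >= policy.max_bad_passwords:
            brick(laptop)
    elif laptop.state == ACTIVE and event == "good_password":
        laptop.bad_passwords = 0
    return laptop.state

def replay(policy, events, start=0):
    """Run constructed (time, event) pairs; return per-event states and the laptop."""
    laptop = Laptop(last_checkin=start)
    return [step(policy, laptop, t, e) for t, e in events], laptop
```

Evaluating the timer before the password event means a correct password entered after the check-in window has lapsed is still refused.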

Conclusion

The advantage of the approach taken by the OmniAccess 3500 Nonstop Laptop Guardian by Alcatel-Lucent is that it leverages well-understood smartcard technologies. Building a stand-alone data modem and GPS hardware into a PCMCIA form factor can't be cheap, but does allow for a comprehensive end-to-end solution for laptops containing extremely high-value data.

Lenovo's approach allows the use of relatively minor BIOS updates to bestow the ability to remotely shut down compliant ThinkPads. A built-in WWAN card is still necessary, as is a relevant mobile plan subscription. On the bright side, availability of laptops with built-in WWAN cards can only increase, and if the feature proves popular, it should be trivial for other vendors to incorporate.

Finally, Intel's approach represents a solution involving both hardware and software vectors. The vPro technology gives it the robustness of a hardware-based solution, while the use of software like Absolute Software's Computrace gives it versatility and control second to none. The downside appears to be slightly higher complexity in terms of management, though.

What do you think of the solutions mentioned so far?  Which anti-theft technology do you see as something you will deploy, or see wide deployment over the next few years?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

6 comments
Daniel.Muzrall

http://adeona.cs.washington.edu/ From their website: "Adeona is the first Open Source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service. This means that you can install Adeona on your laptop and go - there's no need to rely on a single third party. What's more, Adeona addresses a critical privacy goal different from existing commercial offerings. It is privacy-preserving. This means that no one besides the owner (or an agent of the owner's choosing) can use Adeona to track a laptop. Unlike other systems, users of Adeona can rest assured that no one can abuse the system in order to track where they use their laptop."

curtis

We just use FDE along with a USB encryption token, and train users not to keep them in the same place. The data is what we're concerned about, not so much the cost of the laptop hardware itself. Lenovo's approach is exciting though, it would be neat if it could text back the GPS location to you.

paulmah

In the past, a lost laptop automatically meant a compromise of whatever confidential data it contained. This is changing for the better, however. Here are the latest developments on the anti-theft front, featuring remote management or deletion of data for laptops.

pierre.lavelle

Look for portable thin clients, like Tadpole (I am NOT affiliated with them). You may still lose your laptop, but the data never went outside your company's servers. Only the requested chunks were shown on the screen, and the link was encrypted by a VPN. Long live the Thin Client. Downside: it does not work if you don't have a link... you should relax and enjoy those precious last few moments.

ken.kruger

I do not think the PCMCIA form factor is a downside. The newer USB based WWAN is just another security issue. Many of them include more removable storage which just adds to the security problems. I think that OmniAccess has the correct form factor with PCMCIA.

Vitreketren

With the setup of these cellphones to a BIOS or hardware solution of these products, wouldn't it be easier to conduct some form of sabotage and be able to have someone other than yourself be able to delete your data with these types of systems? A disgruntled IT personnel with control of these laptops set up could have all the data deleted on the way out. My question is: wouldn't this pose more of a security violation than a savior?
