Gojomo

2002-12-17
The Trojan Laptop?

Criminal Cutting Edge
"Technological self-help" against criminals risks liability beyond a certain point. If you fear your laptop will be stolen, you might add a mechanism where it occasionally prompts for a valid password. It's probably alright in the eyes of the law to disable the laptop if the proper password is not given. It's definitely not alright for the laptop to explode, injuring the user.

But how about a more subtle countermeasure where the unauthorized user's activity is monitored, and perhaps exploited to recover the value of the laptop in cash? Crafty, but still illegal.

Now what if you are yourself a technically sophisticated criminal, and want to let "your" laptop be stolen, so as to steal a greater amount from whoever eventually possesses it -- whether that person is a laptop thief or merely the final recipient of stolen goods? You might try the following:

  1. Outfit a laptop with custom trojan software which spies on its user, collecting passwords, personal information, credit card and social security numbers, etc. Install this software in a manner which makes it likely to survive even a hard disk wipe and OS reinstall. (For example, put it in the BIOS or use HD boot-sector trickery.)
  2. Leave this laptop somewhere that a opportunistic thief will snatch it.
  3. Wait.
  4. When the trojan software has collected enough data, and furthermore detects an internet connection, have it post the harvested data -- in encrypted form -- to some public net forum. (This could be a website, USENET, whatever.)
  5. Collect the data.
  6. Use the data to steal from the laptop's current user.
Many laptops so planted would never report back, nor provide much in the way of exploitable info... but if only some did, it could repay the initial criminal investment. Trojan laptops.


Comments: Post a Comment