[4099] in cryptography@c2.net mail archive
Points of attack for IBMs 'smart' laptop ID tags. (fwd)
daemon@ATHENA.MIT.EDU (Jay D. Dyson)
Fri Jan 29 16:19:32 1999
Date: Fri, 29 Jan 1999 13:04:35 -0800 (PST)
From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>
To: Cryptography List <cryptography@c2.net>
-----BEGIN PGP SIGNED MESSAGE-----
Courtesy of John Kozubik <john_kozubik@hotmail.com> via dc-stuff.
Interesting observations on the new IBM 'smart' ID tags.
- ---------- Forwarded message ----------
Date: Fri, 29 Jan 1999 10:30:29 PST
From: John Kozubik <john_kozubik@hotmail.com>
To: dc-stuff@dis.org
Subject: Points of attack for IBMs 'smart' laptop ID tags.
Here is the problem I see with the new IBM 'smart' ID tags for laptops:
I was at a conference a few months ago for investment bankers in the
security industry, and IBM did a nice dog and pony for us concerning the
asset tracking ID stuff ... pretty interesting, but I brought up some
questions that IBM did not really have an answer to.
1. The signal traveling from the threshold of the building that will turn
off wayward laptops on their way out of the building is _not_ encrypted,
therefore, if you intercept that signal and re-apply it elsewhere to
machines in the field, you now have the ability to apply a DoS attack to
these laptops in the field. The IBM representative verified that this is
indeed 'theoretically' possible.
2. There are 256 bytes of user-definable data in the laptop itself, which,
depending on the implementation of IBM's product you use, _can_ be
broadcast out from the laptop. The point of this is so that as the laptop
leaves the building, it can tell the threshold "hi, I am this laptop, I am
leaving now". This is all fine and good, but this data is not encrypted
either - which means that in potentially hostile situations (heads of
state, high powered execs who have a danger of being kidnapped for ransom,
etc.) the laptop is now sending out a "hey, over here, it's me!" message
to all who might be listening, in clear format (not encrypted).
These are two major drawbacks I saw to the system. #2 might be a little
nit-picky, but number one (DoS) is definitely a problem.
kozubik - John Kozubik - john_kozubik@hotmail.com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----