While “backdoors” in hardware sound like a good idea… you don’t know how hackers are using it to sabotage infrastructure or extort bitcoins of another country’s companies… see “backdoor in cisco router“. IT IS F**** DANGEROUS!
ESPECIALLY if it is enabled per default and ESPECIALLY if it automatically tries to connect to some command and control server center out in the internet.
while the hardware costs of a laptop maybe 300-1500€/USD – the data and VPN stuff on it might be way more valuable – because it could lead to your company being hacked – with downtime of your IT-infrastructure and thus way more costs.
so in order to stay save – why not…
- white list servers that are allowed to communicate with your company
- like: windows update server, antivirus update server…
- BLOCK ALL OTHER TRAFFIC
- is a tedious job, because to avoid DNS forgery you would have to manually administer a white list of IPs not of DNS names (who’s IPs could change over time)
- encrypt the harddisk with a good password per default
- DISABLE backdoor features per default in BIOS/UEFI (if possible… seems to be possible with lenovo t440)
- let the thieve have his hardware
PS: Juniper, Fortinet and Co.
“In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.”
This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.”
In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.” ” (src)
hardcoded password: is:
<<< %s(un='%s') = %u.
who did it?
“Shortly after Juniper posted the advisory, an employee of Fox-IT stated that they were able to identify the backdoor password in six hours.
A quick Shodan search identified approximately 26,000 internet-facing Netscreen devices with SSH open.
Given the severity of this issue, we decided to investigate.” (src)
Did the CEO know of this or not? Was it an secret NSA-spy-coder or a official NSA-request?
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Bob Worrall, the companies’ CIO wrote in a post. “Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.”
“Juniper released patches for the software yesterday and advised customers to install them immediately”
“‘This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire.'” (src)
But if the backdoor survives software upgrades and reboots…
“For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA’s Dual_EC_DRBG algorithm. At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it’s important to note that the attacker made no major code changes to the encryption mechanism — they only changed parameters. This means that the systems were potentially vulnerable to other parties, even beforehand. Worse, the nature of this vulnerability is particularly insidious and generally messed up.” (src)
In 2013, The New York Times reported that documents in their possession but never released to the public “appear to confirm” that the backdoor was real, and had been deliberately inserted by the NSA as part of its Bullrun decryption program” (src)
… this does not sound toooo good. CEO must have known about this and simply tries to save the reputation of the company.