Thinkpad T450 hardware attack / TPM protection
Dear all,
This is my first post on the forum, so I would like to thank you for the hard work and nice information.
I am planning to purchase a Thinkpad T430 or T440 (with a preference for the T440).
I will be running GNU/Linux only, probably with a custom static kernel.
1) My first question is as regards hardware attack, especially firmware replacement.
How is Thinkpad protected against firmware replacement on hardware: keyboard, sound, hard drive, display, network, etc... ?
I am aware that UEFI secure boot should provide a minimal protection.
Can a low-privilege user run a firmware replacement tool and bypass the TPM?
In other words, is firmware protected by the TPM?
2) After purchasing a ThinkPad, can I query firmware versions to make sure these are "genuine" ?
Kind regards,
ThinkOfIt
Last edited by thinkofit on Sun Jan 08, 2017 8:15 am, edited 1 time in total.
Re: Thinkpad T430 / T440 hardware attack / TPM protection
Finally, I will probably buy a T450 as it is more recent.
How is firmware protected on the T450?
Thank you.
BillMorrow
- *Senior* Admin
- Posts: 7153
- Joined: Tue Apr 13, 2004 9:40 pm
- Location: San Francisco -> Florida -> Georgia
Re: Thinkpad T450 hardware attack / TPM protection
hello thinkofit.. 
good user name you chose..
and welcome to the forum..
i must admit that yours is the first i have ever heard of a firmware attack on ANY computer..
BUT it seems i have been hibernating too much..
so googling found THIS article in infoworld magazine:
http://www.infoworld.com/article/261811 ... tacks.html
it seems such things are possible but might have to be aimed at a particular bit of hardware rather than the general population of computers..
so, your inquiry is interesting and let's see what other forum members think about this issue..
Bill Morrow, kept by parrots
& cockatoos
Sysop - forum.thinkpads.com
*
She was not what you would call refined,
She was not what you would call unrefined,
She was the type of person who kept a parrot.
~~~Mark Twain~~~
RealBlackStuff
- Admin
- Posts: 17485
- Joined: Mon Sep 18, 2006 5:17 am
- Location: Mt. Cobb, PA USA
Re: Thinkpad T450 hardware attack / TPM protection
Intel's dirty tactics with VPro and ME are definitely an attack on/via hardware.
They allow access to your hardware from outside, even if it is switched off!
https://semiaccurate.com/2012/05/15/int ... nightmare/
https://hardware.slashdot.org/story/16/ ... t-audit-it
http://hackaday.com/2016/01/22/the-trou ... nt-engine/
Lovely day for a Guinness! (The Real Black Stuff)
Check out The Boardroom for Parts, Mods and Other Services.
Re: Thinkpad T450 hardware attack / TPM protection
Thanks for all this information that I was not aware of.
I am quite surprised that the vPro extension might be an embedded system able to take control of the computer.
If this is confirmed, large companies (ex : in Energy, Banking, Automation, etc ...) are not going to like it.
We have to admit that in our world nothing is really secret for governments.
A problem arises if Chinese and Russian governments have access to these technologies.
With an electronic microscope and proper software, you can probably disassemble the code and understand how it works.
There may come a time when China and Russia may be able to break in our computers (Western I mean) in the US, France, U.-K., Germany, etc ...
Well-played Intel. This is all a mess ...
Secure platforms probably require a very limited system, using simple boards or embedded platforms.
Everything else is NOT secure.
Re: Thinkpad T450 hardware attack / TPM protection
Security issues on newer Intel platforms are now widely known. Basically everything with ME (Management Engine), AMT (Advanced Management Technology) allows access to the computer when it is switched off. And it isn't the BIOS that allows that, but those features use embedded controllers with their own memory. The only way to have a "safe" computer (in that sense) is to remove the software from these controllers, also replacing the BIOS. There are a couple of projects that focus on security, Coreboot and its derivative - Libreboot. The latter has a rather uncompromising approach as it allows only 100% free software and system (approved by FSF - Free Software Foundation). You can probably run Debian or Ubuntu with it but you will definitely not run Windows or Mac OS. Also they have some specific requirements for WiFi cards - only those which don't require any proprietary software are accepted.
Coreboot gives more choice with software, although I don't know if you would run Windows or Mac OS with it either.
You can read more about Libreboot project here - https://libreboot.org/
Also on current threats on Intel platforms - https://libreboot.org/faq.html#intel
Be aware that AMD isn't a saint either - https://libreboot.org/faq.html#amd
If you are really afraid of these security issues you should stick with older Thinkpads - X60(s), X200, T60, T400, T500 - they are supported by Libreboot. A few newer models can also work under Coreboot - e.g. X220, X230, etc.
EDIT: Forgot to add. With Coreboot or Libreboot you get the boot loader installed into the EC (Embedded Controller) so you don't need to install one into the MBR. That allows you to have real full disk encryption, including the boot folder. This should prevent your computer from MBR-directed attacks (e.g. rootkits) and increase safety of data (especially when they are fragile).
Daily: T500
Previous: X40