You bought a new PC or laptop, and you got it home. You plugged it in, switched on, and started enjoying Internet access, games, email, and a bit of social networking. Perhaps you played with the webcam and uploaded a clip to YouTube.
Perhaps your computer is running the most recent version of your operating system; perhaps it arrived pre-installed with anti-virus tools.
Sadly, none of this proves the most important fact: that your PC is secure.
Is Someone Intercepting Your Hardware?
The facts are clear. Your PC, smartphone, router, server or whatever lands in your home – either purchased from a store or by mail order or even directly from a warehouse – is pre-installed with an operating system or firmware, ready to be used.
But recent stories teach us that, in almost every case, there is software pre-installed on your device designed to intercept online transactions, listen in, or compromise your security in some other way.
Recently we’ve been warned of the Superfish malware that was preinstalled on Lenovo laptops (including the one I’m writing this on!), but the problem is greater than a few thousand ultrabooks. Government agencies are involved, and they’re looking at you.
Cisco Routers and the NSA
Back in May 2014 we learned through Glenn Greenwald’s book on the Edward Snowden affair that “NSA has been covertly implanting interception tools in US servers heading overseas”. This after claims from a House Intelligence Committee that Chinese companies such as ZTE and Huawei were installing backdoors in hardware and as such “may be violating United States laws.”
As reported by The Register, it is now possible to avoid having new Cisco routers intercepted by arranging shipping to an unrelated, possibly empty address. This, hopes the US networking manufacturer, will help retain confidence in US hardware that has been deeply tarnished – and possibly damaged beyond repair – by NSA activities.
At a Cisco press event, security chief John Stewart said:
“We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who ultimately it is going to.”
“When customers are truly worried … it causes other issues to make [interception] more difficult in that [agencies] don’t quite know where that router is going so it’s very hard to target – you’d have to target all of them. There is always going to be inherent risk.”
Stewart does concede, however, that the move – and other checks in their router mainboards and chip architecture for NSA taps – are not guarantees of protection. The NSA were revealed to be intercepting hardware en route to customers, installing their taps and then delivering to the intended recipient.
Now, you might think that this is fine; the NSA is surely protecting your rights. Except, of course, that by reading this very post you’re probably already on a watch list. Also, it has been recorded by Snowden/Greenwald that dissenters are targeted too, not just foreign powers.
Lenovo and the Superfish
Bloatware has always been a problem, but until the Superfish malware was found preinstalled on Lenovo laptops in 2014 and early 2015, it had not broken online security in order to hijack the adverts displayed on your computer, potentially facilitating a man-in-the-middle attack.
The fact that this happened at all (by a Chinese manufacturer, incidentally) is cause for concern, regardless of Lenovo’s apparent dithering when confronted with the truth. Previously bloatware was easy to remove, but as seen in the Superfish case, this isn’t enough. That piece of malicious software was impossible to remove with the usual Windows uninstaller tool.
The last thing you expect when you buy a new computer is for the manufacturer to be facilitating a breach in your security. After all, you just handed over a lot of cash to them!
Preinstalled Software on Your Smartphone or Tablet
It isn’t just desktop computers, routers and servers that are at risk from manufacturer interest in your activities. Android smartphones and tablets invariably ship with horrendous pieces of bloatware, many of which have been previously demonstrated to leak data (when they’re not slowing everything down).
If that wasn’t bad enough, we now know that Siri voice data is sent to third-party organizations using humans to assess the accuracy of the digital assistant’s responses, which isn’t exactly secure (although it would seem necessary in order for the service to be improved).
Fact: You Don’t Know if Your New PC is Secure
While Cisco (we expect others to join them) have established a means of blocking alphabet spy agency involvement in shipping hardware to customers, there is, I’m afraid, only one way to deal with preinstalled software, bloatware and malware that might be leaking your personal data, and that is by wiping the system before use.
For Windows users, this would mean installing a fresh copy of the operating system; restoring from the recovery partition is not really an option here as the same bloatware is likely to be restored. For better results and a more secure (and in some cases, stable) experience, the answer is to first perform a complete wipe of your HDD (or for the very security-conscious, install a brand new HDD) and then freshly install Windows or even a Linux distro, such as Linux Mint.
What steps do you take when switching on a new computer or smartphone for the first time? Are you concerned about NSA taps on your hardware? Tell us in the comments.