Lenovo Service Disables Laptops With a Text Message

narramissic writes "Lenovo plans to announce on Tuesday a service that allows users to remotely disable a PC by sending a text message. A user can send the command from a specified cell phone number — each ThinkPad can be paired with up to 10 cell phones — to kill a PC. The software will be available free from Lenovo's Web site. It will also be available on certain ThinkPad notebooks equipped with mobile broadband starting in the first half of 2009. 'You steal my PC and ... if I can deliver a signal to that PC that turns it off, hey, I'm good now,' said Stacy Cannady, product manager of security at Lenovo. 'The limitation here is that you have to have a WAN card in the PC and you must be paying a data plan for it,' Cannady added."

Frist psot?

[h4x354x0r (1367733)]

From a stolen lapt

Interesting

[by Anonymous Coward]

Pretty interesting security feature but not if your buddies get a hold of your cell phone.

Re:

[sgbett (739519)]

I think you need to find different friends

Re:

[Abstrackt (609015)]

I think you need to find different friends

I think almost everyone has an asshole "friend" that would pull a stunt like that.

Re:Interesting

[AmigaMMC (1103025)]

>I think almost everyone has an asshole "friend" that would pull a stunt like that.

I think you stopped being my friend a long time ago. :-p

Re:Interesting

[chrb (1083577)]

Hardly. You can regain access to the laptop just by typing in a recovery password.

Re:Interesting

[LandDolphin (1202876)]

IF the person who stole your laptop knows their way around a computer, sure. But the average person still is barely capable of navigating MySpace. If they press the power button, and it does not log on, it is going to be useless to them.

Re:

[kill -9 $$ (131324)]

And then like any good thief they'll go and throw out or use your laptop for target practice. I think laptop LoJack for Laptop would probably be a better service if they're going through the trouble of putting a WAN card in and what not.

They must have something like that already, right?

Re:Interesting

[SanityInAnarchy (655584)]

Acid?

Real Men use Thermite [hackaday.com].

Bonus: If the thief is holding it in their lap at the time, they have been REMOVED from the gene pool.

Re:

[smellsofbikes (890263)]

I saw that when hackaday originally wrote it up and was curiously intrigued, let's put it that way. Their setup seems to be lit off by hand rather than remotely. (It just says they used sparklers to light it.) It'd be nice if it were A: automated, so it could be triggered by a remote alarm system, and B: pretty foolproof. Were I to do this, one thing I'd consider is using an external hard drive, or at least a bank of relays on the power to the system, that cut out when the thermite dumps, so you wouldn'

Re:

[feronti (413011)]

An Estes igniter probably couldn't do it unless you dipped it in extra pyrogen. A Daveyfire electric match, on the other hand would probably be able to do it, though... they're used to ignite AP composite motors in high power rockets. Or, you could use the exhaust from a small (say a D or an E) AP motor... it has the benefit of lasting a lot longer than the match would, and doesn't need a LEP to get a hold of (Daveyfires are also used to ignite pyrotechnic displays, and other low-explosives, so IIRC, you ne

Re:Interesting

[theaveng (1243528)]

Even if they don't, this gives a false sense of security.

"if I can deliver a signal to that PC that turns it off, hey, I'm good now." Um, no, you're not. The thief can remove the hard drive and connect it to another PC to read its content.

Re:Interesting

[RMH101 (636144)]

Not if you're using the built-in hardware encryption, it can't.
And IBM are not going to give anyone a recovery password without proof of ownership.

Re:

[efuzed (540985)]

Not IBM; Lenovo, and will the Chinese government be able to now stop noisy bloggers better?

Re:

[poot_rootbeer (188613)]

IBM are not going to give anyone a recovery password without proof of ownership.

And even if they did, it wouldn't do the thief much good, as these laptops are sold and supported by Lenovo, not IBM.

Re:

[redxxx (1194349)]

This is not about data protection. It is about making the device unusable. Just like you can block your phone when it is stolen.

It will not stop thiefs of stealing your device. It will not protect your data. As far as I read it does not even claim to do that.

So, all the talk about how this forces the drive encryption to activate by requiring a shutdown rather than a suspend/hibernate wasn't about protecting data?

from TFA:

Since hard disk drive encryption will not work properly if the PC is running or in hibernation mode, this disable feature ensures that the data is secure by shutting the machine down and allowing the hard disk drive encryption to work. If and when the ThinkPad laptop is recovered, the user can restore the notebook, its settings and the data contained on the PC by entering a password.

So, there is nothing about protecting the data? Carry on.

Useless

[mentaldingo (967181)]

Things a thief can still do:

• Jammers
• Reflash the BIOS
• Remove the GSM chip
• Or if they're after your data, open it up and take out the HDD

Honestly, this is completely useless against even a moderately sophisticated thief.

Re:

[sgbett (739519)]

Depends what you mean by useless.

Having been in this position, the thing that bother me is not the material loss of the laptop (though It would be nice to know they stole junk) but the data contained on it. So long as your drive is encrypted, then this thing is a bonus

Re:

[digitalchinky (650880)]

While it may be some comfort that ones encrypted data gets to stay secret, and this might be enough for many, I'm on the side of the fence where I'd want to tasar the theif, in the neck, in the guts, in the arm pits, in the groin, in the mouth, and so on and so forth. Even if it is just a crappy old work laptop.

Maybe there's some way to rig it up so that the phone call can activate a bit of a hot power button, push it and it triggers the zapping goodness.

Re:Useless

[billcopc (196330)]

Just use a Sony battery. It will explode in their lap, sooner or later!

Re:Useless

[chrb (1083577)]

The vast majority of thieves aren't even going to realise that this service is enabled. They certainly won't be deploying GPS jammers or reflashing the BIOS or opening the laptop up. And TFA article mentions that the whole point is to protect data by allowing users to shutdown access to an encrypted HDD that might still be open.

Re:Useless

[Lumpy (12016)]

Thieves typically dont have the IQ to do any of that. When I was robbed, we nailed the thief not only from the video cameras that he looked right at to give us a awesome face shot, but he stole my daughters cellphone. He left it on all the time reporting his position. The cops had his ass in less than 24 hours.

Honestly thieves barely know how to use a screwdriver outside of prying a door or window with it. You seriously think one would do the delicate task of opening a laptop or flashing the bios? That's plain old funny.

Re:Useless

[Thelasko (1196535)]

Thieves typically dont have the IQ to do any of that.

Remember, there are two kinds of thieves. There are amateurs and there are pros.

Amateurs are desperate people, usually because of an addiction of some sort, who steal whenever an opportunity presents itself. They see a car with an unlocked door, or an open window and they act. These people are the most common type of thieves, and will be caught with this technology.

Professionals steal things for a living. They are very calculated and know all of the security measures people use, and how to avoid them. This technology will not stop a professional. In fact, nothing will stop a professional. Professionals are why you buy insurance.

Fortunately, there aren't many professional thieves. When you think about it, it's very difficult to become a professional thief. This is because a pro cannot be desperate. They need to have time to study their target and come up with a plan of attack. This requires a person with a certain personality, that doesn't steal out of last resort, but steals for some other reason. There aren't many people like this in the world, and most of them are caught before they become very good at stealing.

My favorite piece of information about stopping thieves can be found here. [hulu.com] (Warning, link contains flash video)

Re:Useless

[Kent Recal (714863)]

Exactly. Smart thieves perform a thorough risk/reward calculation and a lot of planning before they go for target. They are near impossible to catch.

I, for one, regularly steal rolls of toilet paper from work.
I'll never get caught because I put a lot of forethought into each coup and perfectionized my strategy over years. I only lift one roll at a time so it doesn't get noticed and so I can at any time pretend to be just carrying it around because I need to "clean my desk or something". Plus, I always drop the roll into my bag while sitting at my desk and without looking down. Eyes must be focussed on screen, innocent facial expression - nobody would ever notice from a distance that I'm performing a felony under the table in just that moment!

Bare the occassional accident (when I miss the bag and have to crawl under the table to recover the loot) I think I can safely claim that the perfect crime is possible and I have mastered it.

Superficial?

[DigitalisAkujin (846133)]

How exactly are they disabling the laptop? It can't be something superficial but with the amount of time a program has to work it probably has to be superficial to work. Will a program have enough time to do anything more then clear the cmos or erase the drive mbr? Even if it's a hardware disable the whole thing becomes parts worthy and the data on the hard drive essentially remains in it's entirety.

Re:

[chrb (1083577)]

The shutdown is supposed to be utilised with hard disk encryption - the whole point is that your data is better protected. The disabling is carried out by the BIOS; presumably it checks the disable bit before booting the OS and allows the legal user to enter a recovery password.

of course

[WindBourne (631190)]

it would NEVER make sense to part out their new brick into say a cheap display, harddisk, dvd drive, ram, cpu, etc. on ebay.

To the guy who just stole my laptop...

[hyades1 (1149581)]

I've got a pretty good idea what that message would likely be. Or at least the general sentiments expressed (hopefully on the screen) right before its tiny heart goes pfft.

Hmmm

[TheSpoom (715771)]

My normal Slashdot cynicism wants to find a problem with this technology, but I can't so far, other than that a smart thief would just make sure to remove the WAN card and flash the BIOS (possibly with a new serial number or the remote disable, uh, disabled).

You win this time, Lenovo. *shakes fist*

Implementation?

[number17 (952777)]

The article is pretty slim on how this is actually going to work. Do I assume that I make the phone call once and Lenovo will constantly try to connect with it until it is successful? If not, how many times do I call it until I cut off my data plan?

I would like to be able to turn this off in the future when attempting to sell the laptop as well.

Re:Implementation?

[chrb (1083577)]

It looks like the disable is handled in the BIOS, so either the GPS hardware is capable of receiving SMS texts while the laptop is hibernating, or the text is received when the BIOS boots up. Either way, you just have to send one text - your cell network provider will store and forward it to the receiver, it's just a regular text.

Meh...

[Lurker2288 (995635)]

This would excite me more if I could send a remote command that would detonate a small brick of C4 in the laptop. Why disable the computer when you can disable the thief?

Re:Meh...

[couchslug (175151)]

"You could always mod your laptop to generate a spark when the kill signal is received. Then all you need to do is pack it with C4."

So much for being allowed to carry lappies on airliners, thank you very much! :)

Always assuming ...

[overshoot (39700)]

that the thief doesn't reimage the thing first off.

It's like the "LoJack for Laptops" that they'll sell you -- strictly part of the installed Microsoft setup.

Re:Always assuming ...

[RMingin (985478)]

Yes, it'll probably be as secure as the Lenovo BIOS supervisor passwords.

(Hint: Supervisor password? Get a paperclip. The data pin goes to ground, boot laptop. Enter bios. Remove paperclip, set [new] supervisor password. It overwrites the old one. Which chip to mess with and which pins are which I leave to you and Google. Shouldn't take long.)

Hmm

[saintm (142527)]

'You steal my PC and ... if I can deliver a signal to that PC that turns it off, hey, I'm good now,'

Apart from not having a laptop or your data anymore.

I'm not sure that can be described as being 'good'.

Wait, What?

[meist3r (1061628)]

So you're telling me there will be a GSM module in the laptop that is constantly connecting to my network to wait for such a kill signal? Like say, a tracing bug? I know it'll be a pain for the thief but what about me? What a craptacular idea. Having my laptop become my personal GSM tracking device. Where have I been? Wait lets ask my "anti theft"-device.

Re:

[by Anonymous Coward]

I am sure that if the government wanted to track you, they would use your cell phone which is on GSM/CDMA network nearly-100% of the time, or iPhone which has the added flexibility of GPS. If you are the type of person to care about you being tracked here or there, than don't purchase a Lenovo laptop with this feature.

However what all the tin-foil crowd seems to forget is one fact: No one cares about 99.999% of you to date you, much less follow your every movement. Especially a Chinese laptop manufacturer

Most criminals are stupid anyway

[hellion0 (1414989)]

This feature doesn't seem to be aimed at stopping blackhats or organized criminals, two of the more "intelligent" varieties. No, this thing is meant to royally screw Joe Crackhead.

The feature doesn't appear as if it's ever going to stop a sophisticated high-tech criminal, naturally. Nor does this seem the intent. Identity thieves and data miners don't even need possession of the laptop, so no good there. Even then, the new feature is easily defeated. Organized criminals tend to know what they're doing as well, and any safety measure can be defeated by competence and planning. Still, they're both rare enough.

No, this sounds perfect for the two-bit junkie, the most common of criminals. Brick the laptop, especially remotely, and suddenly it's worthless for him to offload for his fix.

Perfect.

[GWLlosa (800011)]

This is exactly what we need in terms of laptop security. To you nay-sayers out there spinning doom and gloom scenarios about friends pranking your laptop with text messages, I can only assume that there is some secret passcode that you must send as part of the text-message to disable the machine. In fact, it should be convoluted, and hard to remember. Fortunately, as the proud owner of a brand-new Lenovo laptop, you can keep information like that stored right on the laptop, which you take everywhere.

DIY

[wytcld (179112)]

How about setting up a simple script that periodically polls a remote site - say a web page under your control? If it can't reach it, or it reaches it and gets a default response, no action's taken. If on the other hand the page returns an innocuous looking kill code, a small program is run that disables the BIOS? On the server side, you'd be mailed the IP your stolen laptop connected from, which might give you some location info.

Even better

[horza (87255)]

Why not install Windows Vista, iTunes and the game Spore. That way you don't even need to send an SMS, just wait until code is activated progressively making the computer useless.

Phillip.

Devils advocate.

[cemaco (665884)]

Any time you provide a tool like this, it has the potentiall to be used against the owner as well, especially if someone else with access to the equipment understands the tool better than the owner does.

I can see several scenarios, some more plausible than others where another party might be inclined to use it to lock the owner out of access to his own data.

Yes if the other party has access to the machine, they can always cripple it by other means but the beauty of this is that it can be used even after that party apparently no longer has access.

Sprints doing something similar.

[SMS_Design (879582)]

Sprint offers a similar service with some of their WAN cards. The difference is that the Sprint card acts as a key to full-drive crypto. No card, no data. If the card is remotely disabled, no data. Really seems like a great way to lock down your laptops containing sensitive info.

Re:

[chrb (1083577)]

TFA says the disabling is handled in the BIOS - so it would be independent of the OS.

Re:

[NovaHorizon (1300173)]

and dismantling the entire laptop to reset the BIOS is actually FASTER than an OS reinstall..

Re:reinstall?

[chrb (1083577)]

It isn't quite that simple on a ThinkPad [sodoityourself.com] - the BIOS password is tied in to the TPM chip. And I really doubt your average thief is going to be building custom hardware and soldering it to the laptop mainboard...

Re:

[billcopc (196330)]

If you think Phoenix is that smart, well I have a bunch of bridges to sell you.

This isn't the first security gimmick they've deployed. They've had the internet version of this sort of thing for years now (Computrace / Lojack). It's a software client that runs in the taskbar, Windows-only, that triggers the BIOS kill bit.

I wouldn't be surprised if this "new" cell-based feature were just a new client app working with the same kill bit as the old ones. That makes it easier to develop and deploy, since it wo

Re:

[schnikies79 (788746)]

It's not meant to discourage theft, it's meant to protect your data.

If the HDD is encrypted, you can lock the thief out.

Re:

[zymurgyboy (532799)]

I think the best idea is to start tracking the laptop. Send out GPS coordinates, send out IP addresses, send out _fingerprints_, take screen shots, etc.

If it has a webcam, add mugshot. Compare the image on a local mugshot database, get some likely culprits and their last known address. Then maybe automate the search warrant, police report, and insurance claims process and you've got a real solution. Of course, the search warrant part is now optional, I believe.