[OLPC Security] Some anti-theft questions

Chris Ball cjb at laptop.org
Tue Jan 22 11:06:10 EST 2008


Hi Alexander,

   > Hello, I've read the Bitfrost specs on the wiki but still don't
   > quite understand two things. Here are my concerns:

I'm not on the security team, so please read my answers as my
understanding of Bitfrost rather than a direct elaboration.

   > <quote> In so doing, it is able to securely use NTP to set the
   > machine RTC to the current time, and then obtain a cryptographic
   > lease to keep running for some amount of time, e.g. 21 days.
   > </quote>

   > 1. Is there a way that a stolen laptop can be modified in such a
   > way that the cryptographic lease doesn't expire? (setting the RTC
   > backwards, if that's possible; is it? I don't really know.)

No.  Write access to the RTC will be protected by the firmware and
kernel (this code is not yet in place), and only a cryptographically
signed firmware and kernel can be loaded without a developer key
(this code is already in place).

   > <quote> After receiving the matching laptop batch, the school's
   > project handler will be tasked with giving a laptop to each child
   > at the school. When a child receives a laptop, it is still
   > disabled. The child must power on the laptop within wireless range
   > of the school's activation server. When this happens, the laptop
   > will securely communicate its (SN, UUID) tuple to the server, which
   > will return the activation code for the laptop in question,
   > provided the tuple is found in the activation list, or an error if
   > it isn't.  </quote>

   > 2. Is there some kind of control over the shipped laptops and
   > activation numbers to prevent fraudulent activities from school
   > administrators?

There is, but this is a much easier problem than fraudulent activities
from one of the groups of people in contact with the laptops between
them arriving at a port in the target country and getting to the school,
which is what activation is designed to protect against.  It's easy (as
you say later) to compare expected vs. actual laptops logging on through
the school on an ongoing basis.

   > e.g. A batch of 1000 laptops arrives at the school with the USB key
   > containing 1000 activation codes. All machines are activated (as
   > stated above) but only half of them go to children, the other half
   > goes to a reseller. If the machines stay hidden for some time the
   > cryptographic lease will expire and they will be disabled. But what
   > happens if they are sold right away and used by customers? (in
   > which case they will communicate to the servers and renew the
   > lease)

I think the part you're missing is that the leases will only continue to
be available from the school server that gave them out.  It's unlikely
that the laptops would be sold to an outsider, but would then continue
to remain within wireless range of the school server.

Also, note that the 1000 activation codes are keyed to the 1000
*specific* laptops that were sent to the school.  They only allow the
school administrators to unlock the laptops that are already theirs.

   > 3. Another version on the above: only the half of laptops are
   > activated and other half stays hidden instead of being activated?
   > Counting the number of machines phoning home vs. the amount of
   > shipped items can reveal such a fraud.

The launch team at the school would be helping with the activation,
so this sounds unlikely.  In any case, I presume we would report the
missing number of laptops to the government, who would investigate.

Thanks,

- Chris.
-- 
Chris Ball   <cjb at laptop.org>
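The two mechanisms discussed above (a time-limited lease that is bound to one laptop's (SN, UUID) tuple, and the reconciliation of shipped vs. activated machines) sketched as an added example; this is not OLPC or Bitfrost code, and it assumes a shared-key HMAC in place of the real signature scheme and a constructed list of serial numbers.

```python
import hmac
import hashlib
import json

# Constructed demo key; the real lease-issuing key lives on the school/activation server.
SERVER_KEY = b"constructed-demo-key"
DAY = 86400


def issue_lease(key, sn, uuid, issued_at, days):
    """Issue a lease for exactly one laptop, valid for `days` from issued_at."""
    body = {"sn": sn, "uuid": uuid, "expires": issued_at + days * DAY}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def check_lease(key, lease, sn, uuid, now):
    """Laptop-side check. Returns (ok, reason). `now` comes from the protected RTC."""
    payload = json.dumps(lease["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lease["tag"]):
        return False, "bad signature (lease was altered)"
    if lease["body"]["sn"] != sn or lease["body"]["uuid"] != uuid:
        return False, "lease keyed to a different laptop"
    if now >= lease["body"]["expires"]:
        return False, "lease expired"
    return True, "ok"


def missing_laptops(shipped, activated):
    """Server-side reconciliation: serials shipped to the school but never seen."""
    return sorted(set(shipped) - set(activated))


if __name__ == "__main__":
    t0 = 1_200_000_000  # constructed issue time
    lease = issue_lease(SERVER_KEY, "SN0001", "uuid-a", t0, 21)
    print(check_lease(SERVER_KEY, lease, "SN0001", "uuid-a", t0 + 5 * DAY))
    print(check_lease(SERVER_KEY, lease, "SN0001", "uuid-a", t0 + 22 * DAY))
    print(missing_laptops(["SN0001", "SN0002", "SN0003"], ["SN0001"]))
```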
