LoJack for laptops

With more data security breaches involving stolen mobile devices, it's time to seriously consider remote tracking technologies

I just love some of these security news stories. For example: Police in Bellevue, Washington have been fighting a large car theft crime spree. One of the tools in their arsenal is remote-controlled, life-sized cars, including a regular-looking Honda Civic with a few tricks up its sleeve. (The Honda Civic was the natural choice because it is one of the favorite targets of car thieves.)

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

Bellevue police simply park the dummy car on the side of the road in a location known to be frequented by car thieves and then wait. When a car thief steals the car, the vehicle sends a signal to police notifying them of the theft. It contains a GPS-tracking device so the police can locate the car and its new possessor.

When the police think the car, with its illegal occupant, is in a safe location, they send a satellite signal to remotely shut down the car’s engine. The even bigger surprise to the thief comes when the car doors are remotely locked and cannot be opened. The cornered and gift-wrapped perpetrator is so stunned that although they could easily break the window glass, they normally sit there astounded until the arresting police arrive to extricate them. It’s like LoJack on steroids. What a great idea.

And it’s an idea not lost on computer security vendors, although I don’t think I’ve read of a product that entraps computer thieves (laptop handcuffs, anyone?).

Many laptops, including my new Dell Latitude D820, come with a "dial-home" feature. My laptop includes Computrace Agent by Absolute Software, which is also available on many other major laptop brands, including HP, Gateway, Fujitsu, Lenovo, and Panasonic.

Enabled in the BIOS, the laptop's owner must enable the security feature and subscribe to a monitoring service; subscription fees range from a few dollars monthly to more than $100 for an annual contract. Absolute claims it recovers three out of every four service-covered laptops that were stolen. To back up its statement, it offers a $1,000 money-back guarantee with the Computrace Agent service if it doesn't recover a stolen laptop in 60 days.

With Computrace Agent, the laptop connects to the service whenever it connects to the Internet and every 15 minutes thereafter. The IP Address, MAC address, gateway address (and telephone number if detectable) are sent to the monitoring site, which researches the laptop's physical location, working with law enforcement agencies to obtain a legal search warrant compelling the source ISP to reveal the user's physical address.

Stolen laptops have already been recovered and the thieves arrested because of services like these. In real life, though, Lojack isn't a complete deterrent to wannabe criminals. Even if the car is equipped with Lojack and displays a Lojack sticker, the car thief knows that most owners won't notice the car missing for a few hours or more. The thief steals the car and then parks it a large, nearby public parking lot. He waits one or two days, and if the car is still there, comes back and takes it for good. Gotta slightly appreciate criminal adaptability....

In the case of the laptop tracking service, a knowledgeable thief could rewrite the BIOS to turn off the dial-home feature (because once enabled or disabled, you can't change its status), intercept the dial-home connection between the laptop and the Internet, or never connect the laptop to the Internet. But like Lojack, and nearly every home alarm system, the idea is to convince the thief to bypass your hardened target in favor of easier prey. Of course, to create that incentive in the laptop scenario, the owner would have to post a large sticker on the laptop saying, "Don't Steal This Laptop, It Notifies the Owner Of Its Physical Location" or something like that.

Other laptop-security offerings realize that the majority of the value is not in the stolen hardware, but in the data it contains. Many vendors offer remote data delete services; Absolute calls its service Data Delete, and Microsoft has a similar feature in Exchange Server 2003 Service Pack 2. Many tape backup and storage companies have these types of services as well, and there must be more than 100 similar products for PDAs, cell phones, and other mobile computers.

Essentially, remote data delete services place a piece of agent software on the device to protect either the entire storage medium or selected pieces of data. The deletion agent software is designed so that it dials home as well, and if given the appropriate signal, starts deleting (or encrypting) data.

Many of the products include a feature that allows the data owner to enable automatic data deletion if the mobile device hasn't contacted the remote management site in x number of days. However, that's one to be cautious with. You might get sick for three weeks or stuck on vacation during a hurricane and could end up with your data deleted. Fortunately, many remote delete agent programs have a local password override.

With nearly half of all data theft incidents now involving stolen mobile computer devices, expect services like these to become the norm in the next few years. I encourage readers to investigate similar products and vendor offerings. It's great peace of mind.