Intel recently announced a new laptop processor with a “poison pill” feature that allows devices to be remotely terminated via SMS. How does the technology work, and should enterprises consider this as a cheaper and easier alternative to laptop encryption?
Features to remotely disable or wipe data from smartphones have become commonplace, but until now, disabling a lost or stolen laptop required it to be connected to the Internet first. However, Intel Corporation's 2010 Intel Core vPro processors, when combined with Intel Anti-Theft Technology, only require the laptop to check in with a 3G tower before it can be remotely disabled.
Intel's Anti-Theft Technology (AT) is built into the processor, so once it has been enabled it is active whenever the laptop is switched on, protecting data at the pre-boot level. This means it can stop the operating system from loading, and the security features continue to work even if the BIOS is overwritten or the CMOS battery is removed. AT can also block access to encrypted data on the drive even if the drive is moved to a different system, because it disables access to a master encryption key stored in the chipset.
The AT has to be enabled in the BIOS and activated through a service subscription from an Intel AT software and service provider. Enrollment is straightforward and involves obtaining a license key for each installation from the supplier and connecting to Intel's Capability Licensing Service. Once activated, if a user reports a missing laptop, an administrator can send an encrypted SMS text message to the laptop, which will disable the laptop as soon as it is powered on in range of a 3G tower. Although the SMS message is referred to as a “poison-pill,” administrators can in fact easily restore the laptop's state and data with a single-use recovery code. Locked laptops can also display contact and reward information to aid laptop recovery.
Hardware-based theft-detection mechanisms add a further layer of security by prompting the laptop to enter theft mode and lock down on its own. For example, the laptop can be set to disable itself after a set number of failed login attempts, or if it doesn't log on to the corporate network within a specified period, even if it hasn't been reported stolen. Policy options let you specify the detection mechanism and the threshold that triggers theft mode, as well as the actions to take.
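As an added illustration (not Intel's code or part of the original article), the following Python model captures the policy behaviour described above: the poison-pill trigger at boot, the failed-login and missed-check-in thresholds, the chipset-held key becoming unavailable in theft mode, and a single-use recovery code. The class names, thresholds, timestamp and recovery code are constructed assumptions.

```python
# Constructed model of the Anti-Theft policy described above; not Intel's code.
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2011, 9, 1)   # constructed "last seen on the corporate network" time

@dataclass
class ATPolicy:
    max_failed_logins: int = 5                       # local trigger threshold
    checkin_timeout: timedelta = timedelta(days=7)   # must reach corporate network within this

@dataclass
class Laptop:
    policy: ATPolicy
    last_checkin: datetime
    recovery_code: str                  # single-use code issued by the administrator
    failed_logins: int = 0
    locked: bool = False
    lock_reason: str = ""
    key_available: bool = True          # master encryption key held in the chipset

    def _lock(self, reason):
        # Theft mode: stop the OS from loading and disable access to the chipset key
        self.locked, self.lock_reason, self.key_available = True, reason, False
        return True

    def failed_login(self):
        self.failed_logins += 1
        if self.failed_logins >= self.policy.max_failed_logins:
            return self._lock("failed-login threshold")
        return False

    def evaluate_at_boot(self, now, poison_pill_received=False):
        """Pre-boot check: a poison-pill SMS or a missed check-in triggers theft mode."""
        if self.locked:
            return True
        if poison_pill_received:
            return self._lock("poison-pill SMS")
        if now - self.last_checkin > self.policy.checkin_timeout:
            return self._lock("missed corporate check-in")
        return False

    def recover(self, code):
        """A valid single-use recovery code restores state; a reused code is rejected."""
        if not self.locked or not code or code != self.recovery_code:
            return False
        self.locked, self.lock_reason, self.key_available = False, "", True
        self.recovery_code = ""          # burn the code so it cannot be replayed
        return True
```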
These features add much-needed protection for data stored on laptops, but they should be seen as additional layers of defense, not as an alternative to encryption. There will always be a time gap between a laptop being reported missing or stolen and activation of the remote wipe, and the laptop may be out of range of a 3G tower and unable to receive the SMS message. That said, storing the critical encryption key in the chipset rather than on the hard drive provides tamper resistance and greatly improves the overall security of key data, helping to mitigate the risks of lost and stolen laptops.
The legal and financial penalties for compromised data make this technology a serious consideration for any organization whose users have to carry sensitive data on their laptops. It even allows an organization to prevent access to data by a user who has legitimate access to the laptop, but comes under suspicion for some reason. Intel’s anti-theft technology website provides good insight into which laptops and services support the feature.
This was first published in September 2011