Ubuntu – How to secure the laptop so that hacking by physical access is not possible


I messed up my system earlier and was greeted with a black screen when booting into Ubuntu. When I started up my laptop, I selected the recovery option from the GRUB menu and chose fallback at root terminal. I saw that I was able to use the add user command; with it, I could probably create a privileged user on my machine.

Isn't that a security issue?

One could have stolen my laptop and at startup chosen recovery and added another user; I'm fudged then. Including my data.

Come to think of it, even if you somehow remove that entry, one could boot from a live CD, get a chroot up and running and then add another user with the right privileges that allow it to see all my data.

If I set the BIOS to boot at my HD only, no USB, CD/DVD, Network startup, and set a BIOS password, it still wouldn't matter, because you'd still have that grub recovery startup entry.

I am fairly certain that someone from China, Russia can't hack my Ubuntu Trusty Tahr, from the network, because it's secure like that. But, if one has physical access to my – your – machine, then, well, that's why I'm asking this question. How can I secure my machine so that hacking through physical access is not possible?

Bug Report:

Best Answer

My guess is that full disk encryption using a strong algorithm and, most important, a good password is the only thing that can secure your locally stored data. This gives you probably 99.99% security. Please refer to one of the many guides on how to do this.

Besides that, it is NOT possible to secure your machine from an experienced hacker with physical access.

  • User/account passwords:
    It's easy to create a new admin user if you boot into recovery mode, as you described yourself, because you get a root shell without being asked for passwords this way.
    That might look like an accidental security issue, but is intended for (who would have thought that?) recovery cases, where you e.g. lost your admin password or messed up the sudo command or other vital stuff.

  • root password:
    Ubuntu has not set any root user password by default. However, you can set one and will be asked for it if you boot in recovery mode. This seems pretty secure, but is still no ultimately secure solution. You can still add the kernel parameter single init=/bin/bash through GRUB before booting Ubuntu, which starts it in single user mode - which is in fact a root shell without password too.

  • Securing the GRUB menu with a password:
    You can secure your GRUB menu entries to be only accessible after authentication, i.e. you can deny booting the recovery mode without password. This also prevents manipulation of the kernel parameters. For more information, see the Grub2/Passwords site on help.ubuntu.com. This can only be bypassed if you boot from an external medium or connect the HDD to another machine directly.

  • Disable booting from external media in BIOS:
    You can set the boot order and usually exclude devices from boot in many current BIOS/UEFI versions. Those settings are not secured though, as everybody can enter the setup menu. You have to set a password here too, but...

  • BIOS passwords:
    You can usually bypass BIOS passwords as well. There are several methods:

    • Reset CMOS memory (where BIOS settings are stored) by opening the computer case and physically removing the CMOS battery or temporarily setting a "Clear CMOS" jumper.
    • Reset BIOS settings with a service key combination. Most motherboard manufacturers describe key combinations in their service manuals to reset messed up BIOS settings to default values, including the password. An example would be to hold ScreenUp while turning on the power, which, if I remember right, unlocked an Acer motherboard with AMI BIOS once for me after I messed up my overclocking settings.
    • Last but not least, there is a set of default BIOS passwords that seem to always work, independent of the real set password. I did not test it, but this site offers a list of them, categorized by manufacturer.
      Thanks to Rinzwind for this information and link!
  • Lock the computer case/deny physical access to the motherboard and hard disk:
    Even if everything else fails, a data thief can still open your laptop/computer, take the HDD out and connect it to his own computer. Mounting it and accessing all unencrypted files is a piece of cake from there on. You have to put it into a securely locked case where you can be sure nobody is able to open the computer. This however is impossible for laptops and difficult for desktops. Maybe you can think of owning an action-film-like self-destructing device that blows up some explosives inside if somebody tries to open it? ;-) But make sure you'll never have to open it yourself for maintenance then!

  • Full disk encryption:
    I know I advised this method as secure, but it also is not 100% safe if you lose your laptop while it is on. There is a so-called "cold boot attack" that allows the attacker to read the encryption keys from your RAM after resetting the running machine. This unloads the system, but does not flush the RAM contents if the time without power is short enough.
    Thanks to kos for his comment about this attack!
    I'm also going to quote his second comment here:

    This is an old video, but explains the concept well: "Lest We Remember: Cold Boot Attacks on Encryption Keys" on YouTube; if you have a BIOS password set, the attacker can still remove the CMOS battery while the laptop is still on to enable the custom crafted drive to boot without losing any crucial second; this is scarier nowadays due to SSDs, as a custom crafted SSD will probably be capable of dumping even 8GB in less than 1 minute, considering a write speed of ~150MB/s.

    Related, but still unanswered question on how to prevent Cold Boot Attacks: How do I enable Ubuntu (using full disk encryption) to call LUKSsupend before sleeping/suspending to RAM?

To conclude: Currently nothing really protects your laptop from getting used by someone with physical access and malicious intent. You can only fully encrypt all your data if you're paranoid enough to risk losing everything by forgetting your password or a crash. So encryption makes backups even more important than they already are. However, they should then be encrypted too and located in a very safe place.
Or just don't give your laptop away and hope you'll never lose it. ;-)

If you care less about your data but more about your hardware, you might want to buy and install a GPS sender into your case though, but that is only for the real paranoid people or federal agents.
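
The GRUB password, root password and disk encryption items from the answer above can be checked on an existing install with a read-only script like the following. This is an added example, not part of the original answer; the script name audit.sh and the default Ubuntu paths /boot/grub/grub.cfg, /etc/shadow and /etc/crypttab are assumptions, and a crypttab count is only a hint that encrypted volumes are configured.

```shell
#!/bin/sh
# Added example: read-only audit of the boot settings the answer lists.
# Each function takes the file to inspect, so it also works on copies.

# Print "none", "plaintext" or "pbkdf2" for the GRUB superuser password.
# GRUB enforces nothing unless "set superusers=" names at least one user.
grub_password_kind() {
    users=$(sed -n 's/^[[:space:]]*set[[:space:]]*superusers=//p' "$1" |
        tr -d "\"'" | tr ',;' '  ')
    kind=none
    for u in $users; do
        if grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$u[[:space:]]" "$1"; then
            kind=pbkdf2; break
        elif grep -Eq "^[[:space:]]*password[[:space:]]+$u[[:space:]]" "$1"; then
            kind=plaintext
        fi
    done
    echo "$kind"
}

# Count recovery-mode menu entries that boot without the GRUB password.
unrestricted_recovery_entries() {
    grep -E '^[[:space:]]*menuentry[[:space:]]' "$1" | grep -i 'recovery mode' |
        grep -c -e '--unrestricted' || :
}

# Print "missing", "empty", "locked" or "set" for root in a shadow-format file.
root_password_state() {
    grep -q '^root:' "$1" || { echo missing; return 0; }
    case $(sed -n 's/^root:\([^:]*\):.*/\1/p' "$1") in
        '') echo empty ;;
        '!'* | '*'*) echo locked ;;
        *) echo set ;;
    esac
}

# Count volumes listed in a crypttab file (comments and blank lines skipped).
crypttab_volumes() {
    grep -Evc '^[[:space:]]*(#|$)' "$1" || :
}

# Report on the live system when run as: sudo sh audit.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "GRUB password:       $(grub_password_kind /boot/grub/grub.cfg)"
    echo "Open recovery items: $(unrestricted_recovery_entries /boot/grub/grub.cfg)"
    echo "root password:       $(root_password_state /etc/shadow)"
    echo "crypttab volumes:    $(crypttab_volumes /etc/crypttab)"
fi
```

A "locked" root password together with a GRUB password of "none" is the default state the question describes, where recovery mode hands out a root shell without asking for anything.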