Why it’s time to get physical with your computer

Physical security is often undervalued in the computer security world. In the absence of strong cryptography, you can pretty much bypass any computer security by grabbing the box and working on it "offline". Even cryptography doesn't remove the need for physical security completely, it just reduces the scope to the all important key material, which still has to be protected from physical attack (such as attacks mounted against pay-per-view smartcards for satellite TV).

It is also often assumed that it is easier to assess physical security measures than their electronic equivalents. This is hardly surprising, as we are all familiar with the reassuring "clunk" of a heavy-duty lock, whereas the intricacies of a firewall rulebase or an authentication protocol often appear as a black art.

Of course, in real life things are seldom so simple. Supposedly secure doors with expensive locks can be defeated by removing external hinges. High security car locks can be defeated by a quick twist of externally accessible cabling. Physical security should be subject to the same sort of regular assessment and "patching"as software security.

Unfortunately, it can be difficult to find companies with both physical and electronic penetration testing skills. Also, while proving a computer vulnerability might cause no lasting damage, demonstrating physical weaknesses often involves loud and expensive cracking noises.

Many users may protect their laptops from theft using one of the range of laptop cable locks, secured to the now ubiquitous "security slot" on the laptop. Recently, Marc Weber Tobias, author of the locksmithing bible Locks, Safes and Security, released an advisory on his website (www.security.org) showing just how easy it is to defeat many such devices, including the market leader, with simple tools such as a ballpoint pen, a toilet roll and a tie wrap.

Personally, I've always treated laptop cable locks as casual protection only, but it was still a surprise to see just how easily they could be removed and with such common tools.

So if you are relying on cable locks for any real security, think again. My recommendation would be to purchase an appropriate laptop safe and use that instead. Hopefully, we'll start to see physical security advisories such as those from Tobias becoming as commonplace as software vulnerability warnings. All we have to do then is ensure they get taken seriously.