I would second this. We know for a fact that the NSA uses BIOS malware. I don't believe we know for a fact that such malware is routinely installed by border guards, but it's not a very far-fetched worry at this point.

The technical expertise required to do so is very limited as long as you don't password-protect the BIOS: Basically, they only need to be able to plug in a USB stick and reconfigure the BIOS to boot from it.

In other words: If you leave your laptop outside of your physical control for even a few minutes, you may have to assume that it is totally compromised as long as you don't have a BIOS password.

If the laptop is outside of your control for a longer period of time, you probably have to assume that it has passed through the hands of somebody with sufficient technological know-how to work around the BIOS password as well.

Isn't BIOS passwords useless?

For non-soldered but socketed BIOSes I think one can just take chip out and put it into your wallet, possibly, covering some pins with some dissolvable insulating substance. For soldered SPI EEPROM chips with known pinout, I think one can reflash the chip afterwards.

BIOS passwords are not always useless, depending on model.

I had a Thinkpad T42 on which I managed to set a password for editing BIOS settings that I did not remember.

I the laptop into IBM for repairs to the monitor, and as part of their repairs they needed to get into the BIOS settings (I believe to run a diagnostic). Their solution was to replace the entire motherboard.

Well, guess it were hardware types, who performed the repairs, or they just didn't have necessary equipment (an AVR board like Arduino or PC with an old parallel "LPT" port will suffice, hardware-wise) at hand, so it was easier for them to solve it that way. :)

I was 99% positive the same could be achieved by messing with EEPROM. And, indeed, less than 10 minutes of searching yielded this unsurprising result: http://arduino.ada-language.com/recovering-ibm-thinkpad-t42-...

tl;dr: Nope, T42's BIOS password is not secure if you allow anyone with necessary hardware to touch the motherboard for a minute. TPM may (depending on the laptop model and firmware revision) prevent password recovery but will likely not prevent anyone from resetting them - at least this seems to be the case with Thinkpads. Next time I'll clean dust from my X300, maybe I'll remember this thread and check its EEPROM too. :)

So, do not rely on BIOS passwords as a strong security measure.

Do MacBooks have the option to password protect the BIOS?

Yes, you can set an EFI password on Macbooks: https://support.apple.com/kb/HT1352

Thanks. But it looks like the "Firmware Password Utility" is not available by default in OSX 10.9, and those instructions only describe how to get it for OSX 10.5 and below. Thoughts?

You have to boot into your recovery partition (Cmd+R on boot), then there's a menu option to set the firmware password, which will be active on the next reboot.

> Who is responsible then for paying for this damage?

Craigslist.

Or eBay, or Kijiji, or the Classified section of your local newspaper. Whatever lets you get rid of your possibly contaminated device while recouping at least part of the cost.

The difference between the price of the new device and the amount you can recoup by selling it secondhand, multiplied by the probability that your device will indeed be seized, should be considered an integral part of your budget for any international trip. It's just one of the many ways in which tyrannical governments increase friction in their citizens' daily lives.

Would you disclose that it is possibly tainted or are you ok with possibly screwing over the next owner of the device?

By the very fact of the device being pre-owned, it is inherently possibly tainted.

Like most people on craigslist would think of that.

That's why I never let my laptop out of my sight after I watch it be given live birth to by a laptop in the wild - I just don't trust some factory or government or my apartment.

Do you have a pamphlet?

I wonder if there isn't a fledgling niche business opportunity here for security-minded but not tech-saavy business travelers?

Rather than leaving it at home, a trusted third-party service could supply a image/reimaging service at popular travel endpoints.

A lot of risk in it I suppose.

> a trusted third-party service

That's a big problem.

Doesn't secure boot help with this? Unless you believe that the DHS has somehow convinced Intel (etc.) to break the TPM in some way that is quickly exploitable at the border and that nobody has noticed.

reimage it again when you get home?

edit: To those below: True. I thought about hardware after I posted; didn't even think about the BIOS thing but that's a great point.

Re-imaging your hard drive will not help with BIOS malware. Re-installing the BIOS yourself may help.

Your data should stay at home and a VPN connection to your home PC would be a good first step.

Is there a reliable backup utility for your BIOS? I've come across this, but don't know how to judge it's viability.

Hardware keylogger.

That autonomously phones home so they don't even have to borrow your laptop next time you fly in order to dump the data.