I wrote a post a couple of weeks ago called 7 security tips for travelling with your laptop. The seventh tip was “Don’t suspend”: in other words, when you’re finished doing what you’re doing, either turn your laptop off, or put it into “hibernate” mode. I thought it might be worth revisiting this piece of advice, partly to explain the difference between these different states, and partly to explain exactly why it’s a bad idea to use the suspend mode. A very bad idea indeed. In fact, I’d almost go as far as saying “don’t suspend your laptop”.
So, what are the three power modes usually available to us on a laptop? Let’s look at them one at a time. I’m going to assume that you have disk encryption enabled (the second of the seven tips in my earlier article), because you really, really should.
This is what you think it is: your laptop has powered down, and in order to start it up again, you’ve got to go through an entire boot process. Any applications that you had running before will need to be restarted, and won’t come back in the same state that they were before. If somebody has access to your laptop when you’re not there, then there’s not immediate way that they can get at your data, as it’s encrypted. See the conclusion for a couple of provisos, but powering down your laptop when you’re not using it is pretty safe, and the time taken to reboot a modern laptop with a decent operating system on it is usually pretty quick these days.
It’s worth noting that for some operating systems – Microsoft Windows, at least – when you tell your laptop to power down, it doesn’t. It actually performs a hibernate without telling you, in order to speed up the boot process. There are (I believe – as a proud open source user, I don’t run Windows, so I couldn’t say for sure) ways around this, but most of the time you probably don’t care: see below on why hibernate mode is pretty good for many requirements and use cases.
Confusingly, hibernate is sometimes referred to as “suspend to disk”. What actually happens when you hibernate your machine is that the contents of RAM (your working memory) are copied and saved to your hard disk. The machine is then powered down, leaving the state of the machine ready to be reloaded when you reboot. When you do this, the laptop notices that it was hibernated, looks for saved state, and loads it into RAM. Your session should come back pretty much as it was before – though if you’ve moved to a different wifi network or a session on a website has expired, for instance, your machine may have to do some clever bits and pieces in the background to make things as nice as possible as you resume working.
The key thing about hibernating your laptop is that while you’ve saved state to the hard drive, it’s encrypted, so anyone who manages to get at your laptop while you’re not there will have a hard time getting any data from it. You’ll need to unlock your hard drive before your session can be resumed, and given that your attacker won’t have your password, you’re good to go.
The key difference between suspend and the other two power modes we’ve examined above is that when you choose to suspend your laptop, it’s still powered on. The various components are put into low-power mode, and it should wake up pretty quickly when you need it, but, crucially, all of the applications that you were running beforehand are still running, and are still in RAM. I mentioned in my previous post that this increases the attack surface significantly, but there are some protections in place to improve the security of your laptop when it’s in suspend mode. Unluckily, they’re not always successful, as was demonstrated a few days ago by an attack described by the Register. Even if your laptop is not at risk from this particular attack, my advice just not to use suspend.
There are two usages of suspend that are difficult to manage. The first is when you have your machine set to suspend after a long period of inactivity. Typically, you’ll set the screen to lock after a certain period of time, and then the system will suspend. Normally, this is only set for when you’re on battery – in other words, when you’re not sat at your desk with the power plugged in. My advice would be to change this setting so that your laptop goes to hibernate instead. It’s a bit more time to boot it up, but if you’re leaving your laptop unused for a while, and it’s not plugged in, then it’s most likely that you’re travelling, and you need to be careful.
The second is when you get up and close the lid to move elsewhere. If you’re moving around within your office or home, then that’s probably OK, but for anything else, try training yourself to hibernate or power down your laptop instead.
There are two important provisos here.
The first I’ve already mentioned: if you don’t have disk encryption turned on, then someone with access to your laptop, even for a fairly short while, is likely to have quite an easy time getting at your data. It’s worth pointing out that you want full disk encryption turned on, and not just “home directory” encryption. That’s because if someone has access to your laptop for a while, they may well be able to make changes to the boot-up mechanism in such a way that they can wait until you log in and either collect your password for later use or have the data sent to them over the network. This is much less easy with full disk encryption.
The second is that there are definitely techniques available to use hardware and firmware attacks on your machine that may be successful even with full disk encryption. Some of these are easy to spot – don’t turn on your machine if there’s anything in the USB port that you don’t recognise – but others, where hardware may be attached or even soldered to the motherboard, or firmware changed, are very difficult to spot. We’re getting into some fairly sophisticated attacks here, and if you’re worried about them, then consider my first security tip “Don’t take a laptop”.
1 – some of them automatically, either as system processes (you rarely have to remember to have to turn networking back on, for instance), or as “start-up” applications which most operating systems will allow you to specify as auto-starting when you log in.
2 – this isn’t actually quite true for all applications: it might have been more accurate to say “unless they’re set up this way”. Some applications (web browsers are typical examples) will notice if they weren’t shut down “nicely”, and will attempt to get back into the state they were beforehand.
3 – you did enable disk encryption, right?
4 – assuming it’s there, and hasn’t been corrupted in some way, in which case the laptop will just run a normal boot sequence.
5 – and don’t just use random USB sticks from strangers or that you pick up in the carpark, but you knew that, right?