How safe are employee laptops in China against International corporate espionage?

I recently took a business trip to China. Our IT department told me I could not take my normal machine, and instead gave me a loaner.

That may not have helped you at all. The reason I'm saying this is because you connected that laptop to the corporate network after you brought it back to your country.

This loaner had MS Outlook and was linked to my normal company e-mail account. I logged into the corporate network using the same VPN and token (Mobile Pass on my iPhone) that I would have used had I taken my normal machine. I should note that I did take my normal iPhone, not a loaner.

You shouldn't ever reconnect that computer to your corporate network. You need a clear separation of concerns.


International Corporate Espionage and You

Do you have a company that does important business in China? You may have been hacked on arrival. Unfortunately, since you also connected to the corporate email and other accounts, you may have had all of your email addresses and contacts exfil'd.

Why would they need that information? For phishing attacks, for information on clients, contacts, et al.

Unfortunately, most of the hotel internet services that I've encountered have had significant problems with their login portals, such as drive-by-download exploits in JavaScript, Flash, and Java. If you had any of those enabled, and your machine was vulnerable, then it's quite possible you're infected without realizing it.

I've personally come across hotel WiFi that "doesn't work," which requires "IT staff" in the hotels who will personally come in and set up your connection properties (IPv4, IPv6, DNS, et al) to connect through a malicious server. Sometimes they even try to download files on my laptop while "fixing" it.


Firmware attacks are possible

The primary difference from the normal machine seems to be that upon my return, the loaner would be reimaged, and presumably used as a loaner on the next trip someone took.

Unfortunately, this won't help against firmware-based attacks. It can be as simple as inserting a BadUSB device when you're away. Walk in, insert, wait for confirmation of flashed hardware, leave. If you're working for a government contractor, or have important company secrets to protect, I wouldn't even trust a re-imaged drive.

Full disk encryption doesn't protect you against flashed firmware, or even hidden device implants. They can simply turn on the laptop, insert a piece of media that contains malware, flash your BIOS without even touching the drive, and then install BIOS-based malware.


But firmware attacks aren't absolutely necessary

Did you leave the laptop alone in the hotel while you went shopping, or went to an important meeting? It may have been broken into physically while you weren't there.

One good way to defend against this is by ensuring that your hard drive was encrypted, and then shutting it off when you're gone. But this isn't perfect either; they can physically implant things in your laptop faster than you think. You could also try placing a few warranty-void seals on the laptop edges before visiting China. If they're broken, assume the hardware is compromised.

Again, keep in mind that full-disk encryption won't save you from hardware-based attacks. If they copied your hard drive contents and then installed a hardware-based keylogger, then they could retrieve your hard-drive contents easily.


What about my phone? Is it safe?

Since you mentioned your phone in your post, I thought I'd add this little tidbit. It's possible to replace your phone's charging equipment with a malicious doppelganger while you're gone, or even while you're asleep.

If you spend enough time in hotels, you may even run into hotel employees who actually enter your hotel room while you're asleep. Even if you've bolted the doors and locked them.


Should I connect to my normal corporate network while in China?

I was never asked not to place the loaner on the company network on my return, and I never tried, so I do not know if it would connect to the network or not. There were also no restrictions on moving files from the loaner onto my normal machine. I also used my normal logins on the loaner (user id, passwords, etc.).

I would suggest that your IT Security staff spends a bit more time learning about foreign attackers. Using your normal logins is pretty much a huge no-no in China, or in any other high-risk area.


Are there any security benefits of your laptop policy?

My question is: does this loaner laptop policy provide significant security benefit over taking the user's normal machine?

Nope. The reason is that you ended up connecting to your corporate network's VPN. I took a lot of disposable tech to China, and it ended up getting hacked every single time. I reformatted afterwards, and the infection persisted. Had I connected that to an important network where I had read/write access to critical things, I'd be in for a world of trouble.

If you want an Advanced Persistent Threat spreading everywhere, go for it. Personally, I want all the infections so I can reverse-engineer them! :-) However, considering your company likely has secrets to protect, I would not trust this laptop policy.

In fact, what you're describing - the way you used the computer - sounds like a goldmine to a skilled hacker, or even a script kiddie who can automate the attack. What would you do at this point if you considered your data breached? It could just be the early stages of a breach, getting the data ready for a phishing attack, or you might've had more important information available to potential attackers.


But what about the corporate VPN?

Keep in mind, as I've stated several times, if you connected to your company through the corporate VPN, and someone in China or elsewhere infected your machine, then anything you're allowed to do on that corporate network is also accessible to them. Are you allowed to create/read/write critical files and folders? So could they.

Again, whatever you're allowed to do on your corporate network, so can they if they control your computer. This could be done silently without you realizing it, even while you're on the system.


Industrial espionage is unfortunately very common in China.

There are cases where spyware was installed on computing devices (allegedly by hotel staff) and in some cases even hardware spying devices were put into notebooks.

Wiping every loaned notebook is a good way to get rid of any spyware. Some advisories suggest weighing any hardware before and after a business trip and investigating if it somehow gained a few grams. Your IT department might or might not do this when receiving a loaner.

However, this does not prevent any spying which happens during the business trip.


You should be provided with a laptop with no company information on it that isn't absolutely essential. Where possible, access to secure company internals should be prevented. Rather than your regular corporate email account, your company should provide you with a web-based email account which is not part of their normal internal system - Gmail, Outlook.com, etc.

Upon return to the company, the computer should be returned immediately to the IT department. A routine virus scan will not be of use here, because they would almost certainly be using custom-crafted exploits that aren't actively scanned for.

The company should erase the computer, REFLASH ALL FIRMWARE, and then reimage the computer.

For forensic purposes, performing a full SHA hash scan of the computer drives and firmware before and after the trip might provide useful information about what attacks took place.

Last but not least, make CERTAIN that whatever passwords you use on this trip are in no way similar to the passwords you normally use.
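The before-and-after hash baseline recommended in the last answer, as an added Python example that is not part of any post on this page. It assumes the drive contents and firmware have already been dumped to files under one directory (firmware via a vendor dump tool; the directory layout, file names and byte contents in `demo()` are constructed), and it reports which files were added, removed, or modified between the pre-trip and post-trip baselines.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB drive image never sits in memory


def sha256_file(path):
    """Hex SHA-256 of one file: a drive image, a firmware dump, or an ordinary file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(before, after):
    """Classify differences between the pre-trip and post-trip baselines."""
    common = set(before) & set(after)
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(p for p in common if before[p] != after[p])}


def demo():
    """Constructed example: a fake firmware dump changes, a document does not, a file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firmware").mkdir()
        (root / "docs").mkdir()
        (root / "firmware" / "bios.bin").write_bytes(b"\xff" * 4096)  # constructed dump
        (root / "docs" / "agenda.txt").write_text("meeting agenda")
        # The pre-trip baseline is serialised to JSON so it can be kept off the laptop.
        before = json.loads(json.dumps(build_baseline(root)))
        # Simulate a post-trip dump: one flipped byte in the firmware and one new executable.
        (root / "firmware" / "bios.bin").write_bytes(b"\xff" * 4095 + b"\x00")
        (root / "docs" / "unknown.exe").write_bytes(b"MZ")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The pre-trip JSON must be stored somewhere the laptop cannot reach, otherwise a compromised machine can rewrite its own baseline.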