Search for military-installed backdoors on laptop

If the device left your sight for any amount of time, replace it. It can no longer be trusted.

The cost to assure it can still be trusted significantly exceeds the cost of getting a new one.


There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.

If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):

  • Weight distribution - Verify the precise weight of each component (ICs, PCB, etc.). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required. You'll need to be aware of the different tolerances each part has in order to know what is anomalous.

  • Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this, however, as integrated circuits can use extremely little power nowadays.

  • PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man-hours of intensive inspection of each square micrometer of the device. This is probably the easiest to do, although it still takes specialized equipment and skills.

  • IC inspection - Physically remove the various layers on integrated circuits ("decapping") and analyze the internal die. For anything much more complicated than an 8051 microcontroller, this will require significant expertise and is not possible without a high level of domain knowledge and a lab. But this would have to be done for everything from the main chipset to every CPLD on the board. Do you have a full-face respirator and a fume hood for all the acid you'll need to use?

Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop. Note that this is not intended to be practical advice, and it is not even close to complete even if it were. It's meant only to illustrate the near-impossibility of searching for sophisticated hardware implants.


I nuked it from orbit, but I just realised that it was in sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Is that something I need to worry about?

In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away their 0days by shooting them at any random nearby wireless devices.

Unfortunately, it is also theoretically possible that your modem has been compromised. If that is the case though, I think it'd be incredibly unlikely that it was done by your exploited laptop, as they could have just taken over your modem through your internet connection (TR-069 is a bitch), assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some silly worm.

I have double-checked the laptop physically and there is no sign of screw or plastic deformation. Is it still possible that they have compromised its hardware?

Absolutely. There are many ways to open a laptop without that fact being apparent. While many sophisticated chassis intrusion detection mechanisms exist (some that even detect small changes in air pressure that would indicate a person messing with it), there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this (and don't store the photo on the computer!). If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences. This is sufficient to detect tampering by most adversaries, if done right.

The term for this is tamper-evidence, which is any technique that makes it difficult to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. There are lots of epoxy potting solutions too (but beware of overheating!). Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively. But consider how likely it is that they really compromised it.
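
As an added example, not part of forest's answer or the original thread, here is one way the "compare it with the stored photo" step of the glitter seal could be automated. It assumes both photos are grayscale, taken from roughly the same position, and already loaded as 2-D lists of 0-255 pixel intensities (for real photos, something like Pillow's `.convert("L")` would produce that). The thresholds, the shift tolerance and the sample "images" are constructed for illustration; the check thresholds both photos into a set of bright specks, tries small translations so ordinary camera jitter is not flagged, and reports how much of the recorded flake layout survives.

```python
# Added example (not from the original thread): automating the comparison of
# a glitter nail-polish seal against its stored reference photo. Assumes both
# photos are grayscale 2-D lists of 0-255 intensities taken from roughly the
# same position. Thresholds and sample images below are constructed.

SPECK_THRESHOLD = 200   # intensity above which a pixel counts as a glitter flake
MAX_SHIFT = 2           # tolerated camera misalignment, in pixels
MIN_SCORE = 0.8         # below this the seal is reported as disturbed


def bright_mask(img, threshold=SPECK_THRESHOLD):
    """Set of (y, x) pixel coordinates bright enough to be a glitter flake."""
    return {(y, x) for y, row in enumerate(img)
            for x, v in enumerate(row) if v >= threshold}


def overlap_score(baseline, current, max_shift=MAX_SHIFT):
    """Best Jaccard similarity of the two speck patterns over small
    translations, so camera jitter alone does not read as tampering."""
    base, cur = bright_mask(baseline), bright_mask(current)
    if not base:
        raise ValueError("baseline photo shows no glitter; check exposure/threshold")
    best = 0.0
    for dy in range(-max_shift, max_shift + 1):
        for dx in range(-max_shift, max_shift + 1):
            moved = {(y + dy, x + dx) for y, x in base}
            union = moved | cur
            score = len(moved & cur) / len(union) if union else 0.0
            best = max(best, score)
    return best


def seal_intact(baseline, current, min_score=MIN_SCORE):
    """True if enough of the recorded glitter layout survives in the new photo."""
    return overlap_score(baseline, current) >= min_score


def render(specks, size=12, background=20, flake=255):
    """Build a constructed grayscale image with flakes at the given positions."""
    img = [[background] * size for _ in range(size)]
    for y, x in specks:
        img[y][x] = flake
    return img


# Constructed sample data (not real photographs).
BASELINE_SPECKS = [(2, 3), (2, 8), (5, 5), (7, 2), (7, 9), (9, 6), (10, 10), (4, 1)]
BASELINE = render(BASELINE_SPECKS)
# Same seal, camera nudged one pixel down and right: should pass.
JITTERED = render([(y + 1, x + 1) for y, x in BASELINE_SPECKS])
# Seal disturbed and re-applied; only two flakes land where they were: should fail.
TAMPERED = render([(2, 3), (2, 8), (1, 1), (6, 7), (8, 4), (11, 0), (3, 10), (9, 9)])

if __name__ == "__main__":
    for name, photo in (("jittered", JITTERED), ("tampered", TAMPERED)):
        print(f"{name}: score={overlap_score(BASELINE, photo):.2f} "
              f"intact={seal_intact(BASELINE, photo)}")
```

The shift search is what keeps the check usable in practice: a reference photo and a later photo are never pixel-aligned, so a strict pixel diff would flag every re-check. Keeping the reference photo (and this script's output) off the laptop itself matters as much as the comparison, for the reason given above.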


The main information we are lacking is your threat model.

Is it likely that the military targets you specifically, and would be willing to expend some resources on you? We don't need to know the details, but the answer changes depending on whether what happened is more or less standard procedure for your country, or you are being singled out.

And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.

If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions: complete OS reinstall, firmware flashing, and, if you want to go the extra mile, replacing components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.

The same is true for the active network connection. It is likely that your adversary used standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have one, etc.), you could be fine.

If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.

For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.

The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of either. If you are a high-profile target, you need to assume that the network has been compromised.

However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.


Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.

Searching for, tampering with, or removing the computer/monitoring devices might well be detected and seen as a criminal act. Also, completely destroying the laptop or pointedly not using it can be viewed with extreme suspicion.

All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.

Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.