Privacy International has raised security concerns that innocuous PC chips and components including the keyboard, trackpad and monitor, could retain significant amounts of data even after the power has been switched off.
The privacy watchdog’s concerns stem from a “troubling and puzzling” incident which occurred when GCHQ entered The Guardian’s offices last year demanding that the paper either hand over or destroy classified documents lifted by Edward Snowden.
When The Guardian agreed to destroy the documents, the two officials sent to oversee the process were not interested in the hard drives, nor did they demand the wholesale destruction of key hardware, according to Privacy International technologist, Richard Tynan.
“During our investigation, we were surprised to learn that a few very specific components on devices, such as the keyboard, trackpad and monitor, were targeted along with apparently trivial chips on the main boards of laptops and desktops,” he continued.
“Initial consultation with members of the technology community supported our identification of the components and that the actions of GCHQ were worth analyzing further.”
The NGO said it examined all of the destroyed components and claimed that GCHQ had very deliberately targeted the keyboard encoder, which is responsible for “communicating over the USB and interpreting key presses on its various I/O pins”.
Also targeted was a serial flash chip fitted inside the trackpad of a MacBook Air and an “inverting converter” component in the same device.
Tynan said that “due to the generality of the component” it’s difficult to work out exactly what function the inverting converter has in the device, although it’s believed to be similar to the chip detailed here.
“By getting answers to these questions, we can get a glimpse into GCHQ's understanding of IT security threats, but also give individuals the information to better understand the devices they use everyday and how they can protect their personal information,” he added.
“For instance, people and organizations may need to re-evaluate how they dispose of their computing devices, given the very specific hardware components destroyed by GCHQ.”
Privacy International has contacted several PC and component manufacturers for more technical details in a bid to promote greater transparency.
Infosecurity Magazine has also reached out to HP and Apple for comment but did not hear back at the time of writing.