Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Could a Built-in Tracking Device in My Laptop Detect My Tor Browsing History?

The risks of malicious trackers.

Eye Spy
(Image: canva.com)
Malware can do anything, but malicious hardware can do even more.

Yes.

I’m assuming by “built-in tracking device” you mean that someone has actually added a hardware device of some sort to your laptop.

Such a device would share all the capabilities of malware and perhaps even more.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Malicious Trackers?

As a general rule, malicious software, or hardware, can do anything, at any time, as you use your computer. Malicious hardware, specifically, can evade detection and persist no matter what you do, until the hardware itself is removed. Running tools like Tor adds no value, as malicious hardware could potentially see every keystroke you type, everything displayed on your screen, and access any and all information kept on your computer, including your browsing history.

Malware can do anything

Once malware is on your machine, it can do anything. That’s one of the reasons prevention is so critical.

The addition of hardware to your machine is no different. Be it a physical keystroke logger or a device that monitors your CPU activity in some way, it has the exact same capability: it can do anything.

Chances are it could do more than traditional malware. I can envision a tracking device installed on your laptop that is relatively impervious to detection, for example. Anti-malware tools don’t look for rogue hardware, so it would be unlikely to be found.

Using Tor on your computer

Tor — The Onion Router — is a privacy and anonymization service that allows you to hide your internet activity in two ways:

  • The sites you visit have no idea who you are or where you come from (unless, of course, you explicitly tell them).
  • The path that data travels between your computer and that site is also impervious to detection, cementing your inability to be located.

What Tor doesn’t do, however, is hide your activity from your own computer. When you think about it, that makes no sense —  to use Tor at all implies using your computer to do so.

Can your ISP track you on Tor?

In general, no, your ISP cannot track you on Tor. It will see only that you are connecting to a node in the Tor network. Anything that happens across Tor is opaque and unseeable to anyone with the ability to snoop on your connection, including your ISP.

Traditional bypasses are ineffective

One of the traditional approaches to using Tor (or any privacy and security-centric solution), is to never assume that the installed operating system is trustworthy. Instead, one might boot from an optical disc that can’t be compromised, or a USB device you’re certain has not been. The result is to run a custom, perhaps single-purpose, operating environment.

For example, if you’re concerned about malware on your machine, you might boot from such a disk in order to perform online banking.

If you have malicious hardware installed on your machine, however, that approach is ineffective: the hardware is still there. It can continue to do — and monitor — anything.

It’s rare, but…

Now, you might think that someone actually going through the trouble to install malicious hardware on your laptop or desktop computer is highly unlikely.

And, unless you’re some kind of high-value target, it almost certainly is.

However…

This is one reason I’ll never use a shared computer (such as at an internet cafe or a library) for anything even remotely personal. One of the simplest devices to install would be a malicious keystroke logger. It would be virtually undetectable.

If you can’t trust the hardware, don’t use it

And that’s the bottom line: if for some reason you have cause not to trust the hardware, don’t use it. That’s the only pragmatic way to avoid the risk you seem to be concerned about.

Since this type of compromise requires physical access to your computer, the only step to prevent this from happening at all is to always and completely physically secure your machine when it’s not in your possession.

Assuming you think this is likely to happen to you, of course. Maybe you are a “high-value target” to someone after all.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

13 comments on “Could a Built-in Tracking Device in My Laptop Detect My Tor Browsing History?”

  1. Generally i would say no assuming the questioner is referring to Computrace or similar (“built in”) , it only monitors location for recovery purposes in the event of theft.

    Reply
    • The article isn’t saying that every tracking device contains a keylogger. It’s simply saying that it’s possible. and therefore, something to be aware of when using a company or someone else’s computer.

      Reply
  2. What does the malicious hardware read…the subject line..or email the contents..I often down load pdf books..200 – 500 pages long..on health and philosophical issues…thanks…are some browsers safer than others…

    Reply
    • Malicious hardware could read anything. There’s no way to know exactly what it does read if it’s present.

      Most mainstream browsers are pretty much equally secure. Extensions can reduce that security, so only install those that you trust.

      Reply
  3. The bottom line…

    “Computer Forensics” isn’t.

    What do I mean by that? Every person using a computer should know there is virtually nothing that cannot be spoofed/faked or placed on someones computer without their knowing consent for any number of reasons to include malicious purposes. This goes well beyond “Juniors Favorites” taking space on the neighbors computer. Today even more than in the past the most popular Operating Software treats our Computers and us more like “Short Bus Terminal” Riders than ever before (Ok everyone put on your “Bump Helmets”. The OS Proprietors feel free to install “updates” that the user literally has no control or any idea of the actual content contained therein. .Encryption programs and files which we have no idea of the password to access or content residing on your machine (a feature “not active” in your version (eyes roll as they should) . Updates ( have you every asked yourself where are these magical updates coming from?. Why is their not a master database where you can check the checksums and dates of those updates you receive before they are installed (still opaque of course). These are not the only means by which these files are uploaded/downloaded transferred to your machine…. remote management software is all the rage for Manufacturers of Machines, Video Card Manufacturers. Software you purchase many/most? feel they need such Remote Install Capabilities without your knowing consent or ability to verify the files/source as well (They magically appear and you sometimes can consent to the installation of some..LOL)… All are more than capable of installing any number of New Features and Files on anyone’s computer at any time.

    If the most “Expert” Experts were actually Experts they would shout from the roof tops and state clearly up front what ever they or anyone else “discovers” on any computer. From Files,bookmarks to Search Records is just what is there the day they looked and they would need more data than is available to even come anywhere close to demonstrating where and when and what was put where by whom. They would refuse to let themselves be used a props for Security Theater…. be it in the Courts or Business. Criminal or Civil.

    Don’t expect that to happen anytime soon .. but now you know.. and can inform your friends…

    Finally For the Record..

    Leo remains a most excellent and reasonable source for IT information even for “Experts” I have enjoyed the journey and Leo as one of my favorite Tour Guides for a long time. Many thanks

    Reply
  4. “This is one reason I’ll never use a shared computer (such as at an internet cafe or a library) for anything even remotely personal. One of the simplest devices to install would be a malicious keystroke logger. It would be virtually undetectable.”

    I guess that’s a reasonable warning but I would hope that computers in libraries, at least, would be locked down to prevent this. If you can’t physically access the case and ports are disabled, is there any other way a miscreant could install rogue hardware?

    Reply
    • The short answer is, you can never be sure. There’s no such thing as 100% perfect security. I’ll give an unrelated example of poor library security. I was checking my email and my time ran out and my session was automatically closed. I ask the guy at the desk if that logged me out of my email account. He said it didn’t so he let me back into the system so I could close my email session. If I hadn’t asked, the next user could have gotten into my email account. Libraries don’t always have the best security.

      Reply
  5. A well-known computer maker IBM had “malware” in their Lenovo computers built into the operating system. No customer knew about this when they purchased these computers. It was some computer geeks that found the “malware,” and they informed the “world” about it. So, we even have to be careful when purchasing new computers that are supposed to be “malware” free. I am not talking about all of the “bloatware” that all computer makers add to the machines. I feel that what IBM did was utterly disgusting and beyond the pale to their customers.

    So, Leo, since this has already happened with a major computer maker, how are we to know when they have put “malware”, on your brand new machine? I know that I was quite surprised when I read the news and am so glad that I have personally built many of my computers from scratch. When you do it yourself, you know what you are putting in though, in all honesty, any of the new components can be full of “malware” by the company putting in “malware,” for their reasons.

    Reply
    • Unless you wrote your BIOS from scratch even the computer you build yourself could still start with malware.

      How do we know the computer we just bought doesn’t have malware in it? We don’t. There’s risk in everything. While occasionally “reputable” companies make mistakes (intentionally or accidentally) that’s still the best way for most people to stack the deck in their favor.

      Reply
    • The basis of your story is true, but you presumption is wrong. IBM did not do that. Lenovo did. They are 2 different companies that just happen to have a business relationship. Many years ago, IBM got out of the laptop and PC business and sold it to Lenovo, making Lenovo one of the largest PC companies in the world. As part of the sale. IBM continued to provide warranty support on the machines, but IBM had nothing to do with the design or manufacturing of the machines. That was entirely Lenovo, which is controlled by the Communist Chinese government. Why so many US consumers continue to trust this company is beyond me. But IBM has never been accused or suspected of putting any malware in their machines.

      Reply
  6. Both Google and Amazon track every keystroke. Amazon and Alexis were in the national news last night.
    I do not like to be profiled, nor do I like “them” knowing everything I do.
    Our daughter sent us, years ago, a list of 200 websites that do Not profile. The one I use is DuckDuckGo.com.
    After only using it a few times, your computer will learn to send you there first. Just the way I roll. Good luck.
    Those of us who have programmed think of Windows and Google as Viruses.

    Reply
    • To be clear, Google and Amazon don’t track “every keystroke”. They may know what websites you’ve visited, and what you’ve clicked on, depending on those sites and your own personal security settings. It’s “Alexa” not “Alexis”. I have 4. They’re awesome. DuckDuckGo is great, but your computer doesn’t “learn” to send you there, you need to go there yourself, either by typing it into the browser address bar, setting a bookmark, setting it as your browser’s search engine, or perhaps setting it as your browser home page. It’s not something that will happen magically on its own.

      And finally, as a professional computer programmer and software engineer myself — for decades — I can assure you that not all of us consider Google and Windows as viruses.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.