
BIOS "Rootkit" Preloaded In 60% of New Laptops

kdawson posted more than 4 years ago | from the hijacking-lojack dept.

Security 236

Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."


Hmmm (4, Funny)

Anonymous Coward | more than 4 years ago | (#28897061)

P.C. Phone Home.

Are Sony Vaio's using this? (5, Insightful)

motherpusbucket (1487695) | more than 4 years ago | (#28897063)

Sounds like it's right up Sony's alley.

No, not Sony for once, here is a list (5, Informative)

leuk_he (194174) | more than 4 years ago | (#28897385)

From the Lojack compatibility list [absolute.com] here is a list of companies:

ASUS, Dell, Fujitsu, GammaTech, Gateway, GD Itronix, Getac, HP, Lenovo, Motion, Panasonic, Toshiba

You can find a list of models on the "bios compatibility list"

Something doesn't sound right, here. (5, Informative)

Khyber (864651) | more than 4 years ago | (#28898027)

They have every DV/TC-model of HP Laptop listed - I used to specifically work on all DV/TC/NC/NX models, I've NEVER ONCE seen this in BIOS during any of my repairs. NEVER. Also, this software was never listed in part of HP's troubleshooting guides, and that usually means that feature is not there.

I rebooted my laptop (DV9000, full featured loaded with every possible thing offered) and this 'rootkit' in BIOS is nowhere to be found, at all. Not on my friend's DV2000. Not on the new TC4400 I have in my art room.

Re:No, not Sony for once, here is a list (2, Funny)

dogfolife69 (1005455) | more than 4 years ago | (#28898029)

Yea, but Sony does sell the "Computrace LoJack for Laptops" for their notebooks in their Sony branded VIP Protection Suite (which includes Norton NIS, Online backup and Computrace LoJack for Laptops).... But I guess in this case, you can optionally choose this Sony RootKit.... lol

Re:Are Sony Vaio's using this? (1)

Like2Byte (542992) | more than 4 years ago | (#28898037)

Don't worry about Sony Vaios. I've owned 2; however, I've only purchased 1. The second is a warranty replacement after the first died (after 1 year of gentle use). The second died (like clockwork) every six months after and only lasted for two years (when the video board died - software rendering only (even MS-Word (aside from the normal pain) was painful!)). It has since been replaced by another LT.

So, bottom line - I don't imagine people owning Vaios long enough for them to be too problematic. They'll be in the shop being repaired every six months!

60%? Really? (2, Interesting)

doctor_nation (924358) | more than 4 years ago | (#28897069)

60% seems awfully high for a program I've never heard of. Not that I've been laptop shopping lately, but still.

Re:60%? Really? (5, Interesting)

cachimaster (127194) | more than 4 years ago | (#28897135)

I know it's hard to believe. When doing our research (I'm Alfredo, hi!) we couldn't find a notebook *without* the Computrace agent. It's bad.

Re:60%? Really? (5, Interesting)

_bug_ (112702) | more than 4 years ago | (#28897255)

Any way to tell if your laptop has this "feature"?

And is there any way to disable it?

Re:60%? Really? (2, Informative)

scout-247 (1127737) | more than 4 years ago | (#28897461)

You'll have to load your laptop into BIOS, it's one of the options listed. I set the option to completely disable it. That doesn't mean that someone could somehow modify code to turn it on, and report it to their site.

Re:60%? Really? (4, Insightful)

somecreepyoldguy (1255320) | more than 4 years ago | (#28897465)

Go into the BIOS setup; you can choose to activate the feature if you paid for the license, or deactivate a previously activated agent. Choosing disable removes the feature completely. It can NEVER come back. TFA is hype. If it is never enabled in the BIOS, NOTHING is installed on Windows.

Re:60%? Really? (5, Informative)

QuantumRiff (120817) | more than 4 years ago | (#28897727)

Disable only works if the product was never activated. If the BIOS is set to active, AND the client software on the machine contacts the servers for Computrace, and verifies it should be licensed, then it "flips a switch" in that BIOS setting, and you can NEVER disable it again.

They need to write to the software, or else the software will always try to contact them, and then anyone could track any laptop with a subpoena, ruining their business model. Instead, it has to be "turned on".

Also, this software in the BIOS does not actually contact anyone directly. All the BIOS level crap does is forcibly try to re-install the agent software under windows. This could get ugly, if you update the BIOS, to try to force it to install a different program every time someone reloads windows...

Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated...

Re:60%? Really? (1)

Peet42 (904274) | more than 4 years ago | (#28897769)

Are you saying that this is a BIOS-level process that only introduces a Windows vulnerability? So Linux users and Hackintoshers are safe?

Re:60%? Really? (1)

Lou57 (78812) | more than 4 years ago | (#28897285)

1. How can I determine if a laptop has this?
2. Are there any workarounds? Fixes? Can it/Should it be disabled?

Re:60%? Really? (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#28897611)

It is indeed hard to believe. As far as I've been able to tell, even in the laptops where it ships, it defaults to disabled. You must actively enable it in the BIOS for it to do anything at all. And it is certainly easily possible to get laptops without it - I just did from HP, two different ones.

Re:60%? Really? (1, Informative)

Anonymous Coward | more than 4 years ago | (#28897851)

When doing our research we couldn't find a notebook *without* the Computrace agent.

You didn't look very hard then, did you? Acer don't have CompuTrace [absolute.com] and finding one of their notebooks is hardly challenging. According to the most recent data [displaysearch.com] from NPD's DisplaySearch, Acer has the second largest unit-volume market share, with 16% of the global notebook shipments (excluding netbooks) to themselves.

Obviously you know that, because as the ZDNet article based on your presentation stated, fully 40% of all new notebooks don't include Computrace. With nearly half of notebooks not including the technology, it's obviously pretty darned easy to find a notebook without Computrace. Polemic statements like that still don't do your credibility any good, though.

Re:60%? Really? (1)

Tx (96709) | more than 4 years ago | (#28897171)

I was just thinking the same thing. Considering that the list of models [absolute.com] with this stuff in the BIOS doesn't include Acer, who ship more laptops than anyone else, or HP, or several other big players, I'm a bit sceptical of that figure. Still the list is quite extensive, I'm a bit surprised I haven't heard of this.

Re:60%? Really? (1)

Tx (96709) | more than 4 years ago | (#28897203)

Ok, so it does include HP. It's been a long day, and I go home in 3 minutes.

Re:60%? Really? (0)

Anonymous Coward | more than 4 years ago | (#28897263)

Just to let you know my position:

I have a Dell laptop and every laptop I have had for the last three years has had the Computrace option in the BIOS. It comes neither active nor deactivated; once you make a choice it's irreversible (the BIOS alerts you to it). Once activated, no matter if you rebuild the laptop it will reapply the 'Feature'. What is alarming is that the feature as of late is geolocation aware in some incarnations. I would like the option to have a BIOS patch remove the feature for good, as it appears that it may be compromised.

It also doesn't seem to be too hard to circumvent for the professional thief, who may just use Dell's service tools to change the asset tag.

It is time (2, Interesting)

2names (531755) | more than 4 years ago | (#28897071)

Can someone with some knowledge please explain to me why we can't build a machine with simple boot code that does not EVER need to be modified for the life of the hardware?

Re:It is time (4, Insightful)

betterunixthanunix (980855) | more than 4 years ago | (#28897125)

What if a bug is discovered in the boot code?

Re:It is time (1)

echucker (570962) | more than 4 years ago | (#28897645)

They should be able to email the owner who registered the original purchase.

Re:It is time (3, Funny)

Chris Mattern (191822) | more than 4 years ago | (#28898043)

That's nice. "Hello, customer. There's a fatal bug in your BIOS. Of course, there's not a damn thing you can do about it, since the BIOS on this model isn't changeable, but at least you know about it now."

Re:It is time (0, Troll)

Yvanhoe (564877) | more than 4 years ago | (#28897765)

Fire the guy. A BIOS does the same function on every computer and is a very simple program of a few K. Bugs in there are totally avoidable.

Re:It is time (0)

Anonymous Coward | more than 4 years ago | (#28897981)

No matter how simple your code is, it will never be perfect.

Re:It is time (0)

Anonymous Coward | more than 4 years ago | (#28897997)

Just by mentioning that writing a bug free bios is even remotely easy tells me that you haven't really thought about it.

The only times I have seen the word "bug free" is in theory (text book).

Even if you do have a bug free bios, you might want to add support for newer hardware.

Re:It is time (1, Informative)

Anonymous Coward | more than 4 years ago | (#28898147)

I take it you're not a BIOS developer? Because that answer is completely WRONG.

The BIOS controls the base hardware, and is different on different machines. SOME need LBA, some don't; some have higher/lower bus speeds than others. It changes frequently (not as frequently as an OS, but frequently) to support new hardware, such as faster RAM support, larger HD support, etc.

Non changing BIOS is not a reality. Period.

Re:It is time (1)

rattaroaz (1491445) | more than 4 years ago | (#28897983)

What if a bug is discovered in the boot code?

Recommend buy a new computer. The bug would be a feature, not a bug at all.

Re:It is time (4, Funny)

$RANDOMLUSER (804576) | more than 4 years ago | (#28897129)

Busg happen. Consider the /. "write once" paradigm.

Re:It is time (0, Redundant)

heritage727 (693099) | more than 4 years ago | (#28897205)

Busg happen.

See? Case in point.

Re:It is time (4, Funny)

$RANDOMLUSER (804576) | more than 4 years ago | (#28897353)

Woosh

Re:It is time (1)

motherpusbucket (1487695) | more than 4 years ago | (#28897147)

I'm still waiting for someone to market an OS in the BIOS.

Re:It is time (0)

Anonymous Coward | more than 4 years ago | (#28897307)

Hey dawg, I herd you liek OS so I put some OS in your BIOS .. buy it nao!

Re:It is time (3, Interesting)

DadLeopard (1290796) | more than 4 years ago | (#28897665)

Been there, had that, in the 80s! The Atari 1040ST had TOS (Tramiel Operating System) on EPROMs! Have yet to see a virus or rootkit that carried an EPROM eraser around with it, so as long as you booted up without media in the drives the machine was guaranteed clean! God I miss that machine!! GEM was sweet!

Re:It is time (1)

Sancho (17056) | more than 4 years ago | (#28897749)

They already do. High end motherboards can boot to a simple OS with basic features that let you browse the web, watch DVDs, use popular instant messaging services, and read e-mail. The boards often promote "from boot to web in 5 seconds!"

Re:It is time (0)

Anonymous Coward | more than 4 years ago | (#28897897)

In fact, it's already happened.

High-end ASUS motherboards come with the "Splashtop" Linux-based OS built into the BIOS. They aren't particularly feature-rich operating systems (boot, basic network capability, browser and Skype) but they exist. In my experience (yes, I bought one, I'm a sucker for gadgets) it isn't really worth it; ASUS advertises it as something you use to quickly log on to your computer to check your mail or browse a website, but in practice Splashtop took almost as long to load up as Windows XP.

I'm sure there are other examples of BIOS-OS as well.

Re:It is time (1)

Culture20 (968837) | more than 4 years ago | (#28897297)

Can someone with some knowledge please explain to me why we can't build a machine with simple boot code that does not EVER need to be modified for the life of the hardware?

Some big shops love sending out BIOS settings changes to their computers (a la Dell DCCU type programs), i.e. "on next boot only, PXE boot for a reimage". A read-only BIOS is easy, just like kiosk machines, but the money's in configurable multi-use systems.

Re:It is time (1)

prgrmr (568806) | more than 4 years ago | (#28897377)

They did. It was called the TI-99.

Re:It is time (1)

sottitron (923868) | more than 4 years ago | (#28897511)

Things are happening too fast and there are too many components out there for this. Imagine you did develop this technology. The next day or week or quarter Intel or AMD ships a new processor and the hardware you developed can't use it. So all the time and money you spent developing this *FINAL* boot code is now obsolete. If you did have customers, they will move on to some other platform that can use the 'latest and greatest', because that is what the end user eventually demands. And this isn't just in the high end. Just about everything Intel sells now - even on the low end - is from a 45nm process and requires a relatively new chipset to run it. It's why you can probably only find one new socket 478 motherboard on the market...

Re:It is time (2, Insightful)

darksabre (250838) | more than 4 years ago | (#28898165)

Because booting a PC is not simple. DRAM init is complicated. PCI init is complicated. Supporting suspend to RAM is complicated. etc etc.

From Mogwai to Gremlin (3, Funny)

CrimsonKnight13 (1388125) | more than 4 years ago | (#28897073)

LoJack swiftly changes to HiJack with a good splash of water

Re:From Mogwai to Gremlin (5, Funny)

trevorrowe (689310) | more than 4 years ago | (#28897141)

LoJack swiftly changes to HiJack with a good meal after midnight

There, fixed that for you. A splash of water would give you more laptops... if only ...

Re:From Mogwai to Gremlin (2, Funny)

TinBromide (921574) | more than 4 years ago | (#28897201)

LoJack swiftly changes to HiJack with a good meal after midnight

There, fixed that for you. A splash of water would give you more laptops... if only ...

Yeah, but they'd all run windows ME

Re:From Mogwai to Gremlin (1)

$RANDOMLUSER (804576) | more than 4 years ago | (#28897551)

Heh. Parent is "flamebait"; like the masses are going to rise up and hotly defend Windows ME.

Besides, Windows ME was more like Aliens than Gremlins.

Re:From Mogwai to Gremlin (1)

CrimsonKnight13 (1388125) | more than 4 years ago | (#28897229)

Thanks. I knew I got something "fuzzy" about it all...

Re:From Mogwai to Gremlin (0)

Anonymous Coward | more than 4 years ago | (#28897389)

A splash of water would give you more laptops... if only ...

Indeed... the only time I ever tried that, I wound up with fewer laptops. Fewer working ones, anyway.

Problem solved (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#28897081)

I use a Macbook.

You 'solve' problems by creating worse problems? (0)

Anonymous Coward | more than 4 years ago | (#28897117)

Macbooks will give you teh gay, which I guess is not a problem if you already smoke teh cock.

Re:Problem solved (1)

Robin47 (1379745) | more than 4 years ago | (#28897187)

I use a Macbook.

Really? My Macbook has it installed. Not that worried yet.

Re:Problem solved (3, Informative)

alen (225700) | more than 4 years ago | (#28897239)

http://store.lojackforlaptops.com/store/absolute/DisplayProductDetailsPage/productID.104509100 [lojackforlaptops.com]

Congrats, there is a Mac version available as well. PC's and Mac's are all the same parts made by the same slaves chained together. there is a few companies in the world that make a basic computer and then Dell, HP, Apple and others add a few things and brand it for themselves.

Re:Problem solved (1)

Alrescha (50745) | more than 4 years ago | (#28897703)

"Congrats, there is a Mac version available as well."

The Mac version appears to be software install only, not the BIOS-resident version. Apple is not listed as a partner on the web site.

A.

Re:Problem solved (1)

sexconker (1179573) | more than 4 years ago | (#28898073)

EFI
Learn to macfag

Re:Problem solved (0)

Anonymous Coward | more than 4 years ago | (#28897977)

PC's and Mac's

The apostrophe is not used for pluralization. You meant "PCs and Macs."

together. there

You are missing capitalization on the first letter of a new sentence.

there is a few companies

Since "companies" is plural, you need to say "there are a few companies."

Re:Problem solved (4, Insightful)

oahazmatt (868057) | more than 4 years ago | (#28897271)

I use a Macbook.

As do I, but that does not mean that I have any delusions as it relates to security.

There is quite a bit of exploitable code available that, if properly engineered, can do quite a bit of damage to an Apple computer. Simply because there is no Mac version of the "Melissa" virus does not mean that as a Mac user I should assume that there will never be one.

And let's not forget the iLife torrent that had something special added to it. There are plenty of individuals attempting to prove to the general public that a Mac is no more secure than its Windows counterpart, and it will be not a false sense of security, but a lack of personal responsibility, that will assist in that.

Opinion, obviously. Results may vary.

Re:Problem solved (1)

schmidt349 (690948) | more than 4 years ago | (#28898149)

Anyone who thinks that the Darwin-BSD codebase and XNU kernel are as prone to exploitation as Windows kernelspace is dreaming. For one thing Darwin-XNU is open source, so anyone who likes can peek under the hood and suggest improvements. Now XNU isn't perfect, but the Windows kernel is a train wreck at 35,000 feet.

The problem is that Mac users think their computers are invulnerable to exploits and then don't practice safe hex. But if you think your Windows box is just as safe as your Mac box you're going to get a nasty wakeup call at some point in the near future.

Re:Problem solved (3, Insightful)

clone53421 (1310749) | more than 4 years ago | (#28897341)

We're talking about a BIOS rootkit. The BIOS runs directly on the hardware. It doesn't really care what OS you're loading, unless it has some specific reason to.

Re:Problem solved (1)

aristotle-dude (626586) | more than 4 years ago | (#28897525)

We're talking about a BIOS rootkit. The BIOS runs directly on the hardware. It doesn't really care what OS you're loading, unless it has some specific reason to.

Uh, yeah, we are talking about a BIOS feature that some companies choose to install. Macs do not come with a BIOS but rather use EFI. Have you heard of Google?

Apple would have to deliberately include an EFI compatible version of this feature in order for this to be applicable.

Re:Problem solved (2, Interesting)

clone53421 (1310749) | more than 4 years ago | (#28897577)

So? EFI = not-so-basic basic input/output system.

There's a mac version of LoJack. Whether or not it is installed on a Macbook would depend on whether Apple chose to preload it, I suppose. A hackintosh, OTOH, might be more likely to have it.

Re:Problem solved (1)

BitZtream (692029) | more than 4 years ago | (#28897601)

It's even easier to add this feature to EFI than it is to BIOS, since EFI was designed to be Extensible.

Re:Problem solved (0)

Anonymous Coward | more than 4 years ago | (#28897663)

Flame bait, I just call it attracting the "homosexual Mac crowd"

Obligatory (0)

Anonymous Coward | more than 4 years ago | (#28898123)

Successful Slashdot troll is, err, successful.

It's almost time to upgrade anyways. (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#28897085)

Seriously, why did I get a Gateway in the first place?

Not a "rootkit" when I want it (4, Insightful)

Anonymous Coward | more than 4 years ago | (#28897095)

Just like SPTD is not a rootkit when it hides my emulated dvd from copy protection software.

This is a popular piece of software that happens to have a potentially serious bug that the vendors and users should be demanding be fixed, but it doesn't make it a rootkit.

OFFS.... (1)

Em Emalb (452530) | more than 4 years ago | (#28897137)

C'mon, it's a rootkit BY DESIGN, so it can't be wiped off the laptop easily.

Sheesh.

Someone should do a car analogy for this...

Re:OFFS.... (1)

Culture20 (968837) | more than 4 years ago | (#28897375)

Someone should do a car analogy for this...

If only there were a "Computrace lojack for laptops" for cars.

Re:OFFS.... (0)

Anonymous Coward | more than 4 years ago | (#28897397)

This is like an OnStar system that can not be removed from your car, has the ability to call home, and has the ability to disrupt the functionality of the car.

Re:OFFS.... (1)

Sancho (17056) | more than 4 years ago | (#28897811)

Exactly. The problem, of course, is that someone found a vulnerability for it. Now this thing that's running at higher privileges than your OS can be subverted. And you can't remove it. By design.

Name change (0)

Anonymous Coward | more than 4 years ago | (#28897197)

Recommending changing name to MIOS.

Malicious Input Output System.

persistent code that survive reboots (1)

viralMeme (1461143) | more than 4 years ago | (#28897215)

"the duo demonstrate methods for infecting the BIOS with persistent code that survive reboots and reflashing attempts"

Where exactly is the code stored, that survives reboots?

Re:persistent code that survive reboots (2, Informative)

Daniel_Staal (609844) | more than 4 years ago | (#28897265)

With the rest of the BIOS code, in the special flash-pram on the motherboard designed especially to store just that code.

Re:persistent code that survive reboots (1)

John Hasler (414242) | more than 4 years ago | (#28897395)

Which should be protected from writing by a jumper or switch.

Re:persistent code that survive reboots (1)

sexconker (1179573) | more than 4 years ago | (#28898163)

Wrong.
That shit can only be removed by a hardware flasher or a hammer.

Computrace is saved in an area that is never allowed to be overwritten.

Re:persistent code that survive reboots (2, Informative)

value_added (719364) | more than 4 years ago | (#28897649)

Where exactly is the code stored, that survives reboots?

Start here [howstuffworks.com] . For more info, you can read the Wiki article [wikipedia.org] .

Alternatively, try opening your computer and actually looking at what's inside. ;-)

Okay.. maybe I'm missing something (1)

Broken scope (973885) | more than 4 years ago | (#28897247)

Don't people specifically BUY LoJack for Laptops, or does it come pre-installed and you pay to activate it?

It clearly has bugs, but I thought the hard/impossible to remove was considered a feature of the software?

Re:Okay.. maybe I'm missing something (1)

tlhIngan (30335) | more than 4 years ago | (#28897339)

Don't people specifically BUY LoJack for Laptops, or does it come pre-installed and you pay to activate it?

It clearly has bugs, but I thought the hard/impossible to remove was considered a feature of the software?

You can buy it, but you can also get it pre-installed. Dell offers it as part of the extended warranty in Canada for their laptops. I presume other manufacturers have similar things going, where either you get service "prepaid" or discounted service rates.

The reason for the BIOS part is that if you reinstall Windows, LoJack automatically reinstalls itself. Not too sure how it does it, but the BIOS does something to put it back on the hard disk...

Re:Okay.. maybe I'm missing something (1)

SkimTony (245337) | more than 4 years ago | (#28897485)

With most Dell notebooks, it's part of the BIOS, and there's a screen to activate it. It saves a lot of time when you have to use it on 200 corporate laptops. It also saves compatibility headaches, since CompuTrace works with the vendors (initial versions had to be verified to work with specific BIOS versions on specific vendors and models, and you'd install it and it'd flash itself into the BIOS).

Re:Okay.. maybe I'm missing something (1)

Broken scope (973885) | more than 4 years ago | (#28897643)

Huh, I've always had to install it at work. Then again I'm not sure of the specifics of installing it on our dells. We use lite touch to deploy it along with a ton of other stuff.

Great, why don't we just give them our laptops! (1)

Algorithmn (1601909) | more than 4 years ago | (#28897295)

So, the idea was to load "sleeper" software by default on all these machines? Is the URL associated with this "service" always at the same memory location? It shouldn't be that hard for a Malware author to check for this BIOS and try to change the address. Who feels like being monitored by criminals? 10% off sale price?

Signature (5, Insightful)

Spazmania (174582) | more than 4 years ago | (#28897313)

The pair recommended a digital signature scheme to authenticate the call-home process.

How's that going to help? If you can replace the IP address then you can replace the certificate and signature too. If you have access to modify the BIOS flash, it's game over.

Re:Signature (0)

Anonymous Coward | more than 4 years ago | (#28897519)

You weren't paying attention. The "call-home" is where the security issue is. They won't be able to replace the cert and sig without first pretending to be the "home".

Re:Signature (1)

scubamage (727538) | more than 4 years ago | (#28897733)

Except it's not able to be overwritten by a BIOS flash. It's stored elsewhere. While it would be possible to flash the RAM where it IS stored, the people who have the skill to do so are hardly likely to be the ones stealing laptops to make money. If it's stolen by a foreign government, it's fooked anyways.

Re:Signature (1)

Yvanhoe (564877) | more than 4 years ago | (#28897805)

The only reasonable thing to do seems to get rid of this piece of software. Are the free open source BIOSes reliable now ?

Re:Signature (1)

DigitalCrackPipe (626884) | more than 4 years ago | (#28898173)

Note that you DON'T have easy access to modify all of the BIOS, that's the point of this. Even after flashing the bios, the rootkit remains. It's just the configuration info that is left wide open.

The concept here is to update the first-install version of the rootkit to be more robust against IP address changes, and to be more secure about the way updates are accepted. So, even if the IP address is spoofed or somehow updated, the download could be verified. Allowing unverified updates is just asking for malware injection.

A good signing scheme wouldn't be so easy to spoof - think asymmetric encryption, not web site certificates.
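The fix argued over in this subthread (and in Spazmania's "Signature" comment above), as an added Go example that is not from the page, Core Security or Absolute: the vendor signs each call-home reply with an asymmetric key, and the agent verifies it against a public key pinned in the firmware rather than trusting whoever answers at the configured address. The message layout, the version counter and all key material are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Message is the constructed wire format for one call-home reply:
// a version counter, the agent payload, and a detached Ed25519
// signature over both. Nothing about the address it came from is trusted.
type Message struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedBytes returns the exact bytes the signature covers: version || payload.
// Binding the version into the signature is what lets the agent refuse an
// old but genuinely signed message that is replayed to force a downgrade.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignMessage is the vendor ("home") side: only the holder of the private
// key can produce a message the agent will accept.
func SignMessage(priv ed25519.PrivateKey, version uint32, payload []byte) Message {
	return Message{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, signedBytes(version, payload)),
	}
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned key")
	ErrRollback     = errors.New("message version is not newer than the installed one")
)

// VerifyMessage is the firmware-agent side. pinned is the vendor public key
// baked into the agent; installed is the version currently on disk.
// Redirecting the call-home address changes who answers, not this key.
func VerifyMessage(pinned ed25519.PublicKey, installed uint32, m Message) error {
	if !ed25519.Verify(pinned, signedBytes(m.Version, m.Payload), m.Sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Result collects the verdict for each constructed scenario.
type Result struct {
	Genuine  error // signed by the vendor, newer version: expected nil
	Spoofed  error // a rogue "home" signs with its own key
	Tampered error // vendor-signed message with one payload bit changed in transit
	Replay   error // an old vendor-signed message re-sent to force a downgrade
}

// Demo runs the four scenarios against a freshly generated vendor key.
func Demo() Result {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed uint32 = 7

	genuine := SignMessage(vendorPriv, 8, []byte("agent build 8 (constructed payload)"))
	spoofed := SignMessage(roguePriv, 9, []byte("agent build 9 (constructed, rogue server)"))

	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0x01 // flip one bit in transit; signature no longer matches

	replay := SignMessage(vendorPriv, 7, []byte("agent build 7 (constructed, old)"))

	return Result{
		Genuine:  VerifyMessage(vendorPub, installed, genuine),
		Spoofed:  VerifyMessage(vendorPub, installed, spoofed),
		Tampered: VerifyMessage(vendorPub, installed, tampered),
		Replay:   VerifyMessage(vendorPub, installed, replay),
	}
}

func main() {
	r := Demo()
	fmt.Println("genuine :", r.Genuine)
	fmt.Println("spoofed :", r.Spoofed)
	fmt.Println("tampered:", r.Tampered)
	fmt.Println("replay  :", r.Replay)
}
```

Only the genuine message is accepted; a rogue server, a modified payload and a replayed older build are each rejected before anything is written to disk.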

Unsigned BIOS replacement is the problem (5, Insightful)

ral (93840) | more than 4 years ago | (#28897403)

Please tell me if I'm missing something, but isn't the real vulnerability that the BIOS can be modified with unsigned code? A BIOS that allows this can be infected with a rootkit regardless of whether the LoJack code was there.

Re:Unsigned BIOS replacement is the problem (1)

camperdave (969942) | more than 4 years ago | (#28897489)

True, but a regular BIOS can be reflashed. This LoJack stuff survives BIOS flashings.

Re:Unsigned BIOS replacement is the problem (2, Insightful)

gmuslera (3436) | more than 4 years ago | (#28897513)

The real vulnerability is the "phone home" part, especially because it doesn't use strong authentication. What if something in your path redirects that fixed IP it contacts to one with a fake set of instructions? Suddenly router hacking, open hotspots, ARP poisoning and other things could be lethal to your notebook, or even be used to bypass your well built firewall and make your PC part of an ever growing communit... I mean, botnet.

Re:Unsigned BIOS replacement is the problem (2, Interesting)

coreboot (1607489) | more than 4 years ago | (#28898153)

You are assuming that the signed code can be trusted, which is a bad assumption. The signed code is from a vendor; how many vendors ship code with broken security; how many vendors would you expect to happily sign code with broken security, in the PC world? Answer: all of them :-)

This development should not be a surprise to anyone, but evidently it is. We've been trying to warn people about this possibility for 10 years; nobody seemed to care. I am hoping they care more now.

I still feel the only solution to building PC systems you can trust is to turn to open code bases for ALL BIOS code. It's just too easy to hide some very nasty things in a 1 Mbyte binary blob.

BTW, this BIOS exploit is the tip of the iceberg. Check this one out: http://en.wikipedia.org/wiki/Intel_Active_Management_Technology [wikipedia.org] . How can you work around that one? It may be that the only way to build machines we can trust is to get out of the x86 world entirely.

ron

Persistent Advertising... (2, Funny)

Xin Jing (1587107) | more than 4 years ago | (#28897415)

I'm surprised that hardware manufacturers haven't made better use of persistent on-chip data. A huge opportunity exists for device firmware developers to embed advertising. Imagine installing a Sony DVD drive that detects non-proprietary discs and pops up a suggestion to purchase Sony discs. It isn't too hard to imagine Sony including a special bit string on their blank DVDs that their players look for each time a disc is inserted. Or several advertising partners with products that, when present, can create an "advertising opportunity": Sony DVD, Intel CPU, Microsoft OS and D-Link router trigger a cross-market moment.

Re:Persistent Advertising... (1)

Merls the Sneaky (1031058) | more than 4 years ago | (#28897571)

Sony would be just the kind of douchebags to try this.

Re:Persistent Advertising... (1)

aztracker1 (702135) | more than 4 years ago | (#28897857)

Thanks, I'm pretty sure I'm going to have nightmares about this now... I'm actually serious. I tend to be a little paranoid about security, not nearly as much as some, but still.

Good thing (1)

Darkness404 (1287218) | more than 4 years ago | (#28897503)

Good thing this doesn't come on the cheap models. I bought a cheap-as-dirt ($300 new, not a netbook) Toshiba laptop, an L305-S5955, and thankfully it doesn't have this "feature", but I feel like I dodged a bullet with this one.

What's with all the extra "features" no one wants? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28897559)

Why can't computer manufacturers just sell clean working laptops with clean Windows installs plus drivers on a basic BIOS that just includes a few items like which drive to boot from and a hard drive corruption check? It's getting a little bit ridiculous. There are several dozen crapware programs on most mass-market laptops, then you've got the root-kit BIOS, apparently, and the trusted computing module (and to this day no one has really been able to adequately explain to me what features the TCM gives me despite its ubiquity). I know laptops are getting cheaper, but they are also getting more and more aggravating in some ways.

This BIOS issue is more annoying than the crapware thing, really, because at least crapware can be removed in the control panel (Well, usually, I've seen a program or two refuse to uninstall) or through my computer, but a BIOS flashing is beyond most people's level of technical expertise. It's not anything else technological these days, it seems like, from software to hardware, we're told what we want and then "given" it and have no say in the matter, even if we like the old way better.

Re:What's with all the extra "features" no one wan (1)

Darkness404 (1287218) | more than 4 years ago | (#28897791)

Some get money for putting crapware on their systems. However, the one thing I hate more are the annoying OEM branded programs. Ok, sure, I want a CD burner that can burn ISOs, however I don't want a TOSHIBA (R) DISK BURNER, even though it's a decent disk burning program. I hate OEM branded stuff; I buy a computer, I'm smart enough to know there's very little difference between this Toshiba and a similarly equipped Compaq. The OEM branded wallpapers also annoy me. Yes, I know what computer I bought. It says so everywhere on the machine, it doesn't matter. I don't need OEM wallpapers.

But, that is what happens when you get a system designed by a marketing department...

Re:What's with all the extra "features" no one wan (1)

BitZtream (692029) | more than 4 years ago | (#28898007)

They do. It's not enabled from the factory. You have to pay extra to get it to actually work. It is completely hidden to the OS unless enabled in the BIOS at boot time.

I realize you just read some FUD kdawson forwarded for us, but you have to take extra steps to make this software work. Out of the box there is nothing to do, you don't have to 'remove it', when the BIOS transfers control it is for all intents and purposes not available.

It is an optional feature, like traction control on your car or overdrive, you just turn it off.

If you don't want it enabled the solution is REAL simple, don't buy a laptop with computrace installed. There are plenty out there without it.

To use a car analogy, can you go to a dealership and buy a car without an engine? No. But you can find a car without air conditioning, if you put a little effort into it (depending on where you live, air conditioning may be an option rather than standard so bear with the analogy).

When you buy mass market cookie cutter products in order to get a lower price, then you don't get to specify the exact specifications yourself; you take one of the options you are given, as you have to choose what most people want.

If you want to pick anything you want then you have to build it yourself, which is FAR more expensive.

Computrace - can't get rid of it. (1, Informative)

Anonymous Coward | more than 4 years ago | (#28897567)

Computrace comes loaded in the bios of all of my Dell Latitudes. It is "inactive" until you turn it on in the BIOS. Once activated, there is no way to disable it.

There is a one time license fee to register the Computrace machine on their website. It uses IP based location. Windows will recognize the computrace hardware and install a "Generic USB HUB" driver for it (thanks MS). It must also interface with WMI in some way, as the website will also pull up some details on the computer's specs.

Once you flag the machine as stolen, Computrace (the company) tries to track it down. If they are unable to return your laptop within a certain amount of time (30 days I believe) they pay out 70% of the value of the laptop.

Re:Computrace - can't get rid of it. (1)

BitZtream (692029) | more than 4 years ago | (#28897615)

You might want a BIOS update, I have no problem turning mine on and off.

Re:Computrace - can't get rid of it. (1)

BitZtream (692029) | more than 4 years ago | (#28897641)

There's no reason WMI needs to be involved; it's part of the BIOS, it already knows everything about the hardware and doesn't need much effort to read a little info off the Windows disk.

FUD FOR THE WIN! (4, Informative)

BitZtream (692029) | more than 4 years ago | (#28897837)

First off, the 'feature' comes on a lot of laptops. Doesn't mean it's enabled. You have to request it to be enabled in order for it to come from the factory with it actually turned on.

If you don't turn it on, it doesn't do anything, no phone home, no remote wipe, no tracking.

Guess what, the same thing applies to Blackberrys, and iPhones, and cars with LoJack that have remote shutoff. For every feature there is a potential risk; that's the way the world works.

If you want the potential to remotely locate/track and wipe a laptop or PC, then you also get the potential that someone else can do it as well.

Actually, isn't it more like 95%? (1)

rickb928 (945187) | more than 4 years ago | (#28897847)

Since most laptops come with Windows, and, well, you get my drift...

Oh, that's right, those aren't BIOS rootkits, never mind. Makes all the difference.

Though I don't much care if my machine is compromised in pre-execution or later. All the same crap to me.

I wonder if the bad guys have bothered to monitor LoJack transmissions for cars. At least you'd know where the cops are, and could plan to be elsewhere...
