Slashdot Mirror


BIOS "Rootkit" Preloaded In 60% of New Laptops

Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."

22 of 236 comments

  1. Are Sony Vaios using this? by motherpusbucket · · Score: 5, Insightful

    Sounds like it's right up Sony's alley.

    --
    "You can't really dust for vomit" --Nigel Tufnel
  2. Not a "rootkit" when I want it by Anonymous Coward · · Score: 4, Insightful

    Just like SPTD is not a rootkit when it hides my emulated DVD from copy protection software.

    This is a popular piece of software that happens to have a potentially serious bug that the vendors and users should be demanding be fixed, but it doesn't make it a rootkit.

  3. Re:It is time by betterunixthanunix · · Score: 4, Insightful

    What if a bug is discovered in the boot code?

    --
    Palm trees and 8
  4. Re:Problem solved by oahazmatt · · Score: 4, Insightful

    I use a Macbook.

    As do I, but that does not mean that I have any delusions as it relates to security.

    There is quite a bit of exploitable code available that, if properly engineered, can do quite a bit of damage to an Apple computer. Simply because there is no Mac version of the "Melissa" virus does not mean that as a Mac user I should assume that there will never be one.

    And let's not forget the iLife torrent that had something special added to it. There are plenty of individuals attempting to prove to the general public that a Mac is no more secure than its Windows counterpart, and it will be not a false sense of security, but a lack of personal responsibility that will assist in that.

    Opinion, obviously. Results may vary.

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  5. Signature by Spazmania · · Score: 5, Insightful

    The pair recommended a digital signature scheme to authenticate the call-home process.

    How's that going to help? If you can replace the IP address then you can replace the certificate and signature too. If you have access to modify the BIOS flash, it's game over.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  6. Re:Problem solved by clone53421 · · Score: 3, Insightful

    We're talking about a BIOS rootkit. The BIOS runs directly on the hardware. It doesn't really care what OS you're loading, unless it has some specific reason to.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  7. Unsigned BIOS replacement is the problem by ral · · Score: 5, Insightful

    Please tell me if I'm missing something, but isn't the real vulnerability that the BIOS can be modified with unsigned code? A BIOS that allows this can be infected with a rootkit regardless of whether the LoJack code was there.

    1. Re:Unsigned BIOS replacement is the problem by gmuslera · · Score: 2, Insightful

      The real vulnerability is the "phone home" part, especially because it doesn't use strong authentication. What if something in your path redirects that fixed IP it contacts to one with a fake set of instructions? Suddenly router hacking, open hotspots, ARP poisoning and other things could be lethal to your notebook, or even be used to bypass your well-built firewall and make your PC part of an ever-growing communit... I mean, botnet.
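      What the digital-signature recommendation in comment 5 and the missing-authentication point above amount to, written out as an added example (not code from the thread, from Core Security, or from Computrace; Go is used because its standard library ships Ed25519). The agent, the pinned vendor key, the sequence number and the wire format are all assumptions constructed for this illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Agent stands in for the firmware-resident call-home client: a vendor public
// key pinned at build time (assumed here) and the last sequence number seen.
// Constructed wire format: seq (8 bytes BE) || payload || Ed25519 sig (64 bytes).
type Agent struct {
	vendorPub ed25519.PublicKey
	lastSeq   uint64
}

// Accept returns the payload only if the pinned key signed it and it is newer
// than anything already acted on; a redirected "home" fails the first check.
func (a *Agent) Accept(msg []byte) ([]byte, error) {
	cut := len(msg) - ed25519.SignatureSize
	if cut < 8 || !ed25519.Verify(a.vendorPub, msg[:cut], msg[cut:]) {
		return nil, errors.New("truncated, or not signed by the pinned vendor key")
	}
	seq := binary.BigEndian.Uint64(msg[:8])
	if seq <= a.lastSeq {
		return nil, errors.New("replayed or stale instruction")
	}
	a.lastSeq = seq
	return msg[8:cut], nil
}
// SignInstruction is the server side: frame seq||payload and sign it.
func SignInstruction(priv ed25519.PrivateKey, seq uint64, payload []byte) []byte {
	body := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(body, seq)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}
// Demo: genuine instruction, same bytes replayed, then one signed by an unpinned key.
func Demo() (genuine, replay, forged bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	agent := &Agent{vendorPub: vendorPub}
	msg := SignInstruction(vendorPriv, 1, []byte("report-location"))
	_, e1 := agent.Accept(msg)
	_, e2 := agent.Accept(msg)
	_, e3 := agent.Accept(SignInstruction(attackerPriv, 2, []byte("run-this")))
	return e1 == nil, e2 == nil, e3 == nil
}
func main() { fmt.Println(Demo()) }
```

      Only the genuine delivery is accepted; the replay and the attacker-signed instruction are refused regardless of which IP answered. The check is only as strong as the storage holding the pinned key, which is exactly the objection raised in comment 5: if that flash region can be rewritten, the key can be swapped along with the address.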

  8. Re:60%? Really? by somecreepyoldguy · · Score: 4, Insightful

    Go into the BIOS setup, you can choose to activate the feature if you paid for the license, or deactivate a previously activated agent. Choosing disable removes the feature completely. It can NEVER come back. TFA is hype. If it is never enabled in the BIOS NOTHING is installed on Windows.

  9. What's with all the extra "features" no one wants? by Anonymous Coward · · Score: 1, Insightful

    Why can't computer manufacturers just sell clean working laptops with clean Windows installs plus drivers on a basic BIOS that just includes a few items like which drive to boot from and a hard drive corruption check? It's getting a little bit ridiculous. There are several dozen crapware programs on most mass-market laptops, then you've got the root-kit BIOS, apparently, and the trusted computing module (And to this day no one has really been able to adequately explain to me what features the TCM gives me despite its ubiquity). I know laptops are getting cheaper, but they are also getting more and more aggravating in some ways.

    This BIOS issue is more annoying than the crapware thing, really, because at least crapware can be removed in the control panel (Well, usually, I've seen a program or two refuse to uninstall) or through my computer, but a BIOS flashing is beyond most people's level of technical expertise. It's not anything else technological these days, it seems like, from software to hardware, we're told what we want and then "given" it and have no say in the matter, even if we like the old way better.

  10. Re:It is time by darksabre · · Score: 2, Insightful

    Because booting a PC is not simple. DRAM init is complicated. PCI init is complicated. Supporting suspend to RAM is complicated. etc etc.

  11. Re:It is time by parkrrrr · · Score: 2, Insightful

    Are you sure your compiler doesn't have any bugs that might be exacerbated by, say, a main that doesn't take any arguments?

  12. Re:It is time by maxwell+demon · · Score: 2, Insightful

    Or maybe there's a bug in the startup code generated by the compiler, but it triggers only in very unusual situations, so it wasn't yet detected. That bug would be in any program generated by the compiler, including the empty one.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  13. I've never understood the point of this program... by klubar · · Score: 2, Insightful

    It's offered really cheaply on a bunch of Dells. The program calls home and reports its IP address when activated after being stolen. I doubt if the police are going to do anything with the report of an IP address on a stolen used computer that might be worth $1000 (probably less). All the cops are going to tell you to do is a) use a cable lock in the future b) don't leave the machine in your (car, house, office, etc.) in plain sight and c) call your insurance company. In most cities, cops don't even investigate stolen cars. The original LoJack for cars (identifier beacons) might have been useful in a couple of cases, but LoJack for computers is almost a complete waste of money. Better off investing in a) a cable lock, b) computer cover and c) insurance.

  14. Re:60%? Really? by Desler · · Score: 3, Insightful

    Yeah, it's pretty funny that a piece of software that has nothing to do with Microsoft that gets loaded on hardware that Microsoft has nothing to do with by the OEMs themselves through a deal with a completely different company is not mentioned in a Microsoft commercial about Windows. Or actually, it's really not.

  15. Re:60%? Really? by X0563511 · · Score: 2, Insightful

    Please explain to me how this works.

    This BIOS 'switch' - how exactly is that flipped? CMOS is not permanent, NVRAM is not permanent, RAM is not permanent. The only permanent storage are removable devices such as hard drives, and the BIOS itself. The BIOS is usually protected physically (jumper) and isn't a 'volatile' storage means anyways. Also, from my understanding, this isn't something that can be reprogrammed on the fly - it has to be done in "real mode" and is done on a block level, rather than bit level (just like programming any other chip).

    I just either lack the magic clue that tells me how this is possible, or this isn't possible at all.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  16. Re:It is time by X0563511 · · Score: 2, Insightful

    Which is a lot better than something bad happening with no clue as to why.

    Even if it wasn't fixable, I would like to know.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  17. Re:It is time by parkrrrr · · Score: 2, Insightful

    But the context of the discussion was that the object code should be flawless. In that case, whether the tools that turn source code into object code have bugs turns out to be relevant.

    And I didn't say int main(void) was wrong or bad; what I intended to imply was that some compiler might have only been properly tested for the more common argc/argv prototype. Heck, it might not have been tested at all; as another poster mentions it might be a bug in all code the compiler generates.

  18. Re:60%? Really? by adolf · · Score: 2, Insightful

    You're not missing any clues; it's just impossible.

    My Dell Inspiron 6000's last BIOS update (several years ago) came with some Computrace back-end stuff, with the aforementioned options for on, off, and disable. On and disable are both "permanent" options.

    Which is really interesting, if you follow the timeline: The feature wasn't there at all to begin with. And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.

    If I set it to "on" or "disable", it'll just flip a bit somewhere, and/or do some magic crypto, and flash that result into a region of BIOS.

    But, it's still all just flash. It can still be erased, and then it can be rewritten. The BIOS might not support doing this on its own (for reasons which might range from management to marketing), but that doesn't mean that it's something that cannot be accomplished with other tools.

  19. Re:It is time by darksabre · · Score: 3, Insightful

    Sorry but the BIOS has not been small and simple for about 20 years. It does far more than simply launch a bootloader. New technologies have constantly been added to the BIOS and each one has added to the complexity. APM, PnP, PCI, ACPI, EPP/ECP, BBS, UEFI, PCIe etc etc. The 4MB ROM is not yet full of BIOS code, that's still only about 1.5MB give or take. However Intel boards also have code in there for their manageability engine etc. With a reasonable amount of headroom in the ROM manufacturers are looking to add value by using that available space to include new features hence this Lojack fiasco.
    OSS doesn't stand much of a chance of producing a BIOS until it has a suitably open hardware platform to go with it. So much of a BIOS is intimately connected to the hardware that without access to the full specs the hardware would be obsolete before it could be reverse engineered.

  20. Re:60%? Really? by jimicus · · Score: 2, Insightful

    And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.

    If I set it to "on" or "disable", it'll just flip a bit somewhere, and/or do some magic crypto, and flash that result into a region of BIOS.

    Of course you could disable it. But that's not the point.

    There seems to be a prevalent view on /. that because a security system can be disabled, it always will be and is therefore pointless. But anyone who's got enough knowledge to know about the existence of this is probably not a junkie that steals laptops left alone for a minute on the train. And that's what the great majority of petty theft is.

  21. Mod parent up. This is very bad. by Animats · · Score: 3, Insightful

    This is a very bad thing. A "security" product should not allow downloading of software. This is even worse. It allows hidden downloading of software not visible to the user.

    Supposedly it's delivered "turned off"? But how do you know it's turned off at startup? How do you know it wasn't turned on during operating system loading, or wasn't turned on by any of the preloaded crap that the "major PC manufacturers" preload? How do you know there isn't some way to turn it on remotely?

    No computer with this software in ROM should be used for proprietary material, legal documents, medical records regulated by HIPAA, financial records regulated by the SEC, or anything else that might attract an opponent. If you just play WoW, go ahead.