Slashdot Mirror


BIOS "Rootkit" Preloaded In 60% of New Laptops

Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."

59 of 236 comments

  1. Hmmm by Anonymous Coward · · Score: 4, Funny

    P.C. Phone Home.

    1. Re:Hmmm by SEWilco · · Score: 2, Funny

      If I find my PC erecting a metal umbrella then I'll worry about it.

  2. Are Sony Vaio's using this? by motherpusbucket · · Score: 5, Insightful

    Sounds like it's right up Sony's alley.

    --
    "You can't really dust for vomit" --Nigel Tufnel
  3. 60%? Really? by doctor_nation · · Score: 2, Interesting

    60% seems awfully high for a program I've never heard of. Not that I've been laptop shopping lately, but still.

  4. It is time by 2names · · Score: 2, Interesting

    Can someone with some knowledge please explain to me why we can't build a machine with simple boot code that does not EVER need to be modified for the life of the hardware?

    --
    "I'm just here to regulate funkiness."
    1. Re:It is time by betterunixthanunix · · Score: 4, Insightful

      What if a bug is discovered in the boot code?

      --
      Palm trees and 8
    2. Re:It is time by $RANDOMLUSER · · Score: 4, Funny

      Busg happen. Consider the /. "write once" paradigm.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:It is time by $RANDOMLUSER · · Score: 4, Funny

      Woosh

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:It is time by DadLeopard · · Score: 3, Interesting

      Been there, had that, in the 80s! Atari 1040ST had TOS (Tramiel Operating System) on EPROMs! Have yet to see a virus or rootkit that carried an EPROM eraser around with it, so as long as you booted up without media in the drives the machine was guaranteed clean! God I miss that machine!! GEM was sweet!

    5. Re:It is time by Chris+Mattern · · Score: 3, Funny

      That's nice. "Hello, customer. There's a fatal bug in your BIOS. Of course, there's not a damn thing you can do about it, since the BIOS on this model isn't changeable, but at least you know about it now."

    6. Re:It is time by darksabre · · Score: 2, Insightful

      Because booting a PC is not simple. DRAM init is complicated. PCI init is complicated. Supporting suspend to RAM is complicated. etc etc.

    7. Re:It is time by darksabre · · Score: 3, Funny

      Damn, I've just wasted 15 years of my life porting BIOSes to different platforms. Thanks for telling me that it was all unnecessary. Hardware manufacturers will also be pleased to know that they can just use a smaller ROM of a few KB instead of the 4MB ROMs that are coming into use now. That will save a few pennies.

      I bow before your in depth and vastly superior knowledge of the subject.

    8. Re:It is time by tepples · · Score: 2, Informative

      Fire the guy. BIOS do the same function on every computer and are a very simple program of a few K. Bugs in there are totally avoidable.

      No, they need to be adapted per chipset, especially for things like ACPI.

    9. Re:It is time by parkrrrr · · Score: 2, Insightful

      Are you sure your compiler doesn't have any bugs that might be exacerbated by, say, a main that doesn't take any arguments?

    10. Re:It is time by maxwell+demon · · Score: 2, Insightful

      Or maybe there's a bug in the startup code generated by the compiler, but it triggers only in very unusual situations, so it wasn't yet detected. That bug would be in any program generated by the compiler, including the empty one.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    11. Re:It is time by X0563511 · · Score: 2, Insightful

      Which is a lot better than something bad happening with no clue as to why.

      Even if it wasn't fixable, I would like to know.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    12. Re:It is time by parkrrrr · · Score: 2, Insightful

      But the context of the discussion was that the object code should be flawless. In that case, whether the tools that turn source code into object code have bugs turns out to be relevant.

      And I didn't say int main(void) was wrong or bad; what I intended to imply was that some compiler might have only been properly tested for the more common argc/argv prototype. Heck, it might not have been tested at all; as another poster mentions it might be a bug in all code the compiler generates.

    13. Re:It is time by darksabre · · Score: 3, Insightful

      Sorry but the BIOS has not been small and simple for about 20 years. It does far more than simply launch a bootloader. New technologies have constantly been added to the BIOS and each one has added to the complexity. APM, PnP, PCI, ACPI, EPP/ECP, BBS, UEFI, PCIe etc etc. The 4MB ROM is not yet full of BIOS code, that's still only about 1.5MB give or take. However Intel boards also have code in there for their manageability engine etc. With a reasonable amount of headroom in the ROM manufacturers are looking to add value by using that available space to include new features hence this Lojack fiasco.
      OSS doesn't stand much of a chance of producing a BIOS until it has a suitably open hardware platform to go with it. So much of a BIOS is intimately connected to the hardware that without access to the full specs the hardware would be obsolete before it could be reverse engineered.

    14. Re:It is time by adolf · · Score: 2, Informative

      Not everything is flash-based, yaknow.

      Once upon a time, I had a 32x Plextor SCSI CD-ROM reader, back when such a thing was still a trendy thing to have for ripping audio CDs, which was generally problematic back then.

      It worked pretty well, but eventually Plextor made a new firmware for it that improved a few things. They mailed it out to me for free, via USPS. After the package showed up, I found a small, square EEPROM inside of a static-resistant carrier and, IIRC, a brief instruction sheet.

      The process was simple: Pull the drive, turn it over, remove old chip, insert new chip, reassemble, and done.

      I mean, sheesh: BIOS wasn't always flashable, either, yaknow -- it used to be contained on socketed ROMs that could be swapped around fairly easily.

  5. From Mogwai to Gremlin by CrimsonKnight13 · · Score: 3, Funny

    LoJack swiftly changes to HiJack with a good splash of water

    --
    Libera te ex Inferis!
    1. Re:From Mogwai to Gremlin by trevorrowe · · Score: 5, Funny

      LoJack swiftly changes to HiJack with a good meal after midnight

      There, fixed that for you. A splash of water would give you more laptops... if only ...

    2. Re:From Mogwai to Gremlin by TinBromide · · Score: 2, Funny

      LoJack swiftly changes to HiJack with a good meal after midnight

      There, fixed that for you. A splash of water would give you more laptops... if only ...

      Yeah, but they'd all run windows ME

      --
      Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
  6. Not a "rootkit" when I want it by Anonymous Coward · · Score: 4, Insightful

    Just like SPTD is not a rootkit when it hides my emulated dvd from copy protection software.

    This is a popular piece of software that happens to have a potentially serious bug that the vendors and users should be demanding be fixed, but it doesn't make it a rootkit.

  7. Re:60%? Really? by cachimaster · · Score: 5, Interesting

    I know it's hard to believe. When doing our research (I'm Alfredo, hi!) we couldn't find a notebook *without* the Computrace agent. It's bad.

  8. Re:Problem solved by alen · · Score: 3, Informative

    http://store.lojackforlaptops.com/store/absolute/DisplayProductDetailsPage/productID.104509100

    Congrats, there is a Mac version available as well. PCs and Macs are all the same parts made by the same slaves chained together. There are a few companies in the world that make a basic computer and then Dell, HP, Apple and others add a few things and brand it for themselves.

  9. Re:60%? Really? by _bug_ · · Score: 5, Interesting

    Any way to tell if your laptop has this "feature"?

    And is there any way to disable it?

  10. Re:persistent code that survive reboots by Daniel_Staal · · Score: 2, Informative

    With the rest of the BIOS code, in the special flash-pram on the motherboard designed especially to store just that code.

    --
    'Sensible' is a curse word.
  11. Re:Problem solved by oahazmatt · · Score: 4, Insightful

    I use a Macbook.

    As do I, but that does not mean that I have any delusions as it relates to security.

    There is quite a bit of exploitable code available that, if properly engineered, can do quite a bit of damage to an Apple computer. Simply because there is no Mac version of the "Melissa" virus does not mean that as a Mac user I should assume that there will never be one.

    And let's not forget the iLife torrent that had something special added to it. There are plenty of individuals attempting to prove to the general public that a Mac is no more secure than its Windows counterpart, and it will be not a false sense of security, but a lack of personal responsibility that will assist in that.

    Opinion, obviously. Results may vary.

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  12. Signature by Spazmania · · Score: 5, Insightful

    The pair recommended a digital signature scheme to authenticate the call-home process.

    How's that going to help? If you can replace the IP address then you can replace the certificate and signature too. If you have access to modify the BIOS flash, it's game over.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  13. Re:Problem solved by clone53421 · · Score: 3, Insightful

    We're talking about a BIOS rootkit. The BIOS runs directly on the hardware. It doesn't really care what OS you're loading, unless it has some specific reason to.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  14. No,not sony for once, here is a list by leuk_he · · Score: 5, Informative

    From the Lojack compatibility list here is a list of companies:

    ASUS, Dell, Fujitsu, GammaTech, Gateway, GD Itronix, Getac, HP, Lenovo, Motion, Panasonic, Toshiba

    You can find a list of models on the "bios compatibility list"

  15. Unsigned BIOS replacement is the problem by ral · · Score: 5, Insightful

    Please tell me if I'm missing something, but isn't the real vulnerability that the BIOS can be modified with unsigned code? A BIOS that allows this can be infected with a rootkit regardless of whether the LoJack code was there.

    1. Re:Unsigned BIOS replacement is the problem by gmuslera · · Score: 2, Insightful

      The real vulnerability is the "phone home" part, especially because it doesn't use strong authentication. What if something in your path redirects that fixed IP it contacts to one with a fake set of instructions? Suddenly router hacking, open hotspots, arp poisoning and other things could be lethal to your notebook, or even be used to bypass your well built firewall and make your pc part of an ever growing communit... i mean, botnet.
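The difference between an agent that trusts whatever answers at its configurable "home" address (the weakness gmuslera describes) and one that checks a digital signature on each instruction (the scheme the Signature post discusses), as an added Go example that is not part of the original thread or of Computrace: the home address is modelled as a plain field, the vendor key, domain label and host names are assumed, and the pinned public key is assumed to live in the firmware image rather than in the rewritable configuration area.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Instruction is a constructed stand-in for what the agent gets from its "home" host.
type Instruction struct {
	Seq     uint64 // must increase per accepted instruction; blocks replay of old commands
	Command string // e.g. "noop", "install-agent"
	Sig     []byte // Ed25519 signature over label||Seq||Command; empty if unsigned
}

// Agent models the firmware side: HomeAddr sits in rewritable configuration (the part
// the story says can be changed); VendorKey is assumed baked into the firmware image.
type Agent struct {
	HomeAddr  string
	VendorKey ed25519.PublicKey
	lastSeq   uint64
}

// GenerateKeys makes an Ed25519 pair for the assumed vendor back-end (or a rogue host).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS CSPRNG is unavailable
	}
	return pub, priv
}

// signedBytes is the exact byte string the signature covers: a fixed domain
// label, the big-endian sequence number, then the command text.
func signedBytes(seq uint64, cmd string) []byte {
	msg := []byte("callhome-instruction-v1|") // constructed domain label
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	msg = append(msg, seqBytes[:]...)
	return append(msg, cmd...)
}

// Sign is what a legitimate back-end does with its private key.
func Sign(priv ed25519.PrivateKey, seq uint64, cmd string) Instruction {
	return Instruction{Seq: seq, Command: cmd, Sig: ed25519.Sign(priv, signedBytes(seq, cmd))}
}

// AcceptUnauthenticated is the weak design: whatever answers at HomeAddr is
// trusted, so redirecting that address is enough to feed the agent any command.
func (a *Agent) AcceptUnauthenticated(ins Instruction) (string, error) {
	return ins.Command, nil
}

// AcceptSigned is the hardened design: run an instruction only if it verifies under the
// pinned vendor key and is newer than the last accepted one. Redirecting HomeAddr alone
// no longer helps; rewriting the pinned key in flash is the separate problem the thread raises.
func (a *Agent) AcceptSigned(ins Instruction) (string, error) {
	if len(ins.Sig) != ed25519.SignatureSize {
		return "", errors.New("missing or malformed signature")
	}
	if !ed25519.Verify(a.VendorKey, signedBytes(ins.Seq, ins.Command), ins.Sig) {
		return "", errors.New("signature does not verify under pinned vendor key")
	}
	if ins.Seq <= a.lastSeq {
		return "", errors.New("replayed or stale instruction")
	}
	a.lastSeq = ins.Seq
	return ins.Command, nil
}

func main() {
	vendorPub, vendorPriv := GenerateKeys()
	_, roguePriv := GenerateKeys() // key of whoever answers at the redirected address
	agent := &Agent{HomeAddr: "vendor.example", VendorKey: vendorPub} // assumed host name
	agent.HomeAddr = "203.0.113.7" // "home" redirected by an attacker (TEST-NET placeholder)
	rogue := Sign(roguePriv, 1, "install-agent")
	cmd, err := agent.AcceptUnauthenticated(rogue)
	fmt.Printf("weak agent:   cmd=%q err=%v\n", cmd, err)
	cmd, err = agent.AcceptSigned(rogue)
	fmt.Printf("signed agent: cmd=%q err=%v\n", cmd, err)
	cmd, err = agent.AcceptSigned(Sign(vendorPriv, 1, "noop"))
	fmt.Printf("genuine:      cmd=%q err=%v\n", cmd, err)
}
```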

    2. Re:Unsigned BIOS replacement is the problem by coreboot · · Score: 2, Interesting

      You are assuming that the signed code can be trusted, which is a bad assumption. The signed code is from a vendor; how many vendors ship code with broken security; how many vendors would you expect to happily sign code with broken security, in the PC world? Answer: all of them :-)
      This development should not be a surprise to anyone, but evidently it is. We've been trying to warn people about this possibility for 10 years; nobody seemed to care. I am hoping they care more now.
      I still feel the only solution to building PC systems you can trust is to turn to open code bases for ALL BIOS code. It's just too easy to hide some very nasty things in a 1 Mbyte binary blob.
      BTW, this BIOS exploit is the tip of the iceberg. Check this one out: http://en.wikipedia.org/wiki/Intel_Active_Management_Technology. How can you work around that one? It may be that the only way to build machines we can trust is to get out of the x86 world entirely.
      ron

  16. Persistent Advertising... by Xin+Jing · · Score: 2, Funny

    I'm surprised that hardware manufacturers haven't made better use of persistent on-chip data. A huge opportunity exists for device firmware developers to embed advertising. Imagine installing a Sony DVD drive that detects non-proprietary discs and pops up a suggestion to purchase Sony discs. It isn't too hard to imagine Sony including a special bit string on their blank DVDs that their players look for each time a disc is inserted. Or several advertising partners with products that, when present, can create an "advertising opportunity": Sony DVD, Intel cpu, Microsoft OS and D-Link router trigger a cross-market moment.

  17. Re:60%? Really? by scout-247 · · Score: 2, Informative

    You'll have to load your laptop into BIOS, it's one of the options listed. I set the option to completely disable it. That doesn't mean that someone could somehow modify code to turn it on, and report it to their site.

  18. Re:60%? Really? by somecreepyoldguy · · Score: 4, Insightful

    Go into the BIOS setup, you can choose to activate the feature if you paid for the license, or deactivate a previously activated agent. Choosing disable removes the feature completely. It can NEVER come back. TFA is hype. If it is never enabled in the bios NOTHING is installed on windows.

  19. Re:Problem solved by clone53421 · · Score: 2, Interesting

    So? EFI = not-so-basic basic input/output system.

    There's a mac version of LoJack. Whether or not it is installed on a Macbook would depend on whether Apple chose to preload it, I suppose. A hackintosh, OTOH, might be more likely to have it.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  20. Re:persistent code that survive reboots by value_added · · Score: 2, Informative

    Where exactly is the code stored, that survives reboots?

    Start here. For more info, you can read the Wiki article.

    Alternatively, try opening your computer and actually looking at what's inside. ;-)

  21. Re:60%? Really? by QuantumRiff · · Score: 5, Informative

    Disable only works if the product was never activated. If the BIOS is set to active, AND the client software on the machine contacts the servers for Computrace, and verifies it should be licensed, then it "flips a switch" in that BIOS setting, and you can NEVER disable it again.

    They need to write to the software, or else the software will always try to contact them, and then anyone could track any laptop with a subpoena, ruining their business model. Instead, it has to be "turned on".

    Also, this software in the BIOS does not actually contact anyone directly. All the BIOS level crap does is forcibly try to re-install the agent software under windows. This could get ugly, if you update the BIOS, to try to force it to install a different program every time someone reloads windows...

    Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated...

    --
    What are we going to do tonight Brain?
  22. FUD FOR THE WIN! by BitZtream · · Score: 4, Informative

    First off, the 'feature' comes on a lot of laptops. Doesn't mean it's enabled. You have to request it to be enabled in order for it to come from factory with it actually turned on.

    If you don't turn it on, it doesn't do anything, no phone home, no remote wipe, no tracking.

    Guess what, same thing applies to Blackberrys, and iPhones, and cars with LoJack that have remote shutoff. For every feature there is a potential risk, that's the way the world works.

    If you want the potential to remotely locate/track and wipe a laptop or PC, then you also get the potential that someone else can do it as well.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:FUD FOR THE WIN! by GMFTatsujin · · Score: 2, Informative

      Exactly right. The company that made LoJack lobbied for the feature to be installed, but they want you to pay for it to be activated. If you don't give them money, it's dormant.

      Now, if somebody hacked or appropriated their activation scheme, or compelled the company to activate it without your knowledge, that would be a cause for concern.

  23. Something doesn't sound right, here. by Khyber · · Score: 5, Informative

    They have every DV/TC-model of HP Laptop listed - I used to specifically work on all DV/TC/NC/NX models, I've NEVER ONCE seen this in BIOS during any of my repairs. NEVER. Also, this software was never listed in part of HP's troubleshooting guides, and that usually means that feature is not there.

    I rebooted my laptop (DV9000, full featured loaded with every possible thing offered) and this 'rootkit' in BIOS is nowhere to be found, at all. Not on my friend's DV2000. Not on the new TC4400 I have in my art room.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Something doesn't sound right, here. by Anonymusing · · Score: 2, Informative

      Maybe it's available "optionally" on all those models?

      Or maybe it's really really good at hiding itself from you....

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    2. Re:Something doesn't sound right, here. by bmwEnthusiast · · Score: 2, Funny

      Isn't that what a rootkit is made to do? Hide from you so you have no idea it's there. Otherwise they might call it an ObviousKit? /meh

  24. Re:No,not sony for once, here is a list by dogfolife69 · · Score: 2, Funny

    Yeah, but sony does sell the "Computrace LoJack for Laptops" for their notebooks in their Sony branded VIP Protection Suite (which includes Norton NIS, Online backup and Computrace LoJack for Laptops).... But I guess in this case, you can optionally choose this Sony RootKit.... lol

  25. LoJack is now by Phizzle · · Score: 4, Funny

    LOLjack

    --
    I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
  26. Once upon a time... by DrYak · · Score: 3, Informative

    Well, once upon a time, that was the case:

    In case of bug you needed either to move the BIOS chip to a separate flasher, or at least use a hardware switch on the motherboard to switch between 5v and 12v to enable BIOS chip flashing.

    Nowadays, even Windows applications can write to the BIOS without any peculiar form of control. No switch at all involved.
    BIOS rootkits were just bound to happen. What makes it even easier for rootkits is that 90% of all PCs use the same brands of BIOS and those BIOS are designed in a modular fashion, making it easy to add a "rootkit" module without needing to re-create a whole new BIOS (see the example of how to add an embedded FreeDOS inside an Award BIOS).

    That's pretty much stupid: Most motherboards have a couple of bugs fixed during the first couple of months. Then there's mostly no need to reflash the BIOS, except for supporting newer CPUs, etc... which would require opening the case and accessing the motherboard anyway. But for the whole lifetime of the BIOS, it remains completely writeable even from user-space applications from within highly insecure OSes.

    Hardware "write-protection" switches for BIOSes should be reintroduced. Simple fix for a simple problem.
    Instead you can stay sure that the manufacturers and Microsoft are going to require several layers of TPM and similar forms of DRM in BIOS which won't even guarantee that BIOSes would be protected from bugs.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  27. Re:60%? Really? by Lord+Ender · · Score: 2, Informative

    60% may be vulnerable, but it is a bald faced lie to say that 60% are preloaded with a rootkit.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  28. I've never understood the point of this program... by klubar · · Score: 2, Insightful

    It's offered really cheaply on a bunch of Dells. The program calls home and reports its IP address when activated after being stolen. I doubt if the police are going to do anything with the report of an IP address on a stolen used computer that might be worth $1000 (probably less). All the cops are going to tell you to do is a) use a cable lock in the future b) don't leave the machine in your (car, house, office, etc.) in plain sight and c) call your insurance company. In most cities, cops don't even investigate stolen cars. The original lojack for cars (identifier beacons) might have been useful in a couple of cases, but lojack for computers is almost a complete waste of money. Better off investing in a) a cable lock, b) computer cover and c) insurance.

  29. Re:60%? Really? by Desler · · Score: 3, Insightful

    Yeah, it's pretty funny that a piece of software that has nothing to do with Microsoft that gets loaded on hardware that Microsoft has nothing to do with by the OEMs themselves through a deal with a completely different company is not mentioned in a Microsoft commercial about Windows. Or actually, it's really not.

  30. Re:Problem solved by Tony+Hoyle · · Score: 3, Informative

    Actually this could be built into EFI. Apple don't, but if a laptop manufacturer wanted to they could. It's even easier than BIOS - an EFI ROM is a structured filesystem containing all the drivers and commands required to boot.. things like the display and keyboard drivers. Adding this software could be done after the fact without even having to touch the original code.

  31. Re:60%? Really? by X0563511 · · Score: 2, Insightful

    Please explain to me how this works.

    This BIOS 'switch' - how exactly is that flipped? CMOS is not permanent, NVRAM is not permanent, RAM is not permanent. The only permanent storage are removable devices such as hard drives, and the BIOS itself. The BIOS is usually protected physically (jumper) and isn't a 'volatile' storage means anyways. Also, from my understanding, this isn't something that can be reprogrammed on the fly - it has to be done in "real mode" and is done on a block level, rather than bit level (just like programming any other chip).

    I just either lack the magic clue that tells me how this is possible, or this isn't possible at all.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  32. Re:How would the malicious code initially installe by camg188 · · Score: 2, Informative

    From one of the links in the article:

    While an attacker would have to already have compromised a system to insert malicious code into the BIOS, the attack prevents a defender from easily deleting an attacker's program or rootkit, the researchers said. "You can remove the hard drive, trash it, and even reinstall the operating system," Sacco said. "This will still reinstall the rootkit."
    ...
    BIOS attacks can be prevented by using the jumpers on many motherboards to block writing to the chips that store the system's instructions. In addition, some hardware security technologies, such as the Trusted Computing platform, could be used to check the integrity of the BIOS, preventing changes.

  33. Re:60%? Really? by adolf · · Score: 2, Insightful

    You're not missing any clues; it's just impossible.

    My Dell Inspiron 6000's last BIOS update (several years ago) came with some Computrace back-end stuff, with the aforementioned options for on, off, and disable. On and disable are both "permanent" options.

    Which is really interesting, if you follow the timeline: The feature wasn't there at all to begin with. And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.

    If I set it to "on" or "disable", it'll just flip a bit somewhere, and/or do some magic crypto, and flash that result into a region of BIOS.

    But, it's still all just flash. It can still be erased, and then it can be rewritten. The BIOS might not support doing this on its own (for reasons which might range from management to marketing), but that doesn't mean that it's something that cannot be accomplished with other tools.

  34. Re:60%? Really? by jimicus · · Score: 2, Insightful

    And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.

    If I set it to "on" or "disable", it'll just flip a bit somewhere, and/or do some magic crypto, and flash that result into a region of BIOS.

    Of course you could disable it. But that's not the point.

    There seems to be a prevalent view on /. that because a security system can be disabled, it always will be and is therefore pointless. But anyone who's got enough knowledge to know about the existence of this is probably not a junkie that steals laptops left alone for a minute on the train. And that's what the great majority of petty theft is.

  35. Mod parent up. This is very bad. by Animats · · Score: 3, Insightful

    This is a very bad thing. A "security" product should not allow downloading of software. This is even worse. It allows hidden downloading of software not visible to the user.

    Supposedly it's delivered "turned off"? But how do you know it's turned off at startup? How do you know it wasn't turned on during operating system loading, or wasn't turned on by any of the preloaded crap that the "major PC manufacturers" preload? How do you know there isn't some way to turn it on remotely?

    No computer with this software in ROM should be used for proprietary material, legal documents, medical records regulated by HIPAA, financial records regulated by the SEC, or anything else that might attract an opponent. If you just play WoW, go ahead.

  36. Re:60%? Really? by adolf · · Score: 2, Informative

    No, I don't think I can disable it. I can only issue an instruction to a computer which is described as disabling the function permanently, but that doesn't exactly mean anything important.

    Here's the scenario:

    I "disable" it, the appropriate bits are written into the flash ROM on the motherboard, and it appears to be disabled.

    Later, something else comes along, and writes different bits into the flash ROM. And then it's not disabled anymore.

    (And, whatever the case, the default is "off," which should at least forestall any white hat usage of the thing without user intervention. Emphasis on "should" and "white hat". It's Really Fucking Important to maintain a certain level of mistrust when it comes to considering such matters.)

    And, whatever the case: I don't think it even matters at that point. The thing still needs some software support in order to work, and the package which includes that software can fairly easily modify the BIOS to include whatever small bit of code the programmer decides should be there.

    There are well-documented, reliable, and easy methods for inserting your own code into BIOS to initialize a SCSI card, perform a network boot, or change the Energy Star logo, and there's no reason at all why these same methods cannot be used for purposes other than those I just listed -- including, of course, quietly inserting malicious backdoors.

  37. Re:60%? Really? by cachimaster · · Score: 2, Informative

    Please read the paper. The configuration is saved in NVRAM and there are many ways to reverse it. We even found a software-only way.

    Never say never.