BIOS "Rootkit" Preloaded In 60% of New Laptops

Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."

Hmmm

P.C. Phone Home.

Are Sony Vaio's using this?

[motherpusbucket]

Sounds like it's right up Sony's alley.

Not a "rootkit" when I want it

Just like SPTD is not a rootkit when it hides my emulated dvd from copy protection software.

This is a popular piece of software that happens to have a potentially serious bug that the vendors and users should be demanding be fixed, but it doesn't make it a rootkit.

Re:It is time

[betterunixthanunix]

What if a bug is discovered in the boot code?

Re:It is time

[$RANDOMLUSER]

Busg happen. Consider the /. "write once" paradigm.

Re:60%? Really?

[cachimaster]

I know it's hard to believe. When doing our research (I'm Alfredo, hi!) we couldn't find a notebook *without* the Computrace agent. It's bad.

Re:From Mogwai to Gremlin

[trevorrowe]

LoJack swiftly changes to HiJack with a good meal after midnight

There, fixed that for you. A splash of water would give you more laptops... if only ...

Re:60%? Really?

[_bug_]

Any way to tell if your laptop has this "feature"?

And is there any way to disable it?

Re:Problem solved

[oahazmatt]

I use a Macbook.

As do I, but that does not mean that I have any delusions as it relates to security.

There are quite a bits of exploitable code available that, if properly engineered, can do quite a bit of damage to an Apple computer. Simply because there is no Mac version of the "Melissa" virus does not mean that as a Mac user I should assume that there will never be one.

And let's not forget the iLife torrent that had something special added to it. There are plenty of individuals attempting to prove to the general public that a Mac is no more secure than it's Windows counterpart, and it will be not a false sense of security, but a lack of personal responsibility that will assist in that.

Opinion, obviously. Results may vary.

Signature

[Spazmania]

The pair recommended a digital signature scheme to authenticate the call-home process.

How's that going to help? If you can replace the IP address then you can replace the certificate and signature too. If you have access to modify the BIOS flash, it's game over.

Re:It is time

[$RANDOMLUSER]

Woosh

No,not sony for once, here is a list

[leuk_he]

From the Lojack compatibility list here is a list of company:

          ASUS, Dell Fujitsu, GammaTech, Gateway, GD Itronix, Getac, HP, Lenovo,,Motion, Panasonic, Toshiba

You can find a list of models on the "bios compatibility list"

Unsigned BIOS replacement is the problem

[ral]

Please tell me if I'm missing something, but isn't the real vulnerability that the BIOS can be modified with unsigned code? A BIOS that allows this can be infected with a rootkit regardless of whether the LoJack code was there.

Re:60%? Really?

[somecreepyoldguy]

Go into the BIOS setup, you can choose to activate the feature if you paid for the license, or deactivate a previously activated agent. Choosing disable removes the feature completely. it can NEVER come back. TFA is hype. If it is never enabled in the bios NOTHING is installed on windows.

Re:60%? Really?

[QuantumRiff]

Disable only works if the product was never activated. if the BIOS is set to active, AND the client software on the machine contacts the servers for Computrace, and verifies it should be licensed, then it "flips a switch" in that BIOS setting, and you can NEVER disable it again.

They need to write to the software, or else the software will always try to contact them, and then anyone could track any laptop with a supeana, ruining their business model.. Instead, it has to be "turned on".

Also, this software in the BIOS does not actually contact anyone directly. All the BIOS level crap does is forcibly try to re-install the agent software under windows. This could get ugly, if you update the BIOS, to try to force it to install a different program every time someone reloads windows...

Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated...

FUD FOR THE WIN!

[BitZtream]

First off, the 'feature' comes on a lot of laptops. Doesn't mean its enabled. You have to request it to be enabled in order for it to come from factory with it actually turned on.

If you don't turn it on, it doesn't do anything, no phone home, no remote wipe, no tracking.

Guess what, same thing applies to Blackberrys, and iPhones, and cars with LoJack that have remote shutoff. For every feature there is a potential risk, thats the way the world works.

If you want the potential to remotely locate/track and wipe a laptop or PC, then you also get the potential that someone else can do it as well.

Something doesn't sound right, here.

[Khyber]

They have every DV/TC-model of HP Laptop listed - I used to specifically work on all DV/TC/NC/NX models, I've NEVER ONCE seen this in BIOS during any of my repairs. NEVER. Also, this software was never listed in part of HP's troubleshooting guides, and that usually means that feature is not there.

I rebooted my laptop (DV9000, full featured loaded with every possible thing offered) and this 'rootkit' in BIOS is nowhere to be found, at all. Not on my friend's DV2000. Not on the new TC4400 I have in my art room.

LoJack is now

[Phizzle]

LOLjack