BIOS "Rootkit" Preloaded In 60% of New Laptops

Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."

Are Sony Vaio's using this?

[motherpusbucket]

Sounds like it's right up Sony's alley.

Re:60%? Really?

[cachimaster]

I know it's hard to believe. When doing our research (I'm Alfredo, hi!) we couldn't find a notebook *without* the Computrace agent. It's bad.

Re:From Mogwai to Gremlin

[trevorrowe]

LoJack swiftly changes to HiJack with a good meal after midnight

There, fixed that for you. A splash of water would give you more laptops... if only ...

Re:60%? Really?

[_bug_]

Any way to tell if your laptop has this "feature"?

And is there any way to disable it?

Signature

[Spazmania]

The pair recommended a digital signature scheme to authenticate the call-home process.

How's that going to help? If you can replace the IP address then you can replace the certificate and signature too. If you have access to modify the BIOS flash, it's game over.

No,not sony for once, here is a list

[leuk_he]

From the Lojack compatibility list here is a list of company:

          ASUS, Dell Fujitsu, GammaTech, Gateway, GD Itronix, Getac, HP, Lenovo,,Motion, Panasonic, Toshiba

You can find a list of models on the "bios compatibility list"

Unsigned BIOS replacement is the problem

[ral]

Please tell me if I'm missing something, but isn't the real vulnerability that the BIOS can be modified with unsigned code? A BIOS that allows this can be infected with a rootkit regardless of whether the LoJack code was there.

Re:60%? Really?

[QuantumRiff]

Disable only works if the product was never activated. if the BIOS is set to active, AND the client software on the machine contacts the servers for Computrace, and verifies it should be licensed, then it "flips a switch" in that BIOS setting, and you can NEVER disable it again.

They need to write to the software, or else the software will always try to contact them, and then anyone could track any laptop with a supeana, ruining their business model.. Instead, it has to be "turned on".

Also, this software in the BIOS does not actually contact anyone directly. All the BIOS level crap does is forcibly try to re-install the agent software under windows. This could get ugly, if you update the BIOS, to try to force it to install a different program every time someone reloads windows...

Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated...

Something doesn't sound right, here.

[Khyber]

They have every DV/TC-model of HP Laptop listed - I used to specifically work on all DV/TC/NC/NX models, I've NEVER ONCE seen this in BIOS during any of my repairs. NEVER. Also, this software was never listed in part of HP's troubleshooting guides, and that usually means that feature is not there.

I rebooted my laptop (DV9000, full featured loaded with every possible thing offered) and this 'rootkit' in BIOS is nowhere to be found, at all. Not on my friend's DV2000. Not on the new TC4400 I have in my art room.