Slashdot Mirror


Out-Of-the-Box Exploitation Possible On PCs From Top 5 OEMs (arstechnica.com)

According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks. Dan Goodin reports for Ars Technica: The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to use transport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware. Duo Security adds: Hacking in practice means taking the path of least resistance, and OEM software is often a weak link in the chain. All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can't protect you when an OEM vendor cripples them with pre-installed software.

9 of 81 comments

  1. OEM Rescue Kit by Anonymous Coward · · Score: 5, Interesting
  2. Re:Hmm.... by geekmux · · Score: 2

    You'd have to be a moron to buy anything from Dell or Lenovo by choice, after the root certificate crap they both pulled.

    Well, at least you described the average computer user accurately, who still believes a "root" problem is caused by dandelions growing in their yard.

    This would also imply that the average computer user knows or cares about computer security. They care about price when buying a computer, not security, hence the reason they go to the vendor with the most subsidized OEM crapware on the machine.

  3. It shouldn't be allowed by wonkey_monkey · · Score: 2

    The updaters frequently expose their programming interfaces

    The dirty beggars.

    --
    systemd is Roko's Basilisk.

  4. Re:Hmm.... by mlts · · Score: 2

    This has been a best practice for decades. It doesn't matter what the platform is, be it a Dell that was on special from Amazon, a Mac, an Oracle box, or a POWER8 that will be used for LPARs... it gets completely flattened and installed from scratch. Even my smartphones and tablets get erased and reflashed from scratch.

    The Dell cheapie I bought, I just bought OEM Windows install media, stuffed a SSD in there, and it works fine. With most drivers being from Windows or OEM stuff, there is no Dell specific upgrade utility on the system. I don't see why I should bother installing a vendor application, unless there is some specific functionality. For example, there was a year or two where HP had motherboard NICs from nVidia with hardware firewalling built in, which came in handy to block bad sites in hardware before they could even touch the OS, as well as protect the Web browser.

  5. Re: Hmm.... by Rosyna · · Score: 4, Interesting

    A clean install may not work. There is a hook in Windows 8 and later that allows OEM firmware to supply a list of software to install after a clean install.

    The feature was originally designed so Windows could automatically install necessary OEM-specific drivers without requiring a custom installer be used. Sadly, OEMs have used it to install vulnerable crapware.

    You just can't win against crapware.
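The firmware hook described in this comment is the ACPI Windows Platform Binary Table (WPBT). The script below is an added example, not code from the thread: it reports whether this machine's firmware supplies such a table, what it would launch, and whether the documented opt-out registry value is set. It assumes an elevated PowerShell session on Windows 8 or later and the WPBT layout from Microsoft's specification.

```powershell
# Added example: audit a machine for a firmware-supplied WPBT binary.
Add-Type -Namespace Fw -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(
    uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-WpbtReport {
    $provider = 0x41435049                                        # 'ACPI'
    $tableId  = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)

    # A call with an empty buffer returns the table size, or 0 if no WPBT exists.
    $size = [Fw.Native]::GetSystemFirmwareTable($provider, $tableId, $null, 0)
    $report = [ordered]@{ Present = ($size -gt 0); ContentType = $null
                          CommandLine = $null; ExecutionDisabled = $false }

    # WPBT layout: 36-byte ACPI header, handoff size (4), handoff location (8),
    # content layout (1), content type (1). For content type 1 (native user-mode
    # application) a command-line length in bytes (2) and a UTF-16 string follow.
    if ($size -ge 50) {
        $buf = New-Object byte[] $size
        [void][Fw.Native]::GetSystemFirmwareTable($provider, $tableId, $buf, $size)
        $report.ContentType = $buf[49]
        if ($buf[49] -eq 1 -and $size -ge 52) {
            $len = [BitConverter]::ToUInt16($buf, 50)
            if ($len -gt 0 -and (52 + $len) -le $size) {
                $report.CommandLine = [Text.Encoding]::Unicode.GetString($buf, 52, $len).TrimEnd([char]0)
            }
        }
    }

    # Documented opt-out (later Windows 10 builds): when this DWORD is 1,
    # Session Manager skips executing the firmware-supplied binary.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name DisableWpbtExecution `
            -ErrorAction SilentlyContinue).DisableWpbtExecution
    $report.ExecutionDisabled = ($val -eq 1)
    [pscustomobject]$report
}

Get-WpbtReport | Format-List
```

A result of Present = True with ExecutionDisabled = False means a clean Windows install on this hardware will still run whatever the firmware hands it.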

  6. Re:Is Linux really any better? by macs4all · · Score: 2

    Now I think I'll just get a Mac. It's not my first choice, but thanks to how the major Linux distros have ruined themselves I have no choice.

    Come on in, the water's fine!

    Seriously, like many others, once you start digging into OS X, you will find that it is the "Linux" you always dreamed of. "Linux" in quotes, because OS X is actually a Certified Unix.

    And you will also find out that, despite the shrill language of the Apple-Haters around here (the vast majority of whom have never even TOUCHED an OS X Mac), there is QUITE the serious OS going on under the hood.

  7. Re:Sensationalized news by omnichad · · Score: 4, Informative

    A) hack into the Internet back-end routers; or B) physically colocate on your private network

    Or just compromised DNS on your router. There are an awful lot of vulnerable router firmwares out there still in common use.

    Such an attack would need to connect to the local wifi, spoof ARP packets of the router at your particular device, spoof ARP packets of your device at the router, and interpose itself.

    You give coffee shops too much credit. Log into router after getting on free wifi, because the username and password are still set to the factory default. Change default DNS servers handed out on DHCP to your external host. No need to spoof anything.

    For that matter, if the coffee shop has a lower-power AP, you can just bring in a discreet high-powered AP and use the same SSID. Laptops will just connect to the highest powered signal with the same SSID. Instant MITM.

  8. Re:Is Linux really any better? by mlts · · Score: 2

    I have fallen into the same hole as the grandparent. I'm not happy with the desktops on the major Linux distros, I could hack my own or use an off-brand distro, but then there is the issue of updates, and just spending time fiddling with it, when I have many other things to do. So, I went the OS X route because it is usable out of the box. Plus, I'm not liking the route MS is going with Windows, where they can do an update/forced restart anytime. That and the telemetry privacy concerns.

    All in all, I get about 95% of what I like with Linux on OS X. Ansible, borg, xz, and other utilities install with little issue with brew, and with proper ACL setting, /usr/local can be kept owned as root, while letting an admin user do updates. XCode isn't bad, as I've had to write Objective C code to watch the thermal and memory pressure of a machine, and have it throttle an app before either got out of hand. OS X Server's git server is decent, and eventually I may just buy a Mac Mini for running an LDAP server and VPN server, although I have no clue if it can support 2FA, which is a must. Plus, since Mac Minis support ESXi, I can use it for another compute node if I need.

  9. Re:Is Linux really any better? by macs4all · · Score: 2

    Been there, done that. That includes owning Macs and working with real Unix. If you are a power user, you will just find Macs annoying. If you are a serious old school Unix user, you will find its certification laughable.

    Although the real problem with MacOS is not MacOS itself. It's the hardware. You get stuck with strange novelty form factors targeted to n00bs. They don't even have a proper workstation model any more.

    That's funny. I have been seeing more and more "power users" and "real Unix" users that are generally quite happy with their Macs and OS X.

    As for a "proper workstation", that definition is going by the wayside more and more with each passing year. If you really want to have a "tinkerer's box", then I suggest you build yourself a nice Hackintosh. Recommended hardware lists and help forums abound.

    Why do you think that Apple turns a blind eye to the Hackintosh Community? Do you really think they couldn't REALLY lock OS X to "genuine Apple Hardware?" Of COURSE they could. But they don't (and no, their little token "Do Not Copy OS X" file is obviously not the best they could do). Why?

    Because it probably only loses them a few thousand unit sales per year, and that is far more palatable to Apple than having to spec, design and spin-up a whole other product class that would only sell a few million units per year. Peanuts to a company the size of Apple.

    I can assure you, that if Apple saw the sales of Macs drop, and a simultaneous rise in the number of Hackintoshes, they would likely create a "slot-monster" box again.