Story 2015-05-26 9RJV Computrace backdoor exposes millions of PCs

Computrace backdoor exposes millions of PCs

by Anonymous Coward in security on (#9RJV)
Security researchers have discovered millions of PCs have Computrace software enabled. This software is enabled in the BIOS by default. It allows for a Windows PC to be taken over remotely. Computrace does not enforce encryption when it communicates and it does not verify the identity of the remote server from which it receives commands. Most users are not even aware that this software is installed and enabled in their BIOS.

Nearly every PC has an anti-theft product called Computrace embedded in its BIOS PCI Optional ROM or its unified extensible firmware interface (UEFI). Computrace (aka. Lojack for Laptops) is a legitimate, trusted application developed by Absolute Software. However, it often runs without user-consent, persistently activates itself at system boot, and can be exploited to perform various attacks and to take complete control of an affected machine.

Windows only? (Score: 1, Informative)

by Anonymous Coward on 2015-05-26 13:37 (#9SBJ)

Back when I used to manage Windows laptops (mostly IBM/Lenovo), it seemed that:

(1) the Computrace thing was only capable of "hacking" your Windows install; wipe and install, say Ubuntu, and Computrace can't do anything.

(2) the BIOS usually offered three settings, forgive me that I'm fuzzy on the exact same wording, Inactive (meaning it hacks you and phones home but pretends it doesn't), Enabled (hacks you, phones home, if you've paid you can track it), Disabled (doesn't hack you, but doesn't un-hack you if you already are). The last two are permanent choices, once you pick either of those you can never undo it. Flashing the BIOS has no effect.

Anybody know if these are still true?

Re: Windows only? (Score: 0)

by Anonymous Coward on 2015-05-26 13:45 (#9SBK)

Good question. How could we check it... if we don't know how this module works?

Re: Windows only? (Score: 2, Informative)

by evilviper@pipedot.org on 2015-05-26 21:35 (#9TBT)

It's public info how this thing works. They're trying to sell it to IT departments, so lots of info is right on their site.

It is based on a Windows application, and needs a FAT or NTFS file system on the hard drive to infect it, so non-Windows users are pretty safe.

Re: Windows only? (Score: 1)

by tanuki64@pipedot.org on 2015-05-26 22:51 (#9TFR)

It is based on a Windows application, and needs a FAT or NTFS file system on the hard drive to infect it, so non-Windows users are pretty safe.
All modern UEFI machines nowadays have at least one FAT file system. So, let's hope this is not enough and a Windows install really is necessary.

Re: Windows only? (Score: 1)

by evilviper@pipedot.org on 2015-05-27 02:15 (#9TQH)

There's no need to "hope". All the firmware/BIOS does is drop an EXE and DLL on the file system. Maybe if WINE gets better, Linux users will be lucky enough to get infected, too.
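The mechanism discussed in this sub-thread (firmware drops an EXE and DLL onto a FAT/NTFS volume, after which a Windows service runs the agent) suggests a simple host check a defender can run. The following is an added example, not code from the thread or from Absolute Software; the agent file and service names (rpcnetp.exe, rpcnet.exe, rpcnetp.dll, service rpcnet) are taken from public vendor and analyst documentation and should be verified against current sources, and the sample inventory is constructed.

```python
import os
import subprocess

# Computrace agent artifacts as documented publicly (Absolute Software / analyst
# write-ups). Assumption: these names are current; verify against vendor docs.
AGENT_FILES = {"rpcnetp.exe", "rpcnet.exe", "rpcnetp.dll"}
AGENT_SERVICES = {"rpcnet", "rpcnetp"}

# Constructed sample inventory standing in for a real host (not captured data).
SAMPLE_SYSTEM32 = ["ntoskrnl.exe", "autochk.exe", "RpcNetp.exe", "kernel32.dll"]
SAMPLE_SERVICES = ["Dhcp", "rpcnet", "WinDefend"]


def find_computrace_indicators(system32_files, service_names):
    """Return sorted, de-duplicated indicator tags for any Computrace agent
    files or services present in the given inventories (case-insensitive)."""
    hits = set()
    for name in system32_files:
        if name.lower() in AGENT_FILES:
            hits.add("file:" + name.lower())
    for svc in service_names:
        if svc.lower() in AGENT_SERVICES:
            hits.add("service:" + svc.lower())
    return sorted(hits)


def inventory_live_windows(system32=r"C:\Windows\System32"):
    """Collect the System32 file list and installed service names on a live
    Windows host via os.listdir and `sc query`; returns empty lists elsewhere."""
    if os.name != "nt":
        return [], []
    files = os.listdir(system32)
    out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                         capture_output=True, text=True, check=False).stdout
    services = [line.split(":", 1)[1].strip()
                for line in out.splitlines() if line.startswith("SERVICE_NAME:")]
    return files, services


if __name__ == "__main__":
    files, services = inventory_live_windows()
    if not files:  # not on Windows: fall back to the constructed sample
        files, services = SAMPLE_SYSTEM32, SAMPLE_SERVICES
    hits = find_computrace_indicators(files, services)
    for line in hits or ["no Computrace agent indicators found"]:
        print(line)
```

A clean result only means the agent is not currently dropped on this OS install; the firmware module itself is not visible to this check.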

New heights in hyperbole (Score: 2, Insightful)

by fnj@pipedot.org on 2015-05-26 13:56 (#9SCT)

"Nearly every PC" has this crap? Come on now. First of all, it sounds like it's almost entirely restricted to laptops. Certainly my laptops don't have it, and it's for damn sure none of my many desktops and servers do.

Re: New heights in hyperbole (Score: 2, Informative)

by gravis@pipedot.org on 2015-05-26 18:07 (#9SZF)

unless you looked at the firmware for each laptop you can't be sure. a lot of big vendors put it on their boards* and some vendors just remove the options from the "BIOS Setup Utility" but it's still there.
* https://securelist.com/analysis/publications/58278/absolute-computrace-revisited/#5-scale-of-potential-problem

Re: New heights in hyperbole (Score: 2, Interesting)

by billshooterofbul@pipedot.org on 2015-05-26 18:59 (#9T2F)

There needs to be a moderation option for "syntax Error"

Re: New heights in hyperbole (Score: 1)

by gravis@pipedot.org on 2015-05-27 15:15 (#9W09)

i reported the bug the other day. see: http://bugs.pipedot.org/view.php?id=51

Re: New heights in hyperbole (Score: 1)

by bryan@pipedot.org on 2015-05-27 20:11 (#9WJT)

Re: New heights in hyperbole (Score: 1)

by bryan@pipedot.org on 2015-05-27 20:23 (#9WKF)

Err, interesting, I was kinda expecting that link to get mangled as well since it contained a fragment. Seems it only happens when the word boundary is preceded by a slash, or similar character.

Re: New heights in hyperbole (Score: 1)

by evilviper@pipedot.org on 2015-05-28 03:48 (#9X6X)

FWIW, I think we could do without the regex entirely. A clever idea, but only extremely rarely does it come in handy. Even linking to stories and comments, people usually want link/alt text. And the false positives are significant. Probably lots of people wasting time wondering why would someone irretrievably link a serial number: Serial #87654321 etc.

Re: New heights in hyperbole (Score: 2, Insightful)

by evilviper@pipedot.org on 2015-05-26 21:33 (#9TBS)

If you buy from one of the 6 biggest manufacturers, you almost certainly have it, even if you don't know it.

Re: New heights in hyperbole (Score: 1)

by hyper@pipedot.org on 2015-05-26 22:29 (#9TEF)

Thanks, just checked. My laptop has it, and yes it was enabled. Good to know it is there.

Related (Score: 1, Informative)

by Anonymous Coward on 2015-06-11 07:47 (#AY0C)