BIOS Root Kit on 60% of New Laptops At Manufacture!

[stampeder]

This is really, really bad for anyone buying notebooks made by:

• HP
• Dell
• Lenovo
• Toshiba
• Gateway
• Asus
• Panasonic

It is a dangerous BIOS rootkit that can be hijacked and controlled:

Quote:

a malicious hacker can manipulate and control the call-home process. That’s because the technology uses a configuration method that contains the IP address, port and URL, all hard-coded in the Option-ROM. At first run, Sacco explained that the configuration method is copied in many places, including the registry and hard-disk inter-partition space.

The duo found that it’s trivial to search and modify the configuration, giving them the ability to point the the IP and URL to a malicious site, where un-authenticated payloads can be directed to laptop.

Because the rootkit is white-listed by anti-virus software, the malicious modifications will go unnoticed. On unsigned BIOSes, Sacco and Ortega aid modification of the configuration allows for a very persistent and dangerous form of rootkit.

http://blogs.zdnet.com/security/?p=3828

BIOS is OS-independent, but the security reports mention system registry entries and changes, so definitely it affects Windows. No word on Linux yet.

[BGY11]

I've looked in my HP Elitebook's BIOS and didn't see anything about LoJack (or CompuTrace in general) so I presume I'm fine.

Then again, my laptop uses EFI (instead of a traditional BIOS), so I don't know how secure that setup really is.

[stampeder]

I'm sensing another great "I'm a PC, I'm a Mac" commercial on the way

[GDX]

As near as I can tell, the BIOS feature is disabled by default (based on Computrace's description of the service on their website: this PDF has more info).

In order to get it activated, you need to have a) a supported laptop and b) purchase a subscription from Computrace. At that point, the BIOS phone-home feature would be activated. It sounds like it is theoretically possible for other software to activate the feature, but you need appropriate permissions (and if you have those, you could just install a standard trojan horse or rootkit).

It's unfortunate: the ZDNet article is pretty useless, and the actual presentation from BlackHat doesn't discuss anything in the way of mitigating factors. Although the authors do say that "more research is needed".

While it sounds like the implementation is flawed, it remains an interesting feature: I had no idea that Lojack could still work after a complete system reinstall (and flash of the system BIOS). There is apparently a Mac version available, but it doesn't have the BIOS/rootkit feature, so if you stole a Mac equipped with Lojack a full reinstall would cover your tracks.

[Rookie_One]

is it only the notebooks or all the laptops that are "victims" of this?

[BGY11]

Notebook, and Laptop are interchangeable terms - there is no difference between the two.

Granted, I'm almost certain it's only business laptops that have this feature (and not all of them). I haven't seen it on the HP consumer laptops I've dealt with, nor Dell.

[oilblue]

Main point is, the security researchers found shortcomings with the LoJack methodology that could allow malware authors to take advantage of the persistence and rootkit capabilities of the LoJack. Ouch. That's bad enough. Problem is bigger though given the prevalence of the Persistence Module...

So the LoJack is installed on most laptops in the BIOS (uh oh). And it's persistent by design (otherwise thieves could disable it, defeating its entire purpose). While the Persistence Module may well exist on most laptops, it's not necessarily active on many (phew). The question then becomes, how easily can rouge applications activate an otherwise dormant BIOS Persistence Module?

If the activation is easy enough to spoof, malware authors might well have a wide open door to a many, many laptops (see the list of partners).

Permissions sound like nothing beyond a web id and password. After activation, deactivation requires the "correct password" (presumably the web password). If activation was done without owner knowledge, that effectively locks out the owner from deactivating a rogue LoJack.

Quote:

Originally Posted by GDX

As near as I can tell, the BIOS feature is disabled by default (based on Computrace's description of the service on their website: this PDF has more info).

In order to get it activated, you need to have a) a supported laptop and b) purchase a subscription from Computrace. At that point, the BIOS phone-home feature would be activated. It sounds like it is theoretically possible for other software to activate the feature, but you need appropriate permissions (and if you have those, you could just install a standard trojan horse or rootkit).

Not entirely clear whether the Persistence Module is always dormant by default as the subscription could be included with the laptop (here's but one example). While activation may still be required, such a bundle removes the hurdle of extra money for a subscription.

BTW, this isn't necessarily restricted to business laptops. As the link shows, Dell included a subscription with CompleteCare on "select" Inspiron and XPS laptops. I suspect that even without CompleteCare, the option ROM with the Persistence Module is present (though dormant) on the select models.

In any case, this goes far beyond a "standard" trojan or rootkit as those can usually be eradicated with a clean OS install. Once activated, the Persistence Module survives even a hard drive swap. Maybe it's just me, but I think malware authors would find that enticing.

Could turn out that the only vulnerable laptops are those with the Persistence Module activated (Absolute Software would know how many laptops are in that state, as well as OEMs that bundled subscriptions). If the potential exists for rogue apps to activate the Persistence Module without user intervention (after writing new instructions to the option ROM), this is a massive hole.

As for Mac, well, it's apparently a supported OS. Whether it has the BIOS Persistence Module is another question. However, it's not entirely immune.

[Ashley_Absolute]

I work for Absolute Software. Our technical team reviewed the research paper and the claims that there’s a vulnerability in Computrace or Computrace LoJack for Laptops are without merit and systems are secure. Here's are some things that might address your concerns:

- The Computrace BIOS code alleged in the article to have this vulnerability is old code that was not officially released into a BIOS and, to Absolute’s knowledge, has never been active in the BIOS of any computer. (The link below goes into more detail about this.)

- The Computrace BIOS module does not allow a special undetected path into the operating system. It is not a rootkit.

- The module is shipped off by default. In order for the Computrace BIOS module to work, it is activated by the end-user customer, not the computer manufacturer, upon receipt of the computer and activation of Absolute Software’s products.

- If a malicious attacker were able to alter the BIOS code, any popular anti-virus software would alert the customer.

- The Computrace BIOS module currently on the market is not susceptible to the risks claimed in the article and therefore none of our customers are at risk for this specific type of attack.

Absolute has issued a statement to the public, refuting these claims and explaining their position

Thanks