Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 31st, 2009

Insecure BIOS ‘Rootkit’ Found Pre-loaded In Major Manufacturers Laptops

A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.

The service — called Computrace LoJack for Laptops — contains design vulnerabilities and a lack of strong authentication that can lead to “a complete and persistent compromise of an affected system,” according to Black Hat conference presentation by researchers Alfredo Ortega and Anibal Sacco from Core Security Technologies.

Computrace LoJack for Laptops, which is is pre-installed on about 60 percent of all new laptops, is a software agent that lives in the BIOS and periodically calls home to a central authority for instructions in case a laptop is stolen. The call-home mechanism allows the central authority to instruct the BIOS agent to wipe all information as a security measure, or to track the whereabouts of the system.

For it to be an effective theft-recover service, Ortega and Sacco explained that it has to be stealthy, must have complete control of the system and must be highly-persistent to survive a hard disk wipe or operating system reinstall.

“This is a rootkit. It might be legitimate rootkit, but it’s a dangerous rootkit,” Sacco declared. The research team stumbled upon the rootkit-like technology in the course of their work on BIOS-based malware attacks. At last year’s CanSecWest security conference, the duo demonstrate methods for infecting the BIOS with persistent code that survive reboots and reflashing attempts.

The biggest problem, Ortega explained, is that a malicious hacker can manipulate and control the call-home process. That’s because the technology uses a configuration method that contains the IP address, port and URL, all hard-coded in the Option-ROM. At first run, Sacco explained that the configuration method is copied in many places, including the registry and hard-disk inter-partition space.

The duo found that it’s trivial to search and modify the configuration, giving them the ability to point the the IP and URL to a malicious site, where un-authenticated payloads can be directed to laptop.

Because the rootkit is white-listed by anti-virus software, the malicious modifications will go unnoticed. On unsigned BIOSes, Sacco and Ortega aid modifi cation of the confi guration allows for a very persistent and dangerous form of rootkit.

The pair recommended a digital signature scheme to authenticate the call-home process.

With the help of the U.S. Computer Emergency Response Team (US-CERT) and one major laptop manufacturer, Core Security has reported the problems to Absolute Corp., the company that makes the Computrace software.

Credit: Security Blogs

Update (Aug. 2): According to a representative of Absolute Software, the claims made by Alfredo Ortega and Anibal Sacco of Core Security at the BlackHat Security conference are without merit:

• The Computrace BIOS module does not allow a special undetected path into the operating system. It is not a rootkit.
• In order for the Computrace BIOS module to work, it is activated by the end-user customer, not the computer manufacturer, upon receipt of the computer and activation of Absolute Software’s products.
• The Computrace BIOS code alleged in the article to have this vulnerability is old code that was not officially released and, to Absolute’s knowledge, has never be active in the BIOS of any computer.
• If a malicious attacker were able to alter the BIOS code, any popular anti-virus software would alert the customer.
• The Computrace BIOS module currently on the market is not susceptible to the risks claimed in the article and therefore none of our customers are at risk for this specific type of attack.

Absolute has issued a statement to the public, refuting these claims and explaining their position at length:

Share this item with others:

More on CyberInsecure:
  • New BIOS Attack Might Allow Malware Survive Hard-disk Format And BIOS Reflashing
  • Bank of Ireland Lost Laptops Affect 10000 customers
  • Computer Worm Infects International Space Station Laptops
  • HP Instant Support ActiveX Control Multiple Vulnerabilities
  • Olympus Dsitributed Cameras With Malware-Infected Cards In Japan

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Insecure BIOS ‘Rootkit’ Found Pre-loaded In Major Manufacturers Laptops

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.