Absolute Software downplays BIOS rootkit claims


Summary: Following a flood of calls from customers, the company behind the LoJack anti-theft service, which researchers from Core Security Technologies recently portrayed as a security threat, has issued a statement downplaying the researchers' claims. According to the statement, LoJack is neither a rootkit, nor does it behave like one.


Following a flood of calls from customers, the company behind the LoJack anti-theft service, which researchers from Core Security Technologies recently portrayed as a security threat, has issued a statement downplaying the researchers' claims.

According to the statement, LoJack is neither a rootkit, nor does it behave like one. Moreover, the company insists that the product is not forced upon any user, and that even if someone attempts to use it as an infection vector for BIOS-persistent malware, traditional antivirus software will detect the attempt.

More from the press release:

Our BIOS module allows no special undetected path into the operating system. Uncontrolled access to a computer system may allow some BIOS images to be tampered with by an expert. Attempting to alter the Computrace BIOS module for malicious purposes will not defeat conventional detection as claimed by the authors. Any alteration to the BIOS module will cause any popular antivirus software to alert the customer.

More importantly, if the BIOS of a computer has been compromised by an attacker, that machine is exposed to innumerable other vulnerabilities far beyond the scope of the Computrace BIOS module. The presence of the Computrace module in the BIOS in no way weakens the security of the BIOS.

To a certain extent, every anti-theft service operates like malware: you wouldn't want the thief to be able to simply uninstall it while offline and then conveniently connect online without worrying that the victim will be able to trace him. And even though it is very likely that current LoJack customers are already infected with malware that never took advantage of LoJack, since it doesn't need to, what the researchers really expose is an anti-theft service that is trivial to deactivate and take control of maliciously, for two reasons: a flawed update mechanism and a lack of advanced self-protection mechanisms.

Moreover, the company states that "Computrace is designed to be activated, deactivated, controlled and managed by the customer using encrypted channels." Long gone are the days when a plain HTTP update mechanism that relies on domain names, lacks digital signatures, and protects its configuration block with nothing more than 8-bit XOR obfuscation could be described as "encrypted channels". Going through the research presented by Alfredo Ortega and Anibal Sacco, the "encrypted channels" suddenly disappear:

Unpacked, the configuration block is easily modifiable. By simply changing the URL or IP, we can redirect the agent queries to our site. This is very easy to accomplish in the registry, but we don't have persistence for merely modifying the registry. To modify the configuration of the persistent agent we need to modify and reflash the BIOS. This is possible in many systems at the date of publication for this article, as unsigned BIOS are common.
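The two weaknesses the article calls out, an XOR-obfuscated configuration block and an update path with no digital signature, are easy to show side by side. The following Python is an added illustration written for this page, not code from Absolute Software or from the Core Security researchers; the configuration layout (a 2-byte length prefix followed by the call-home URL), the XOR key, the HMAC key and the URLs are all constructed for the demonstration and bear no relation to the real agent's format. The "weak" loader de-obfuscates and trusts whatever it finds, so any blob built with the same key is accepted; the "hardened" loader verifies an integrity tag first and refuses a block whose URL has been changed. HMAC is used only to keep the example dependency-free; a shipping product would use an asymmetric signature so that no signing secret has to live on the device.

```python
import hashlib
import hmac
import struct

# Constructed values for this demonstration only; nothing here comes from the
# real Computrace/LoJack agent, whose format the article does not give.
XOR_KEY = 0xB5                        # single-byte obfuscation key (assumption)
MAC_KEY = b"constructed-demo-secret"  # shared integrity key (assumption)
TAG_LEN = hashlib.sha256().digest_size


def build_config(url: str) -> bytes:
    """Constructed layout: 2-byte big-endian length prefix + call-home URL."""
    body = url.encode("utf-8")
    return struct.pack(">H", len(body)) + body


def parse_config(config: bytes) -> str:
    """Inverse of build_config; returns the call-home URL."""
    (length,) = struct.unpack(">H", config[:2])
    return config[2:2 + length].decode("utf-8")


def xor_obfuscate(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR 'protection'. Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> int:
    """Single-byte XOR leaks its key to anyone who knows one plaintext byte.
    The high byte of the length prefix is 0x00 for any URL shorter than 256
    bytes, so the first obfuscated byte is the key itself."""
    return blob[0] ^ 0x00


def load_unauthenticated(blob: bytes) -> str:
    """The weak design: de-obfuscate and trust whatever comes out.
    Any blob produced with the same XOR key is accepted without complaint."""
    return parse_config(xor_obfuscate(blob))


def seal(config: bytes) -> bytes:
    """Hardened variant: append an HMAC-SHA256 tag over the whole config."""
    return config + hmac.new(MAC_KEY, config, hashlib.sha256).digest()


def load_authenticated(blob: bytes) -> str:
    """Verify the tag in constant time before parsing; reject on mismatch."""
    config, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, config, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("configuration integrity check failed")
    return parse_config(config)


def is_rejected(blob: bytes) -> bool:
    """True when the authenticated loader refuses the block."""
    try:
        load_authenticated(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    legit = "http://agent.example/checkin"   # constructed URL
    forged = "http://rogue.example/checkin"  # constructed URL
    blob = xor_obfuscate(build_config(legit))
    print("key recovered from obfuscated blob:", hex(recover_xor_key(blob)))
    print("unauthenticated loader accepts:",
          load_unauthenticated(xor_obfuscate(build_config(forged))))
    sealed = seal(build_config(legit))
    print("authenticated loader:", load_authenticated(sealed))
    # Same tag, different URL: the hardened loader refuses it.
    print("tampered config rejected:",
          is_rejected(build_config(forged) + sealed[-TAG_LEN:]))
```

The point of the comparison is that obfuscation addresses neither confidentiality (the key falls out of a single known byte) nor integrity; only the authenticated loader turns "someone rewrote the URL" into a detectable failure, which is what "encrypted channels" ought to mean.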

For years, malware authors have been conducting network reconnaissance in an attempt to automatically prevent infected users from reaching the hard-coded update locations of antivirus software. Conficker is the most recent example of this fairly simple but highly effective approach.
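The article does not say by which mechanism infected machines are kept away from update servers, and Conficker is known to have used more than one; the simplest and most visible one is a hosts-file entry that pins an update hostname to the local machine or to an address the vendor does not control. The following Python is an added detection example written for this page, not code from the article or from any vendor; the watch-list domains and the hosts-file content are constructed placeholders, and the same check can be pointed at a real hosts file or at any vendor's published list of update hosts.

```python
import ipaddress

# Constructed watch-list: hostnames a defender expects security tooling to
# reach (update servers, signature CDNs). Real deployments would load the
# vendor's published list; these names are placeholders.
WATCHED_DOMAINS = {
    "update.av-vendor.example",
    "definitions.av-vendor.example",
    "cdn.security-tool.example",
}

# Constructed hosts-file content: two normal entries, two that sinkhole an
# update host to the local machine, one that redirects to a foreign address.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# added by installer
127.0.0.1       update.av-vendor.example          # blocked
0.0.0.0         definitions.av-vendor.example
198.51.100.7    cdn.security-tool.example www.cdn.security-tool.example
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and
    blank lines. One line may name several hosts for a single address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; not a valid hosts entry
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_watched(name: str) -> bool:
    """True for a watched domain or any subdomain of one."""
    return name in WATCHED_DOMAINS or any(
        name.endswith("." + d) for d in WATCHED_DOMAINS
    )


def classify(ip: str) -> str:
    """Loopback or unspecified addresses mean the lookup is blocked outright;
    anything else means it is redirected to a host the vendor does not control."""
    addr = ipaddress.ip_address(ip)
    return "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_hijacked(text: str) -> list[tuple[str, str, str]]:
    """Return (hostname, ip, verdict) for every watched name pinned in the file.
    A legitimate hosts file has no reason to pin a vendor's update host at all,
    so every match is a finding; the verdict separates blocking from redirection."""
    return [
        (name, ip, classify(ip))
        for ip, name in parse_hosts(text)
        if is_watched(name)
    ]


if __name__ == "__main__":
    for name, ip, verdict in find_hijacked(SAMPLE_HOSTS):
        print(f"{verdict:10s} {name} -> {ip}")
```

Run against a real system the function takes the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; the hosts file is only one place such tampering can live (DNS settings, API hooks and local proxies are others), so a clean result here rules out just this mechanism.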

Should LoJack customers worry? Common sense in the current threatscape positions the practice of hijacking the service for malware-serving purposes as a highly exotic one. But yes, the flaw is there. What customers of the service should really be concerned with is the ease with which a potential thief can block it from phoning home with the machine's location.

Topics: Malware, Hardware, Security, Software

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

12 comments
  • Denies any wrongdoing, surprise there ...

    Not likely they would come out and just admit that their software is a giant bleeding hole, would they?

    Every HP and Dell our company owns is on that list, and it's making our top management VERY UNHAPPY. And the fact that there seems to be no way to fix the problem without a BIOS update AND a reinstall has them FURIOUS.

    I'd say Absolute's days are numbered.
    terry flores
  • RE: Absolute Software downplays BIOS rootkit claims

    Would it be too difficult to proof-read your article and use spell/context check before publishing? Auto-complete is not a substitute for poor editing. Just a thought.

    "which researchers from Core Security Technologies recently portrait as a security threat"

    "Moreover, the company insists that the product is forced upon any user"

    "To a certain extend,"

    "malware that didn't took advantage of LoJack"

    "have been conducing network reconnaissance"

    5red
    • Re spelling & proof reading

      The inability to write decent English makes reading an article an effort as the reader has to attempt to figure out what the author means. Re the article in question, I wonder whether English is the author's first language. If so, then there's no excuse. If not, he should get someone whose first language is English to proof read the article before publishing it. I agree with 5red's comments in this respect.
      JohnOfStony
  • RE: Absolute Software downplays BIOS rootkit claims

    Really I agree, please proof-read. The lack of professionalism is staggering. On another note, if they do not recover the machines at least you get up to $1000 for your trouble, which is if it's going to be stolen anyway. You should use another solution such as encryption software to accompany the Absolute software.
    nfigs
    • $1,000 Guarantee a fraud - read the fine print

      You may want to read the fine print on that $1,000 guarantee. It is void if the device never connects to the company's server, or if they FEEL that you were negligent in protecting your laptop...such as leaving it in your car visible to a thief.
      ericthedestroyer
  • Shades of Sony !!!

    Isn't this what Sony said shortly before THEIR "non-root kit" root kit bombed?

    I would think that Dell and HP would help their customers (corporate or otherwise) by providing a patch to remove this "feature".
    Maybe their corporate legal bagels (not a typo) will warn them about potential liabilities if they don't.
    kd5auq
  • RE: Absolute Software downplays BIOS rootkit claims

    This story is so silly it is amazing and a perfect case of people will believe anything they read on the internet.

    1) Computrace is a service you must buy and install. It is not forced on anyone.

    2) Contrary to what you might read, it is not loaded into the BIOS of all these machines. What is there is a module to ensure legitimate computrace users have a persistent service. If there is no Computrace license installed, the module does nothing.

    3) If you actually read through the slides and whitepaper presented, it is pretty clear that this was funded by a competitor of Absolute looking to discredit the company.
    semper_fi_66
    • And where exactly is this module again?

      "What is there is a module to ensure legitimate computrace users have a persistent service."

      If it survives a hard drive wipe, then it's in the BIOS, no other place for it to hide.

      "If there is no Computrace license installed, the module does nothing."

      Microsoft and other vendors say the same thing, but all software is hackable. The article details an attack that allows a malicious use of the code not intended by the software supplier. No biggie on that, but the fact that this software is pre-installed without knowledge or consent of the user raises the bar, and the supplier has a high level of responsibility to AT LEAST deploy code that is most resistant to outside hacking. If they can't do that, then they have NO BUSINESS pre-installing it and exposing users to needless and incurable vulnerabilities.

      terry flores
  • Well, what do you expect?

    That is probably the only way they can survive on a stolen PC. That is the first thing I would do, nuke and pave the hard drive.
    mikifinaz1
  • RE: Absolute Software downplays BIOS rootkit claims

    Core has released all the resources, including tools and a sample of the *unencrypted* traffic here:

    http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=view&type=publication&name=Deactivate_the_Rootkit

    Downplay this Absolute.
    mongomongo
  • RE: Absolute Software downplays BIOS rootkit claims

    Great!!! Thanks for sharing this information with us!
    birumut
  • Use of Computrace may be in violation with Norwegian law

    I've just blogged about Computrace myself;
    http://securitynirvana.blogspot.no/2012/09/spying-on-ex-employees-others-using.html

    It seems as if the BIOS persistent agent may be in violation with Norwegian law once it is activated (permanently) in BIOS.
    thorsheim