Researchers find insecure BIOS 'rootkit' pre-loaded in laptops

LAS VEGAS -- A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.

The service -- called Computrace LoJack for Laptops -- contains design vulnerabilities and a lack of strong authentication that can lead to "a complete and persistent compromise of an affected system," according to a Black Hat conference presentation by researchers Alfredo Ortega and Anibal Sacco from Core Security Technologies.

Computrace LoJack for Laptops, which is pre-installed on about 60 percent of all new laptops, is a software agent that lives in the BIOS and periodically calls home to a central authority for instructions in case a laptop is stolen. The call-home mechanism allows the central authority to instruct the BIOS agent to wipe all information as a security measure, or to track the whereabouts of the system.

For it to be an effective theft-recovery service, Ortega and Sacco explained, it has to be stealthy, must have complete control of the system and must be highly persistent to survive a hard disk wipe or operating system reinstall.

"This is a rootkit. It might be a legitimate rootkit, but it's a dangerous rootkit," Sacco declared. The research team stumbled upon the rootkit-like technology in the course of their work on BIOS-based malware attacks. At last year's CanSecWest security conference, the duo demonstrated methods for infecting the BIOS with persistent code that survives reboots and reflashing attempts.

[ SEE: Researchers demo BIOS attack that survives hard-disk wipe ]

The biggest problem, Ortega explained, is that a malicious hacker can manipulate and control the call-home process. That's because the technology uses a configuration method that contains the IP address, port and URL, all hard-coded in the Option-ROM. At first run, Sacco explained, the configuration method is copied to many places, including the registry and the hard-disk inter-partition space.

The duo found that it's trivial to search for and modify the configuration, giving them the ability to point the IP and URL at a malicious site, from which unauthenticated payloads can be directed to the laptop.

Because the rootkit is white-listed by anti-virus software, the malicious modifications will go unnoticed. On unsigned BIOSes, Sacco and Ortega said, modification of the configuration allows for a very persistent and dangerous form of rootkit.

The pair recommended a digital signature scheme to authenticate the call-home process.
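As an added illustration of the fix the researchers recommend (example code written for this page, not Absolute's agent or the researchers' code), the Go program below has the vendor sign the call-home configuration with an Ed25519 key and has the agent refuse any stored copy whose signature does not verify, so an in-place edit of the IP, port or URL is rejected instead of acted on. The wire layout, function names and sample addresses are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Config holds the call-home values the article says are hard-coded in the
// Option ROM; the wire layout (ip\x00port\x00url) is this example's own.
type Config struct{ IP, Port, URL string }

// Encode produces the bytes that get signed.
func Encode(c Config) []byte {
	return []byte(strings.Join([]string{c.IP, c.Port, c.URL}, "\x00"))
}

// Decode parses a body. Using it alone on a stored copy is the weak, unauthenticated design.
func Decode(b []byte) (Config, error) {
	p := strings.SplitN(string(b), "\x00", 3)
	if len(p) != 3 {
		return Config{}, errors.New("malformed config body")
	}
	return Config{p[0], p[1], p[2]}, nil
}

// SignConfig is the vendor-side step: blob = Ed25519 signature || body.
func SignConfig(priv ed25519.PrivateKey, c Config) []byte {
	return append(ed25519.Sign(priv, Encode(c)), Encode(c)...)
}

// LoadConfig is the recommended fix: refuse to call home unless the vendor signature verifies.
func LoadConfig(pub ed25519.PublicKey, blob []byte) (Config, error) {
	if len(blob) < ed25519.SignatureSize {
		return Config{}, errors.New("config blob too short")
	}
	sig, body := blob[:ed25519.SignatureSize], blob[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return Config{}, errors.New("signature invalid: refusing to call home")
	}
	return Decode(body)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	blob := SignConfig(priv, Config{"192.0.2.10", "443", "/agent"})
	fmt.Println(LoadConfig(pub, blob))
}
```

The private key never leaves the vendor; the agent in firmware needs only the 32-byte public key, so copies of the blob in the registry or inter-partition space can be edited but not re-signed.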

With the help of the U.S. Computer Emergency Response Team (US-CERT) and one major laptop manufacturer, Core Security has reported the problems to Absolute Corp., the company that makes the Computrace software.

Topics: Laptops, Hardware, Malware, Security

Talkback

158 comments
  • The BIOS is really deep!

    You'll never get this virus out. Nobody will let you into the BIOS!
    BALTHOR
    • BIOS access

      So the Linux BIOS is sealed?
      Mihi Nomen Est
      • Yes it is!!

        But only after Feisty Fawn ...
        Too Old For IT
      • Linux BIOS !?!

        Can you say n00b. The BIOS is OS neutral so quit trying to start a flame war over something you OBVIOUSLY don't understand.

        Sheesh
        rjacksix
        • While BIOS is or rather should be OS Neutral (even EFI)

          There are sometimes differences (and issues) between the Intel & MS Spec.
          Guess which one sometimes has issues with alternate systems?

          Anyway there is/was a LinuxBIOS, it is now called CoreBoot
          http://en.wikipedia.org/wiki/Coreboot

          Also there are things Like Splashtop/ExpressGate & Hyperspace
          While not actually BIOS they are a nearly instant-on Linux environment stored in the flash memory usually reserved for motherboard BIOS, and may even do device VM (run multiple systems concurrently)
          http://en.wikipedia.org/wiki/Splashtop
          http://en.wikipedia.org/wiki/HyperSpace_(software)
          LazLong
    • peel -n- eat

      BIOS should go back to the old days of a removable chip. I remember swapping BIOS around on 486 machines. By P-II it seemed this was abandoned.

      On a separate chip it would be a very simple matter to check for a rootkit or other problem. A separate reader could compare what exists against what should be, i.e. peel the chip off, plug it in to a device and have at.
      pgit
      • And...

        That makes it pretty easy to "fix" a stolen laptop.
        bernalillo
    • take your pick the hacker or big brother

      "periodically calls home to a central authority"

      umm.. I no likee that partz. At least there should be an option to remove this or turn it off so it can only be turned on by a console user. If 'console' even means anything any more.

      The best thing to do is take measures to prevent the notebook from being stolen or to make it harder to steal in the first place. My employer's stays locked in a cabinet if it's not in my custody. Mine get the same treatment at home. If in the car, hidden. It's amazing how people just leave these things lying around to be taken by the thief of opportunity.
      Opcom_
      • Big Brudduh vs Hacker:

        [b]At least there should be an option to remove this or turn it off so it can only be turned on by a console user.[/b]

        The DELL laptops allow you to completely disable COMPU-PUKE-TRACE. UNFORTUNATELY, this option is irreversible, if you shut it off, you can never ever activate it again.

        Alternately, if you steal or otherwise acquire a DELL laptop that has Compu-Poop-Trace ACTIVATED, you also are prevented from DISABLING it.

        When the BIOS are opened for first use, you are given access to the COMPUPUKE feature and you are asked if you want to ENABLE or DISABLE it. I always choose DISABLE.

        Also, even if enabled, you have to pay even more MONEY to use the technology, as in you gotta have a Compu-Narc account to have yer missing computer located.

        That is the BIG problem with this tech:

        If I BUY a brand new computer that has theft-tracking tech BUILT IN? Then the SYSTEM BETTER DAMN WORK without HAVING TO PAY EXTRA DAMN MONEY to use it!

        That is where the freakin computer manufacturers get us over a barrel to nickel and dime us 2 deth: They insert tech that looks useful, but to USE it, ya gotta pay almost as much as you paid for the laptop!
        XweAponX
        • So what's your point?

          [i]If I BUY a brand new computer that has theft-tracking tech BUILT IN? Then the SYSTEM BETTER DAMN WORK without HAVING TO PAY EXTRA DAMN MONEY to use it![/i]

          You're saying they should not have the technology built in?

          Or that they should charge everyone for it (by increasing the purchase price), including those, like yourself, who don't want to use it?
          CarlS
  • You know, these things shouldn't be in the BIOS itself

    They should be on a SEPARATE chip with authentication
    necessary to write to it.
    Lerianis10
    • You are absolutely right

      Should be hardcoded into a chip, like you said, so IP and URL cannot be changed, but that will cost a few dollars more and all the manufacturers are going for cheaper. The "better mousetraps" always seem to lead to "better mice" -- and the wheels go round and round. Best practice -- don't lose your laptop in the first place!
      aandruli
      • No good!

        aandruli - re-read the article. Since the code phones home periodically, there's no need to have physical possession of the laptop to exploit it. If there exists any other exploitable flaw in the OS of the laptop, it can be compromised remotely. Plus, upstream routers can be programmed to route specific addresses to rogue servers masquerading as the legitimate security servers the code is supposed to report back to...

        Scary...
        NetArch.
      • Isn't this also...

        more what the TPM chips were for? Why is this in the BIOS in the first place?
        ShadowGIATL
    • there should be an option in the BIOS to turn it

      off, WOW, I can't believe the things I am seeing and hearing. I went to bed one day, and woke up to this...Unbelievable.
      theguru1995
  • RE: Researchers find insecure BIOS 'rootkit' pre-loaded in laptops

    pre-installed on 60 percent of all new laptops!?
    is it worldwide or just U.S.?

    I surfed around for the source of this for a while, but couldn't find the source. Could you tell me something about this information?
    ishbash
  • RE: Researchers find insecure BIOS 'rootkit' pre-loaded in laptops

    Ho Ho HO HA HA HA Ha. I wonder if NSA knows this? Ya
    Think?

    Do all Computer systems have a BIOS?
    gertruded
    • BIOS Rootkit

      No, not all systems have BIOS. Some have EFI which is a different animal.
      toml_12953
  • RE: Who Knew!!!

    This is actually quite disturbing... If Computrace LoJack for Laptops is pre-installed on about 60 percent of all new laptops, how is this function even activated in case of laptop theft? Who knows how to activate it? Where is the manufacturers' documentation for this function (in case of laptop theft)? Why is it even there if no one even knows how to use it for its intended purpose? How does one know if this rootkit is part of the machine's BIOS? If the machine has this function, would it be stated as such when purchasing the laptop? Seriously, who allows such action in the industry? Obviously Absolute Corp. pulls in $$ from the manufacturers opening themselves up to possible litigation - some people better get on some BIOS updates real fast! Did Cheney have anything to do with this? LOL
    gizmo350
    • - some people better get on some BIOS updates

      The article says a re-flash of BIOS will NOT remove the rootkit.
      gertruded