BIOS "Rootkit" Preloaded In 60% of New Laptops

Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."
This discussion has been archived. No new comments can be posted.

  • Re:Problem solved (Score:4, Informative)

    by alen ( 225700 ) on Friday July 31, 2009 @11:59AM (#28897239)

    http://store.lojackforlaptops.com/store/absolute/DisplayProductDetailsPage/productID.104509100 [lojackforlaptops.com]

    Congrats, there is a Mac version available as well. PCs and Macs are all the same parts made by the same slaves chained together. There are a few companies in the world that make a basic computer and then Dell, HP, Apple and others add a few things and brand it for themselves.

  • by Daniel_Staal ( 609844 ) <DStaal@usa.net> on Friday July 31, 2009 @12:01PM (#28897265)

    With the rest of the BIOS code, in the special flash-pram on the motherboard designed especially to store just that code.

  • by leuk_he ( 194174 ) on Friday July 31, 2009 @12:09PM (#28897385) Homepage Journal

    From the Lojack compatibility list [absolute.com] here is a list of company:

              ASUS, Dell, Fujitsu, GammaTech, Gateway, GD Itronix, Getac, HP, Lenovo, Motion, Panasonic, Toshiba

    You can find a list of models on the "bios compatibility list"

  • Re:60%? Really? (Score:2, Informative)

    by scout-247 ( 1127737 ) on Friday July 31, 2009 @12:17PM (#28897461)
    You'll have to load your laptop into BIOS, it's one of the options listed. I set the option to completely disable it. That doesn't mean that someone could somehow modify code to turn it on, and report it to their site.
  • by Anonymous Coward on Friday July 31, 2009 @12:26PM (#28897567)

    Computrace comes loaded in the bios of all of my Dell Latitudes. It is "inactive" until you turn it on in the BIOS. Once activated, there is no way to disable it.

    There is a one time license fee to register the Computrace machine on their website. It uses IP based location. Windows will recognize the computrace hardware and install a "Generic USB HUB" driver for it (thanks MS). It must also interface with WMI in some way, as the website will also pull up some details on the computer's specs.

    Once you flag the machine as stolen, Computrace (the company) tries to track it down. If they are unable to return your laptop within a certain amount of time (30 days I believe) they pay out 70% of the value of the laptop.

  • by value_added ( 719364 ) on Friday July 31, 2009 @12:32PM (#28897649)

    Where exactly is the code stored, that survives reboots?

    Start here [howstuffworks.com]. For more info, you can read the Wiki article [wikipedia.org].

    Alternatively, try opening your computer and actually looking at what's inside. ;-)

  • Re:60%? Really? (Score:5, Informative)

    by QuantumRiff ( 120817 ) on Friday July 31, 2009 @12:36PM (#28897727)

    Disable only works if the product was never activated. If the BIOS is set to active, AND the client software on the machine contacts the servers for Computrace, and verifies it should be licensed, then it "flips a switch" in that BIOS setting, and you can NEVER disable it again.

    They need to write to the software, or else the software will always try to contact them, and then anyone could track any laptop with a subpoena, ruining their business model. Instead, it has to be "turned on".

    Also, this software in the BIOS does not actually contact anyone directly. All the BIOS level crap does is forcibly try to re-install the agent software under windows. This could get ugly, if you update the BIOS, to try to force it to install a different program every time someone reloads windows...

    Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated...

  • FUD FOR THE WIN! (Score:5, Informative)

    by BitZtream ( 692029 ) on Friday July 31, 2009 @12:43PM (#28897837)

    First off, the 'feature' comes on a lot of laptops. Doesn't mean its enabled. You have to request it to be enabled in order for it to come from factory with it actually turned on.

    If you don't turn it on, it doesn't do anything, no phone home, no remote wipe, no tracking.

    Guess what, same thing applies to Blackberrys, and iPhones, and cars with LoJack that have remote shutoff. For every feature there is a potential risk, that's the way the world works.

    If you want the potential to remotely locate/track and wipe a laptop or PC, then you also get the potential that someone else can do it as well.

  • Re:60%? Really? (Score:1, Informative)

    by Anonymous Coward on Friday July 31, 2009 @12:44PM (#28897851)
    When doing our research we couldn't find a notebook *without* the Computrace agent.

    You didn't look very hard then, did you? Acer don't have CompuTrace [absolute.com] and finding one of their notebooks is hardly challenging. According to the most recent data [displaysearch.com] from NPD's DisplaySearch, Acer has the second largest unit-volume market share, with 16% of the global notebook shipments (excluding netbooks) to themselves.

    Obviously you know that, because as the ZDNet article based on your presentation stated, fully 40% of all new notebooks don't include Computrace. With nearly half of notebooks not including the technology, it's obviously pretty darned easy to find a notebook without Computrace. Polemic statements like that still don't do your credibility any good, though.
  • by Khyber ( 864651 ) <techkitsune@gmail.com> on Friday July 31, 2009 @12:53PM (#28898027) Homepage Journal

    They have every DV/TC-model of HP Laptop listed - I used to specifically work on all DV/TC/NC/NX models, I've NEVER ONCE seen this in BIOS during any of my repairs. NEVER. Also, this software was never listed in part of HP's troubleshooting guides, and that usually means that feature is not there.

    I rebooted my laptop (DV9000, full featured loaded with every possible thing offered) and this 'rootkit' in BIOS is nowhere to be found, at all. Not on my friend's DV2000. Not on the new TC4400 I have in my art room.

  • Re:It is time (Score:1, Informative)

    by Anonymous Coward on Friday July 31, 2009 @01:01PM (#28898147)

    I take it you're not a BIOS developer? Because that answer is completely WRONG.

    BIOS controls the base hardware, and is different on different machines. SOME need LBA, some don't, some have higher/lower bus speeds than others. It changes frequently (not as frequent as an OS, but frequent) to support new hardware such as faster RAM support, larger HD support, etc.

    Non changing BIOS is not a reality. Period.

  • Re:It is time (Score:3, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Friday July 31, 2009 @01:07PM (#28898233) Homepage Journal

    Fire the guy. BIOS do the same function on every computer and are a very simple program of a few K. Bugs in there are totally avoidable.

    No, they need to be adapted per chipset, especially for things like ACPI.

  • Re:FUD FOR THE WIN! (Score:3, Informative)

    by GMFTatsujin ( 239569 ) on Friday July 31, 2009 @01:10PM (#28898265) Homepage

    Exactly right. The company that made LoJack lobbied for the feature to be installed, but they want you to pay for it to be activated. If you don't give them money, it's dormant.

    Now, if somebody hacked or appropriated their activation scheme, or compelled the company to activate it without your knowledge, that would be a cause for concern.

  • Once upon a time... (Score:4, Informative)

    by DrYak ( 748999 ) on Friday July 31, 2009 @01:11PM (#28898307) Homepage

    Well, once upon a time, that was the case:

    In case of bug you needed either to move the BIOS chip to a separate flasher, or at least use a hardware switch on the motherboard to switch between 5v and 12v to enable BIOS chip flashing.

    Nowadays, even Windows applications can write to the BIOS without any peculiar form of control. No switch at all involved.
    BIOS rootkits were just bound to happen. What makes it even easier for rootkits is that 90% of all PCs use the same brands of BIOS, and those BIOSes are designed in a modular fashion, making it easy to add "rootkit" modules without needing to re-create a whole new BIOS (see the example of how to embed FreeDOS inside an Award BIOS).

    That's pretty much stupid: most motherboards have a couple of bugs fixed during the first couple of months. Then there's mostly no need to reflash the BIOS, except for supporting newer CPUs, etc., which would require opening the case and accessing the motherboard anyway. But for the whole lifetime of the BIOS, it remains completely writeable even from user-space applications from within highly insecure OSes.

    Hardware "write-protection" switches for BIOSes should be reintroduced. Simple fix for a simple problem.
    Instead you can stay sure that the manufacturers and Microsoft are going to require several layers of TPM and similar forms of DRM in BIOS, which won't even guarantee that BIOSes would be protected from bugs.

  • by Anonymusing ( 1450747 ) on Friday July 31, 2009 @01:58PM (#28899015)

    Maybe it's available "optionally" on all those models?

    Or maybe it's really really good at hiding itself from you....

  • by Anonymous Coward on Friday July 31, 2009 @02:00PM (#28899039)

    Datasheet of my old BIOS FLASH:

    http://www.atmel.com/dyn/resources/prod_documents/DOC1017.PDF (pdf datasheet)

    >In the AT49F002(N)(T), once the boot block programming lockout feature is enabled, the contents of the boot block are permanent and cannot be changed.

  • Re:60%? Really? (Score:3, Informative)

    by Lord Ender ( 156273 ) on Friday July 31, 2009 @02:00PM (#28899043) Homepage

    60% may be vulnerable, but it is a bald-faced lie to say that 60% are preloaded with a rootkit.

  • Re:Problem solved (Score:4, Informative)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Friday July 31, 2009 @02:39PM (#28899699) Homepage

    Actually this could be built into EFI. Apple don't, but if a laptop manufacturer wanted to they could. It's even easier than BIOS - an EFI ROM is a structured filesystem containing all the drivers and commands required to boot.. things like the display and keyboard drivers. Adding this software could be done after the fact without even having to touch the original code.

  • by camg188 ( 932324 ) on Friday July 31, 2009 @03:34PM (#28900543)
    From one of the links in the article:

    While an attacker would have to already have compromised a system to insert malicious code into the BIOS, the attack prevents a defender from easily deleting an attacker's program or rootkit, the researchers said. "You can remove the hard drive, trash it, and even reinstall the operating system," Sacco said. "This will still reinstall the rootkit."
    ...
    BIOS attacks can be prevented by using the jumpers on many motherboards to block writing to the chips that store the system's instructions. In addition, some hardware security technologies, such as the Trusted Computing platform, could be used to check the integrity of the BIOS, preventing changes.
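As an added illustration of the integrity check the quoted article alludes to (this is example code written for this page, not code from the article, the researchers, Absolute, or any TPM vendor): a simulation of TPM 1.2-style PCR extension over a constructed, modular BIOS image, showing how a module added "after the fact" changes the measured value even though every original byte is untouched, and how the event log pinpoints the new module. Module names and bytes are made up; no real TPM is involved.

```python
import hashlib

# Constructed toy firmware image: a list of named "modules", standing in for the
# modular BIOS layout discussed in the thread. Bytes are made up, not a real BIOS.
GOLDEN_MODULES = [
    ("bootblock", b"\x55\xaa" + b"\x90" * 30),
    ("acpi-tables", b"constructed ACPI table bytes"),
    ("vga-oprom", b"\x55\xaa\x40" + b"\x00" * 13),
]

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2-style PCR extend: new_pcr = SHA1(old_pcr || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def measure_image(modules):
    """Hash each module, extend it into a simulated PCR0 (starts as 20 zero
    bytes) and keep an event log of (name, digest) like a TCG event log."""
    pcr = bytes(20)
    log = []
    for name, blob in modules:
        digest = hashlib.sha1(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def replay_log(log):
    """Recompute the PCR from the event log alone; a log that does not replay
    to the reported PCR has been tampered with or truncated."""
    pcr = bytes(20)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def first_divergence(golden_log, log):
    """Locate the first module whose digest differs from the golden baseline.
    Returns (index, name); an appended module counts, a removed one yields
    (index, None); None means the logs match."""
    for i, (name, digest_hex) in enumerate(log):
        if i >= len(golden_log) or golden_log[i][1] != digest_hex:
            return i, name
    if len(log) < len(golden_log):
        return len(log), None
    return None

# Baseline captured from the known-good image, e.g. at deployment time.
GOLDEN_PCR, GOLDEN_LOG = measure_image(GOLDEN_MODULES)

if __name__ == "__main__":
    # A module added "after the fact" changes PCR0 even though every original
    # byte is untouched; the log pinpoints which entry is new.
    added = GOLDEN_MODULES + [("extra-module", b"constructed added module")]
    pcr, log = measure_image(added)
    print("matches golden:", pcr == GOLDEN_PCR)
    print("first divergence:", first_divergence(GOLDEN_LOG, log))
```

The comparison only helps if the golden PCR is stored somewhere the firmware cannot rewrite, which is the same trust problem the thread raises about flash-resident "disable" bits.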

  • Re:It is time (Score:3, Informative)

    by adolf ( 21054 ) <flodadolf@gmail.com> on Friday July 31, 2009 @04:09PM (#28901219) Journal

    Not everything is flash-based, yaknow.

    Once upon a time, I had a 32x Plextor SCSI CD-ROM reader, back when such a thing was still a trendy thing to have for ripping audio CDs, which was generally problematic back then.

    It worked pretty well, but eventually Plextor made a new firmware for it that improved a few things. They mailed it out to me for free, via USPS. After the package showed up, I found a small, square EEPROM inside of a static-resistant carrier and, IIRC, a brief instruction sheet.

    The process was simple: Pull the drive, turn it over, remove old chip, insert new chip, reassemble, and done.

    I mean, sheesh: BIOS wasn't always flashable, either, yaknow -- it used to be contained on socketed ROMs that could be swapped around fairly easily.

  • Re:60%? Really? (Score:3, Informative)

    by adolf ( 21054 ) <flodadolf@gmail.com> on Friday July 31, 2009 @09:46PM (#28904865) Journal

    No, I don't think I can disable it. I can only issue an instruction to a computer which is described as disabling the function permanently, but that doesn't exactly mean anything important.

    Here's the scenario:

    I "disable" it, the appropriate bits are written into the flash ROM on the motherboard, and it appears to be disabled.

    Later, something else comes along, and writes different bits into the flash ROM. And then it's not disabled anymore.

    (And, whatever the case, the default is "off," which should at least forestall any white hat usage of the thing without user intervention. Emphasis on "should" and "white hat". It's Really Fucking Important to maintain a certain level of mistrust when it comes to considering such matters.)

    And, whatever the case: I don't think it even matters at that point. The thing still needs some software support in order to work, and the package which includes that software can fairly easily modify the BIOS to include whatever small bit of code the programmer decides should be there.

    There's well-documented, reliable, and easy methods for inserting your own code into BIOS to initialize a SCSI card, perform a network boot, or change the Energy Star logo, and there's no reason at all why these same methods cannot be used for purposes other than those I just listed -- including, of course, quietly inserting malicious backdoors.

  • Re:60%? Really? (Score:2, Informative)

    by cachimaster ( 127194 ) on Saturday August 01, 2009 @03:17PM (#28911031)

    Please read the paper. The configuration is saved in NVRAM and there are many ways to reverse it. We even found a software-only way.

    Never say never.
