Security Portables Hardware

BIOS "Rootkit" Preloaded In 60% of New Laptops

Posted by kdawson
from the hijacking-lojack dept.
Keldrin_1 writes "Researchers Alfredo Ortega and Anibal Sacco, from Core Security Technologies, have discovered a vulnerability in the 'Computrace LoJack for Laptops' software. This is a BIOS-level application that calls home for instructions in case the laptop is ever lost or stolen. However, what the application considers 'home' is subject to change. This allows the creation of malware capable of 'infecting the BIOS with persistent code that survive reboots and reflashing attempts.' Computers from Dell, Lenovo, HP, Toshiba, Asus, and others may be affected."
This discussion has been archived. No new comments can be posted.

  • Hmmm (Score:4, Funny)

    by Anonymous Coward on Friday July 31, 2009 @11:47AM (#28897061)

    P.C. Phone Home.

  • by motherpusbucket (1487695) on Friday July 31, 2009 @11:47AM (#28897063)
    Sounds like it's right up Sony's alley.
    • by leuk_he (194174) on Friday July 31, 2009 @12:09PM (#28897385) Homepage Journal

      From the Lojack compatibility list [absolute.com], here is a list of companies:

                ASUS, Dell, Fujitsu, GammaTech, Gateway, GD Itronix, Getac, HP, Lenovo, Motion, Panasonic, Toshiba

      You can find a list of models on the "bios compatibility list"

      • by Khyber (864651) <techkitsune@gmail.com> on Friday July 31, 2009 @12:53PM (#28898027) Homepage Journal

        They have every DV/TC-model of HP Laptop listed - I used to specifically work on all DV/TC/NC/NX models, I've NEVER ONCE seen this in BIOS during any of my repairs. NEVER. Also, this software was never listed in part of HP's troubleshooting guides, and that usually means that feature is not there.

        I rebooted my laptop (DV9000, full featured loaded with every possible thing offered) and this 'rootkit' in BIOS is nowhere to be found, at all. Not on my friend's DV2000. Not on the new TC4400 I have in my art room.

        • Re: (Score:3, Informative)

          by Anonymusing (1450747)

          Maybe it's available "optionally" on all those models?

          Or maybe it's really really good at hiding itself from you....

      • Re: (Score:2, Funny)

        by dogfolife69 (1005455)
        Yea, but Sony does sell the "Computrace LoJack for Laptops" for their notebooks in their Sony branded VIP Protection Suite (which includes Norton NIS, Online backup and Computrace LoJack for Laptops).... But I guess in this case, you can optionally choose this Sony RootKit.... lol
    • by Like2Byte (542992)

      Don't worry about Sony Vaios. I've owned 2; however, I've only purchased 1. The second is a warranty-replacement after the first died (after 1 year of gentle use). The second died (like clockwork) every six months after and only lasted for two years (when the video board died - software rendering only (even MS-Word (aside from the normal pain) was painful!)). It has since been replaced by another LT.

      So, bottom line - I don't imagine people owning Vaios long enough for them to be too problematic. They'll be i

  • 60%? Really? (Score:2, Interesting)

    by doctor_nation (924358)

    60% seems awfully high for a program I've never heard of. Not that I've been laptop shopping lately, but still.

    • Re:60%? Really? (Score:5, Interesting)

      by cachimaster (127194) on Friday July 31, 2009 @11:53AM (#28897135)

      I know it's hard to believe. When doing our research (I'm Alfredo, hi!) we couldn't find a notebook *without* the Computrace agent. It's bad.

      • Re:60%? Really? (Score:5, Interesting)

        by _bug_ (112702) on Friday July 31, 2009 @12:00PM (#28897255) Journal

        Any way to tell if your laptop has this "feature"?

        And is there any way to disable it?

        • Re: (Score:2, Informative)

          by scout-247 (1127737)
          You'll have to load your laptop into BIOS, it's one of the options listed. I set the option to completely disable it. That doesn't mean that someone could somehow modify code to turn it on, and report it to their site.
        • Re:60%? Really? (Score:4, Insightful)

          by somecreepyoldguy (1255320) on Friday July 31, 2009 @12:18PM (#28897465)
          Go into the BIOS setup, you can choose to activate the feature if you paid for the license, or deactivate a previously activated agent. Choosing disable removes the feature completely. It can NEVER come back. TFA is hype. If it is never enabled in the BIOS NOTHING is installed on Windows.
          • Re:60%? Really? (Score:5, Informative)

            by QuantumRiff (120817) on Friday July 31, 2009 @12:36PM (#28897727)

            Disable only works if the product was never activated. If the BIOS is set to active, AND the client software on the machine contacts the servers for Computrace, and verifies it should be licensed, then it "flips a switch" in that BIOS setting, and you can NEVER disable it again.

            They need to write to the software, or else the software will always try to contact them, and then anyone could track any laptop with a subpoena, ruining their business model. Instead, it has to be "turned on".

            Also, this software in the BIOS does not actually contact anyone directly. All the BIOS level crap does is forcibly try to re-install the agent software under windows. This could get ugly, if you update the BIOS, to try to force it to install a different program every time someone reloads windows...

            Of course, I wonder what happens if I buy an "off lease" laptop, that was at one point activated...

            • Re: (Score:3, Insightful)

              by X0563511 (793323)

              Please explain to me how this works.

              This BIOS 'switch' - how exactly is that flipped? CMOS is not permanent, NVRAM is not permanent, RAM is not permanent. The only permanent storage are removable devices such as hard drives, and the BIOS itself. The BIOS is usually protected physically (jumper) and isn't a 'volatile' storage means anyways. Also, from my understanding, this isn't something that can be reprogrammed on the fly - it has to be done in "real mode" and is done on a block level, rather than bit lev

              • Re: (Score:3, Insightful)

                by adolf (21054)

                You're not missing any clues; it's just impossible.

                My Dell Inspiron 6000's last BIOS update (several years ago) came with some Computrace back-end stuff, with the aforementioned options for on, off, and disable. On and disable are both "permanent" options.

                Which is really interesting, if you follow the timeline: The feature wasn't there at all to begin with. And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.

                If I set it to "on" or "disable", it'll just flip a bit somewher

                • Re: (Score:3, Insightful)

                  by jimicus (737525)

                  And then, I flashed it in. And now, it says it's permanent. Uh - yeah, right.

                  If I set it to "on" or "disable", it'll just flip a bit somewhere, and/or do some magic crypto, and flash that result into a region of BIOS.

                  Of course you could disable it. But that's not the point.

                  There seems to be a prevalent view on /. that because a security system can be disabled, it always will be and is therefore pointless. But anyone who's got enough knowledge to know about the existence of this is probably not a junkie that steals laptops left alone for a minute on the train. And that's what the great majority of petty theft is.

                  • Re: (Score:3, Informative)

                    by adolf (21054)

                    No, I don't think I can disable it. I can only issue an instruction to a computer which is described as disabling the function permanently, but that doesn't exactly mean anything important.

                    Here's the scenario:

                    I "disable" it, the appropriate bits are written into the flash ROM on the motherboard, and it appears to be disabled.

                    Later, something else comes along, and writes different bits into the flash ROM. And then it's not disabled anymore.

                    (And, whatever the case, the default is "off," which should at leas

          • by Peet42 (904274)

            Are you saying that this is a BIOS-level process that only introduces a Windows vulnerability? So Linux users and Hackintoshers are safe?

        • A list of participating manufacturers is right there on the company's web site: http://www.absolute.com/partners/bios-compatibility [absolute.com]

          My company recently investigated the LoJack system after one of our laptops got stolen. It's impressive technology. The sales rep talked up how "fortunate" they were to get the cooperation of many BIOS implementations from the folks who make BIOSes. I don't think that's fortune at all -- it's a corporate deal. Whatever.

          It's common but not all-pervasive. (yet?) I looked for

      • It is indeed hard to believe. As far as I've been able to tell, even in the laptops where it ships, it defaults to disabled. You must actively enable it in the BIOS for it to do anything at all. And it is certainly easily possible to get laptops without it - I just did from HP, two different ones.
      • Re: (Score:3, Informative)

        by Lord Ender (156273)

        60% may be vulnerable, but it is a bald-faced lie to say that 60% are preloaded with a rootkit.

    • by Tx (96709)

      I was just thinking the same thing. Considering that the list of models [absolute.com] with this stuff in the BIOS doesn't include Acer, who ship more laptops than anyone else, or HP, or several other big players, I'm a bit sceptical of that figure. Still the list is quite extensive, I'm a bit surprised I haven't heard of this.

      • by Tx (96709)

        Ok, so it does include HP. It's been a long day, and I go home in 3 minutes.

    • It's offered really cheaply on a bunch of Dells. The program calls home and reports its IP address when activated after being stolen. I doubt if the police are going to do anything with the report of an IP address on a stolen used computer that might be worth $1000 (probably less). All the cops are going to tell you to do is a) use a cable lock in the future b) don't leave the machine in your (car, house, office, etc.) in plain sight and c) call your insurance company. In most cities, cops don't even inv
  • It is time (Score:3, Interesting)

    by 2names (531755) on Friday July 31, 2009 @11:48AM (#28897071)
    Can someone with some knowledge please explain to me why we can't build a machine with simple boot code that does not EVER need to be modified for the life of the hardware?
    • Re:It is time (Score:5, Insightful)

      by betterunixthanunix (980855) on Friday July 31, 2009 @11:53AM (#28897125)
      What if a bug is discovered in the boot code?
      • by echucker (570962)
        They should be able to email the owner who registered the original purchase.
        • by Chris Mattern (191822) on Friday July 31, 2009 @12:54PM (#28898043)

          That's nice. "Hello, customer. There's a fatal bug in your BIOS. Of course, there's not a damn thing you can do about it, since the BIOS on this model isn't changeable, but at least you know about it now."

          • Re: (Score:3, Insightful)

            by X0563511 (793323)

            Which is a lot better than something bad happening with no clue as to why.

            Even if it wasn't fixable, I would like to know.

          • Re: (Score:3, Informative)

            by adolf (21054)

            Not everything is flash-based, yaknow.

            Once upon a time, I had a 32x Plextor SCSI CD-ROM reader, back when such a thing was still a trendy thing to have for ripping audio CDs, which was generally problematic back then.

            It worked pretty well, but eventually Plextor made a new firmware for it that improved a few things. They mailed it out to me for free, via USPS. After the package showed up, I found a small, square EEPROM inside of a static-resistant carrier and, IIRC, a brief instruction sheet.

            The process w

      • Once upon a time... (Score:4, Informative)

        by DrYak (748999) on Friday July 31, 2009 @01:11PM (#28898307) Homepage

        Well, once upon a time, that was the case:

        In case of bug you needed either to move the BIOS chip to a separate flasher, or at least use a hardware switch on the motherboard to switch between 5v and 12v to enable BIOS chip flashing.

        Nowadays, even Windows applications can write to the BIOS without any peculiar form of control. No switch at all involved.
        BIOS rootkits were just bound to happen. What makes it even easier for rootkits is that 90% of all PCs use the same brands of BIOS, and those BIOSes are designed in a modular fashion, making it easy to add a "rootkit" module without needing to re-create a whole new BIOS (see the example of how to add an embedded FreeDOS inside an Award BIOS).

        That's pretty much stupid: most motherboards have a couple of bugs fixed during the first couple of months. Then there's mostly no need to reflash the BIOS, except for supporting newer CPUs, etc., which would require opening the case and accessing the motherboard anyway. But for the whole lifetime of the BIOS, it remains completely writeable even from user-space applications from within highly insecure OSes.

        Hardware "write-protection" switches for BIOSes should be reintroduced. Simple fix for a simple problem.
        Instead you can stay sure that the manufacturers and Microsoft are going to require several layers of TPM and similar forms of DRM in BIOS which won't even guarantee that BIOSes would be protected from bugs.

      • BIOS chips were rote ROM for a long time before writable BIOS was commonplace. Henceforth, I'm wondering if going old-school on this would be the best way to go.

        What about read-only, removable, replaceable BIOS chips? If there's a sufficiently serious bug in the firmware, the OEM mails BIOS chips to registered users. If it's just feature or performance or hardware enhancements, then the OEM charges a nominal fee for it.

        Alternatively, what about having twin BIOS chips and a USB BIOS reader? The removable B

    • by $RANDOMLUSER (804576) on Friday July 31, 2009 @11:53AM (#28897129)
      Busg happen. Consider the /. "write once" paradigm.
    • by Culture20 (968837)

      Can someone with some knowledge please explain to me why we can't build a machine with simple boot code that does not EVER need to be modified for the life of the hardware?

      Some big shops love sending out BIOS settings changes to their computers (a la Dell DCCU type program), i.e. "on next boot only, PXE boot for a reimage". Read-only BIOS is easy, just like kiosk machines, but the money's in configurable multi-use systems.

    • by prgrmr (568806)
      They did. It was called the TI-99.
    • Re: (Score:2, Insightful)

      by darksabre (250838)

      Because booting a PC is not simple. DRAM init is complicated. PCI init is complicated. Supporting suspend to RAM is complicated. etc etc.

    • by BitZtream (692029)

      Because it takes effort to make it stable and reliable enough to put out a version that works well enough to not have to ever patch. BIOS isn't exactly 'standardized'. Well, that's not true, it is because Windows expects certain things out of the BIOS and there is a loose 'standard' but it's not followed close enough that there is any standard test set that says if the software passes these tests it's good to go.

      Doing all that takes money and time. We used to get this sort of effort out of console video game

  • by CrimsonKnight13 (1388125) on Friday July 31, 2009 @11:49AM (#28897073) Homepage
    LoJack swiftly changes to HiJack with a good splash of water
    • by trevorrowe (689310) on Friday July 31, 2009 @11:54AM (#28897141) Homepage

      LoJack swiftly changes to HiJack with a good meal after midnight

      There, fixed that for you. A splash of water would give you more laptops... if only ...

      • Re: (Score:3, Funny)

        by TinBromide (921574)

        LoJack swiftly changes to HiJack with a good meal after midnight

        There, fixed that for you. A splash of water would give you more laptops... if only ...

        Yeah, but they'd all run windows ME

        • Heh. Parent is "flamebait"; like the masses are going to rise up and hotly defend Windows ME.

          Besides, Windows ME was more like Aliens than Gremlins.
          • I think the mod who moderated him "flamebait" must be the ONE Windows user who actually liked Windows ME. What are the odds that that one person would be reading this thread? Go figure...
  • by Anonymous Coward on Friday July 31, 2009 @11:50AM (#28897095)

    Just like SPTD is not a rootkit when it hides my emulated dvd from copy protection software.

    This is a popular piece of software that happens to have a potentially serious bug that the vendors and users should be demanding be fixed, but it doesn't make it a rootkit.

  • "the duo demonstrate methods for infecting the BIOS with persistent code that survive reboots and reflashing attempts"

    Where exactly is the code stored, that survives reboots?
    • Re: (Score:3, Informative)

      by Daniel_Staal (609844)

      With the rest of the BIOS code, in the special flash-pram on the motherboard designed especially to store just that code.

      • Which should be protected from writing by a jumper or switch.

        • Wrong.
          That shit can only be removed by a hardware flasher or a hammer.

          Computrace is saved in an area that is never allowed to be overwritten.

    • Re: (Score:3, Informative)

      by value_added (719364)

      Where exactly is the code stored, that survives reboots?

      Start here [howstuffworks.com]. For more info, you can read the Wiki article [wikipedia.org].

      Alternatively, try opening your computer and actually looking at what's inside. ;-)

  • Don't people specifically BUY low jack for laptops, or does it come pre installed and you pay to activate it?

    It clearly has bugs, but I thought the hard/impossible to remove was considered a feature of the software?

    • by tlhIngan (30335)

      Don't people specifically BUY low jack for laptops, or does it come pre installed and you pay to activate it?

      It clearly has bugs, but I thought the hard/impossible to remove was considered a feature of the software?

      You can buy it, but you can also get it pre-installed. Dell offers it as part of the extended warranty in Canada for their laptops. I presume other manufacturers have similar things going where either you get service "prepaid" or discounted service rates.

      The reason for the BIOS part is that if yo

  • Signature (Score:5, Insightful)

    by Spazmania (174582) on Friday July 31, 2009 @12:05PM (#28897313) Homepage

    The pair recommended a digital signature scheme to authenticate the call-home process.

    How's that going to help? If you can replace the IP address then you can replace the certificate and signature too. If you have access to modify the BIOS flash, it's game over.

    • by scubamage (727538)
      Except it's not able to be overwritten by a BIOS flash. It's stored elsewhere. While it would be possible to flash the RAM where it IS stored, the people who have the skill to do so are hardly likely to be the ones stealing laptops to make money. If it's stolen by a foreign government, it's fooked anyways.
    • by Yvanhoe (564877)
      The only reasonable thing to do seems to be to get rid of this piece of software. Are the free open source BIOSes reliable now?
    • Note that you DON'T have easy access to modify all of the BIOS, that's the point of this. Even after flashing the bios, the rootkit remains. It's just the configuration info that is left wide open.

      The concept here is to update the first-install version of the rootkit to be more robust against IP address changes, and to be more secure about the way updates are accepted. So, even if the IP address is spoofed or somehow updated, the download could be verified. Allowing unverified updates is just asking
  • by ral (93840) on Friday July 31, 2009 @12:11PM (#28897403)
    Please tell me if I'm missing something, but isn't the real vulnerability that the BIOS can be modified with unsigned code? A BIOS that allows this can be infected with a rootkit regardless of whether the LoJack code was there.
    • True, but a regular BIOS can be reflashed. This LoJack stuff survives BIOS flashings.
    • Re: (Score:3, Insightful)

      by gmuslera (3436)
      The real vulnerability is the "phone home" part, especially because it doesn't use strong authentication. What if something in your path redirects that fixed IP it contacts to one with a fake set of instructions? Suddenly router hacking, open hotspots, ARP poisoning and other things could be lethal to your notebook, or even be used to bypass your well built firewall and make your PC part of an ever growing communit... I mean, botnet.
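Added example, not part of any comment in this thread and not Computrace or Core Security code: a Go model of the signed call-home discussed in the "Signature" thread and in the comment above. The reply format, the `Agent` type, the command strings, the keys and the addresses are all constructed; `Pinned` stands for a verification key kept with the write-protected code, `Home` for the mutable call-home setting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("instruction not signed by pinned key")
	ErrReplay       = errors.New("instruction counter not newer than last accepted")
)

// Instruction is a constructed call-home reply format (an assumption).
type Instruction struct {
	Counter uint64 // strictly increasing, so an old signed reply cannot be replayed
	Command string
	Sig     []byte
}

// Agent models the persistent stub: Pinned is the verification key,
// Home is the mutable "where is home" setting.
type Agent struct {
	Pinned ed25519.PublicKey
	Home   string
	last   uint64
}

// KeyFromLabel derives a fixed demo key so the example is deterministic.
func KeyFromLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

func PubOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// message binds the counter and the command into the signed bytes.
func message(counter uint64, cmd string) []byte {
	buf := make([]byte, 8, 8+len(cmd))
	binary.BigEndian.PutUint64(buf, counter)
	return append(buf, cmd...)
}

func Sign(priv ed25519.PrivateKey, counter uint64, cmd string) Instruction {
	return Instruction{Counter: counter, Command: cmd,
		Sig: ed25519.Sign(priv, message(counter, cmd))}
}

// Accept authenticates the reply itself, so which host sent it is irrelevant.
func (a *Agent) Accept(in Instruction) error {
	if len(a.Pinned) != ed25519.PublicKeySize ||
		!ed25519.Verify(a.Pinned, message(in.Counter, in.Command), in.Sig) {
		return ErrBadSignature
	}
	if in.Counter <= a.last {
		return ErrReplay
	}
	a.last = in.Counter
	return nil
}

func main() {
	vendor := KeyFromLabel("constructed vendor key")
	rogue := KeyFromLabel("constructed rogue key")
	a := &Agent{Pinned: PubOf(vendor), Home: "203.0.113.10"}
	fmt.Println("vendor reply:", a.Accept(Sign(vendor, 1, "report-location")))
	a.Home = "198.51.100.66" // setting rewritten or traffic redirected
	fmt.Println("rogue reply after redirect:", a.Accept(Sign(rogue, 2, "install-module")))
	fmt.Println("replayed vendor reply:", a.Accept(Sign(vendor, 1, "report-location")))
	a.Pinned = PubOf(rogue) // key kept in the same writable area as Home
	fmt.Println("rogue reply after key swap:", a.Accept(Sign(rogue, 2, "install-module")))
}
```

The last line of `main` is the objection raised in the "Signature" comment: the check only holds while the verification key sits somewhere the party who can rewrite `Home` cannot write.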
    • Re: (Score:2, Interesting)

      by coreboot (1607489)
      You are assuming that the signed code can be trusted, which is a bad assumption. The signed code is from a vendor; how many vendors ship code with broken security; how many vendors would you expect to happily sign code with broken security, in the PC world? Answer: all of them :-)
      This development should not be a surprise to anyone, but evidently it is. We've been trying to warn people about this possibility for 10 years; nobody seemed to care. I am hoping they care more now.
      I still feel the only solution
  • I'm surprised that hardware manufacturers haven't made better use of persistent on-chip data. A huge opportunity exists for device firmware developers to embed advertising. Imagine installing a Sony DVD drive that detects non-proprietary discs and pops up a suggestion to purchase Sony discs. It isn't too hard to imagine Sony including a special bit string on their blank DVDs that their players look for each time a disc is inserted. Or several advertising partners with products that, when present, can cre
    • Sony would be just the kind of douchebags to try this.

    • Thanks, I'm pretty sure I'm going to have nightmares about this now... I'm actually serious. I tend to be a little paranoid about security, not nearly as much as some, but still.

    • Wasn't there a DVD burner recently that did this?
      Every time you'd close the tray it would prompt you to install their shitware. (Under windows, of course)

  • Good thing this doesn't come on the cheap models, I bought a cheap-as dirt ($300 new, not a netbook) Toshiba laptop that is a L305-S5955 and thankfully it doesn't have this "feature" but I feel like I dodged a bullet with this one.
  • FUD FOR THE WIN! (Score:5, Informative)

    by BitZtream (692029) on Friday July 31, 2009 @12:43PM (#28897837)

    First off, the 'feature' comes on a lot of laptops. Doesn't mean it's enabled. You have to request it to be enabled in order for it to come from factory with it actually turned on.

    If you don't turn it on, it doesn't do anything, no phone home, no remote wipe, no tracking.

    Guess what, same thing applies to Blackberrys, and iPhones, and cars with LoJack that have remote shutoff. For every feature there is a potential risk, that's the way the world works.

    If you want the potential to remotely locate/track and wipe a laptop or PC, then you also get the potential that someone else can do it as well.

    • Re: (Score:3, Informative)

      by GMFTatsujin (239569)

      Exactly right. The company that made LoJack lobbied for the feature to be installed, but they want you to pay for it to be activated. If you don't give them money, it's dormant.

      Now, if somebody hacked or appropriated their activation scheme, or compelled the company to activate it without your knowledge, that would be a cause for concern.

  • Since most laptops come with Windows, and, well, you get my drift...

    oh, that's right, those aren't BIOS rootkits, nevermind. Makes all the difference.

    Though I don't much care if my machine is compromised in pre-execution or later. All the same crap to me.

    I wonder if the bad guys have bothered to monitor LoJack transmissions for cars. At least you'd know where the cops are, and could plan to be elsewhere...

  • by Phizzle (1109923) on Friday July 31, 2009 @01:05PM (#28898213) Homepage
    LOLjack
  • I have worked with Computrace at one of my previous companies, and I always knew it was total crap.

    It doesn't even work as advertised most of the time and defeating it is so simple a 5 year old with some skill could do it.
