Out-Of-the-Box Exploitation Possible On PCs From Top 5 OEMs (arstechnica.com)

According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks. Dan Goodin reports for Ars Technica: The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to use transport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware.

Duo Security adds: Hacking in practice means taking the path of least resistance, and OEM software is often a weak link in the chain. All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can't protect you when an OEM vendor cripples them with pre-installed software.
  • by Anonymous Coward

    Why that kind of crap happening on both smartphones and computers, is there anyone still surprised why Apple didn't want carriers to install their own crapware on iPhones?

    • Because it pays... At one point Dell was making more from bounties on preinstalled crap than they were from the margin on the computer itself. And people will give away all of their personal information for a $5 off coupon these days. https://www.pcdecrapifier.com/ [pcdecrapifier.com]
    • Apple is also a nice way to get a clean MS Windows environment via Boot Camp. It's an end-user installation of Windows, like a build-your-own-PC, so it's a fairly clean install.

      I've been building my own PCs from parts since 386 days. I've only had a small fraction of the Windows problems others complain about. Even good Linux compatibility. OK, it may help that the "No" and "Cancel" buttons are my friends, especially when someone is generously offering to install something for me. And I look out for those
  • OEM Rescue Kit (Score:5, Interesting)

    by Anonymous Coward on Wednesday June 01, 2016 @01:13PM (#52226415)

    OEM Rescue Kit [distrowatch.com]

  • You'd have to be a moron to buy anything from Dell or Lenovo by choice, after the root certificate crap they both pulled.

    So what Windows OEMs are left that don't fuck up their computers? Let's start by eliminating the five mentioned in TFS, and also Microsoft, Sony and Samsung because they have a history of abusing their customers and have terrible support. That leaves us with... LG, Toshiba and MSI. And a bunch of tiny companies.

    No wonder the PC market is declining so hard.
    • I am seeing a lot more of my commercial clients go back to WhiteBox PCs. It is cheaper, and when you buy enough, you do not have the support issues. "Since I am getting 50 PCs from you, can you throw in 2 extra motherboards for warranty hotswap?" Some even keep a few full desktops in the back for swapping out failures. At the lower prices, they can afford to! (Note: The "lower price" includes the cost of un-fucking each desktop from Dell or HP... Not just the hardware, which is only the beginning!)
    • You'd have to be a moron to buy anything from Dell or Lenovo by choice, after the root certificate crap they both pulled.

      Well, at least you described the average computer user accurately, who still believes a "root" problem is caused by dandelions growing in their yard.

      This would also imply that the average computer user knows or cares about computer security. They care about price when buying a computer, not security, hence the reason they go to the vendor with the most subsidized OEM crapware on the machine.

    • After a horrible defective rate with MSI motherboards back in the 90's, I haven't tended to consider them a decent company...
    • You'd have to be a moron to buy anything from Dell or Lenovo by choice, after the root certificate crap they both pulled. So what Windows OEMs are left that don't fuck up their computers? Let's start by eliminating the five mentioned in TFS, and also Microsoft, Sony and Samsung because they have a history of abusing their customers and have terrible support. That leaves us with... LG, Toshiba and MSI. And a bunch of tiny companies. No wonder the PC market is declining so hard.

      Except Lenovo only installed it on a select few consumer models. They are still the goto in the Corporate world. Dell however is complete garbage now.

  • made more from pre-installed software, especially games, than we did from the hardware, this problem will never go away. The closer to malware that the software is, generally the more profitable it is.

  • are the OEMs getting paid to put this crap on there, is it just that cheap to let someone else do it (and buy some liability insurance), or a combination of the two?

  • Step 1: buy the box Step 2: wipe, install clean OS

    I had had enough with bloatware years ago, so now it's nothing but OEM Windows (if not Linux) for me.
  • by wonkey_monkey ( 2592601 ) on Wednesday June 01, 2016 @01:39PM (#52226681) Homepage

    The updaters frequently expose their programming interfaces

    The dirty beggars.

  • Let's put this into perspective.

    If your attacker can either A) hack into the Internet back-end routers; or B) physically colocate on your private network, he can hack your PC during an update check.

    If we assume update checks are sufficiently frequent, then your most likely attack is from a PC on your network--a neighbor or white van that's connected to your wifi, assuming it's not encrypted with a non-trivial password ("lemonade_ghost_riders" would keep the NSA out if they had to brute-force your WPA2--don't use that password; it's public knowledge now).

    The only reasonable scenario is a targeted attack by an infected machine on coffee-shop wifi. Such an attack would need to connect to the local wifi, spoof ARP packets of the router at your particular device, spoof ARP packets of your device at the router, and interpose itself. Not impossible, but very much not reasonable if two competing devices are attempting to do it.

    • by omnichad ( 1198475 ) on Wednesday June 01, 2016 @02:03PM (#52226861) Homepage

      A) hack into the Internet back-end routers; or B) physically colocate on your private network

      Or just compromised DNS on your router. There are an awful lot of vulnerable router firmwares out there still in common use.

      Such an attack would need to connect to the local wifi, spoof ARP packets of the router at your particular device, spoof ARP packets of your device at the router, and interpose itself.

      You give coffee shops too much credit. Log into router after getting on free wifi, because the username and password are still set to the factory default. Change default DNS servers handed out on DHCP to your external host. No need to spoof anything.

      For that matter, if the coffee shop has a lower power AP, you can just bring in a discreet high-powered AP and use the same SSID. Laptops will just connect to the highest powered signal with the same SSID. Instant MITM.
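The two-sided ARP spoof the parent comment describes (one station answering ARP for the gateway toward the victim and for the victim toward the gateway) leaves a visible trace on the segment. The following is an added example, not code from the thread or from Duo's report: it runs a simple detector over a constructed log of ARP replies. The addresses, MACs and timestamps are all made up for the demonstration; a real source would be a packet capture or a sniffer's output.

```javascript
'use strict';
// Added example, not from the thread: flag the two-sided ARP spoof described
// in the parent comment (one station answering ARP for both the gateway and a
// client) from a stream of ARP replies. The log below is constructed; a real
// source would be a packet capture or a sniffer's output.

const ARP_LOG = [
  { t: 0,  ip: '192.168.1.1',  mac: 'AA:AA:AA:AA:AA:01' }, // real gateway
  { t: 1,  ip: '192.168.1.50', mac: 'BB:BB:BB:BB:BB:50' }, // victim laptop
  { t: 2,  ip: '192.168.1.77', mac: 'CC:CC:CC:CC:CC:77' }, // attacker's own address
  { t: 30, ip: '192.168.1.1',  mac: 'CC:CC:CC:CC:CC:77' }, // attacker now answers for the gateway
  { t: 30, ip: '192.168.1.50', mac: 'CC:CC:CC:CC:CC:77' }, // ... and for the victim
];

// Returns alerts in the order the evidence appears.
//  ip-rebind        : an IP that was owned by one MAC is now claimed by another
//  gateway-and-host : one MAC claims the gateway IP and at least one other IP
function detectArpSpoof(log, gatewayIp) {
  const owner = new Map();    // ip  -> first MAC seen claiming it
  const claimed = new Map();  // mac -> Set of IPs it has claimed
  const flagged = new Set();  // MACs already reported as gateway-and-host
  const alerts = [];
  for (const rec of log) {
    const ip = rec.ip;
    const mac = rec.mac.toLowerCase();

    if (!owner.has(ip)) {
      owner.set(ip, mac);
    } else if (owner.get(ip) !== mac) {
      alerts.push({ t: rec.t, kind: 'ip-rebind', ip, from: owner.get(ip), to: mac });
    }

    if (!claimed.has(mac)) claimed.set(mac, new Set());
    const ips = claimed.get(mac);
    ips.add(ip);
    if (!flagged.has(mac) && ips.has(gatewayIp) && ips.size > 1) {
      flagged.add(mac);
      alerts.push({ t: rec.t, kind: 'gateway-and-host', mac, ips: [...ips] });
    }
  }
  return alerts;
}

console.log(detectArpSpoof(ARP_LOG, '192.168.1.1'));
```

An `ip-rebind` on its own is also what a replaced router or a DHCP lease moving between machines looks like, so on a real network it is the combination (a rebind of the gateway address plus one MAC answering for both the gateway and a client within a short window) that is worth alerting on. The DNS and evil-twin variants in the parent comment do not produce this trace at all; they need different checks (the DNS servers handed out by DHCP, the BSSID behind a familiar SSID).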

      • True. My point was mostly that the general theme of security news is "OOOOOOOOOOOOOH SCARY HACKERS WILL HIJACK YOUR PRECIOUS DELICATE LITTLE PC ACROSS THE INTERNET!" and people imagine sitting at home, unwrapping a new desktop, turning it on, and getting hacked 4,000 times. That doesn't happen.

        Hacking home routers is actually really hard from outside. Most routers don't expose any open ports to the WAN side, so you can't just route around their broken Web apps. There's this continuing myth that you c

        • Right. This would assume that their router had been hacked via the previous PC and was already running the attack.

        • Most routers don't expose any open ports to the WAN side

          Depends on the ISP. At least around here, UPC wants port 443, Netia both 443 and 4567, for their backdoors.

      • by jetkust ( 596906 )
        Do routers really let guest accounts log into them? And if so, why?
        • Not sure what you're asking. But a small business that happens to be cheap will be using an off-the-shelf consumer router as their "access point" and will require no password to connect and join the network. Yes, routers generally let wireless clients access the administration features, provided they know the password (still set to default). Not every consumer even owns a wired device.

          • by jetkust ( 596906 )
            I'm assuming any sane businesses are using the Guest Access or Guest Mode feature on their router, which is a separate isolated network, meaning each user connected to it is completely isolated from the other users and only has internet access. They are not actually on the network. It makes no sense the router would accept a login from such a user. I don't use a lot of public networks, but the one I do use, Starbucks, you are completely isolated. You can't just ping random people at will. You have inter
            • So you don't mean just any coffee shop. That's a multinational corporation. Don't assume most small businesses are even willing to spend enough on a router with a guest network.

    • Let's put this into perspective.

      If your attacker can either A) hack into the Internet back-end routers; or B) physically colocate on your private network, he can hack your PC during an update check.

      If we assume update checks are sufficiently frequent, then your most likely attack is from a PC on your network--a neighbor or white van that's connected to your wifi, assuming it's not encrypted with a non-trivial password ("lemonade_ghost_riders" would keep the NSA out if they had to brute-force your WPA2--don't use that password; it's public knowledge now).

      The only reasonable scenario is a targeted attack by an infected machine on coffee-shop wifi. Such an attack would need to connect to the local wifi, spoof ARP packets of the router at your particular device, spoof ARP packets of your device at the router, and interpose itself. Not impossible, but very much not reasonable if two competing devices are attempting to do it.

      Exactly. If you're being victimized by a man in the middle attack you have a *lot* more to worry about than your Dell/Lenovo/HP driver update suite being non-encrypted.

  • expose their programming interfaces, making them easy to reverse engineer

    I fail to see how this statement should ever be construed as bad. If done properly, knowing the programming interfaces and how they work should in no way compromise the security of the system.

    Also, while it's good that the new Lenovo utility employs all the security best practices and it wouldn't hurt to have signed manifests, if TLS is working properly the signed manifest seems likely to be a mostly redundant security feature.

  • Put Windows onto a USB stick.

    Download Double Driver and put on stick.

    Back up the drivers using Double Driver onto a folder on the aforementioned stick.

    Start the Windows 10 install. Go have dinner.

    Copy the drivers to the hard drive.

    Reinstall any drivers from the folder on the drive as and when you need them. I tend to find the default wireless one provided by Microsoft to be rather flakey.

  • Whenever I've bought a PC (that I didn't immediately install Linux on), I go through and remove all non-OS (preinstalled) software, including the OEM's updater. I make exceptions for antivirus (actually, I don't on my hardware but I do an awful lot of this for family) as well as full software suites such as MS-Office (rarely pre-installed).

    I wasn't even worried about security from OEM updaters; I just don't want to spend the time, bandwidth and CPU cycles checking two sources - especially since any driver

    • by Dwedit ( 232252 )

      Then Windows 10 proceeds to install the OEM crapware automatically, since it is embedded in the system BIOS.
