On 23 Apr 2013 at 17:47, Ben Scott wrote:
> On Tue, Apr 23, 2013 at 2:53 PM, James Rankin <[email protected]> wrote:
>
>> I think the BIOS piece, if Activated, puts the agent back onto it.
>> It downloads the software from Lojack and installs it silently.
> Yah, that's scary enough. I mean, sure, if someone else can control
> the hardware, in theory they can do anything, but think about the
> implications. Is there some kind of hook in Windows that lets the
> BIOS run arbitrary code? If so, that's kind of spooky. Or are they
> using a higher privilege level to inject code directly into the
> kernel? If so, what happens when a kernel update comes out?
My guess is that the software re-installs itself pre-boot (much like CHKDSK /F
can be made to run before Windows loads). Not sure what would happen if it
started up and tried to write to a Truecrypted or Bitlocked drive.
In 2009 this got some bad press at BlackHat:
Researchers find insecure BIOS 'rootkit' pre-loaded in laptops | ZDNet
LAS VEGAS -- A popular laptop theft-recovery service that ships on
notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic
is actually a dangerous BIOS rootkit that can be hijacked and controlled
by malicious hackers.
The service -- called Computrace LoJack for Laptops -- contains design
vulnerabilities and a lack of strong authentication that can lead to "a
complete and persistent compromise of an affected system," according to
a Black Hat conference presentation by researchers Alfredo Ortega and Anibal
Sacco from Core Security Technologies.
Seen here:
http://www.zdnet.com/blog/security/researchers-find-insecure-bios-rootkit-pre-loaded-in-laptops/3828
Not sure if these vulnerabilities have been fixed since.
FWIW, the published list of laptops which have this in the BIOS:
BIOS Compatibility | Absolute Software
http://www.absolute.com/en/partners/bios-compatibility
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
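Added example, not from anyone in this thread: the "CHKDSK /F runs before Windows loads" analogy above refers to the Session Manager's BootExecute value, which is how a pending chkdsk gets autochk.exe run before the rest of Windows starts. Anything else placed in that value also runs pre-boot, so it is one of the first places to audit when a tool is suspected of re-installing itself before the OS is up. The script below reads BootExecute, flags any entry that is not the autochk scheduler, and checks that autochk.exe itself still carries a Microsoft signature. Assumptions: a clean system's default value is exactly "autocheck autochk *" (a scheduled chkdsk adds a second "autocheck autochk ..." entry, which the filter treats as legitimate), and the script is run from an elevated PowerShell on the machine being examined. It says nothing about whether the firmware module is present; it only covers the pre-boot hook the analogy points at.

```powershell
# Added example (not code from the thread or from Absolute Software).
# Audit the pre-boot hook behind "CHKDSK /F runs before Windows loads":
# Session Manager\BootExecute is a REG_MULTI_SZ whose every entry runs
# before Windows fully loads. Assumption: the only legitimate entries
# begin with "autocheck autochk" (the default is "autocheck autochk *").

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$bootExecute = (Get-ItemProperty -Path $key -Name BootExecute).BootExecute

# Anything that is not the chkdsk scheduler is unexpected at this stage of boot.
$unexpected = @($bootExecute | Where-Object { $_ -notlike 'autocheck autochk*' })

if ($unexpected.Count -gt 0) {
    Write-Warning 'Non-default BootExecute entries (these run before Windows loads):'
    $unexpected | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output 'BootExecute holds only the autochk scheduler entries.'
}

# The default entry runs %SystemRoot%\System32\autochk.exe, so a pre-boot
# installer could also hide by replacing that binary. Confirm the file is
# still Microsoft-signed.
$autochk = Join-Path $env:SystemRoot 'System32\autochk.exe'
$sig = Get-AuthenticodeSignature -FilePath $autochk
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
    Write-Warning "autochk.exe signature check failed: status=$($sig.Status) signer=$subject"
} else {
    Write-Output "autochk.exe is intact: status=$($sig.Status) signer=$subject"
}
```

Run it elevated; reading HKLM works unprivileged, but the comparison is only meaningful on the machine you suspect. On older Windows versions autochk.exe may be catalog-signed rather than carrying an embedded signature, in which case Get-AuthenticodeSignature can report NotSigned even for a clean file; compare its hash against a known-good copy from the same build before treating that as a finding.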
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin