Instead, Kamluk had uncovered a flawed but legitimate tracking program developed by a Canadian company named Absolute Software, which had apparently been installed at the manufacturer level. Computrace — now known as LoJack For Laptops via a licensing agreement with the famous vehicle-tracking company — has been publicly documented as having security problems, based on multiple reports, which worried Kamluk because he knew someone could leverage the underlying program in an attack to gain remote access.
The fresh report suggested that an infamous group of Russian government-linked hackers was able to exploit a lingering flaw in LoJack to conduct espionage operations. Absolute Software was warned about the issue as early as The finding is significant because LoJack comes preinstalled on many computers made by different vendors, and it has expanded in recent years to also cover Android devices. It also shows that even when big companies choose to make security improvements in their supply chains, distributing a fix can be extremely difficult.
Absolute Software says it has taken concrete steps to fix related flaws in newer versions of LoJack. But these fixes have never been publicized or cataloged by the MITRE Corporation, which maintains a running list of vulnerabilities. Researchers who spoke to CyberScoop said they had not yet reverse-engineered the latest versions of LoJack, so it was not possible to confirm whether it is more secure today.
Damosthy Computrace is a component installed by Absolute software to enable you to track and locate your PC -- an invaluable function should it be lost or stolen. I am a volunteer and I do not work for, nor represent, HP.
WAWood wrote: Damosthy Computrace is a component installed by Absolute software to enable you to track and locate your PC -- an invaluable function should it be lost or stolen.
I know what it is and I know it can be exploited.
Damosthy OK
Here is the contact info if you want to pursue this If you have trouble finding a phone number, then try: 1 I am a volunteer and I do not work for, nor represent, HP.
Default setting: Deactivate NOTE: The Activate and Disable options will permanently activate or disable the feature and no further changes will be allowed.
In response to jphughan. Any trick to make it disable?
You can do absolutely anything. A half year later, Computrace remains exploitable. The mystery regarding who or what is activating Computrace remains unsolved. However, forensic analyses of affected computers show that Computrace dates back to the first system boot. Deeper analysis of a brand new machine on which Computrace was not enabled may hint at how the anti-theft product is ending up on machines automatically.
Kamluk and Sacco believe that manufacturers may run tests on newly made machines checking for compatibility with Computrace. They managed to extract the test and run it themselves: Next the test reboots the system and checks that rpcnetp. Finally, the test reboots and checks that rpcnetp.
When Sacco and Kamluk simulated the test, it crashed out during the third step, meaning it failed to remove the mechanism that initiates Computrace. Kamluk and Sacco noted in their Black Hat talk that Computrace, though it acts like malware in a number of ways, is not detected by antivirus engines. And there are a number of good reasons for that, not the least of which is that Computrace is a well-known piece of software that is whitelisted by most antivirus companies, trusted by large numbers of hardware companies and developed by a legitimate business.
In a system with Computrace, they say the situation is even worse, because rpcnet. With this attack, all the Computrace persistency features will be turned against the user, by giving control to the attacker. This provides an attacker with a disguised connect back method in a Computrace deployed system.
The modified rpcnet executables can be detected by antivirus engines, but because of white-listing, the executables are not blocked. Otherwise, these orphaned agents will keep on running unnoticed and provide opportunities for remote exploitation.