Hackers can use common anti-theft tool to wipe devices remotely

According to a Kaspersky Lab researcher, a popular anti-theft software installed on laptops from pretty much every major computer manufacturer can be used by attackers to hijack computers.

Absolute Software claims its Computrace product helps organisations track and secure their endpoints. As far as Kaspersky Lab is concerned, the tool can be used by attackers to remotely monitor and control these machines, and even wipe all the information from the computer.

"It's clear that if there are a lot of computers with Computrace agents running, it is the responsibility of the manufacturer to notify users and explain how the software can be deactivated and disabled," said Vitaly Kamluk, a principal security researcher at Kasperksy Lab.

Kamluk told attendees at the conference he was surprised to find Computrace on his home laptop despite never having bought or installed anything from Absolute Software. He is not the only one, as there are other reports from users online "claiming they found them [Computrace] on their machines and they had never purchased Absolute," he said

Computrace Inside

Computrace appears to come pre-installed on a dozen major laptop manufacturers, including Samsung, Acer, Lenovo, Hewlett-Packard, Dell, Panasonic, Toshiba, Asus, Gateway, General Dynamics, Fujitsu, and Gamatech. Since it is intended to be used as an anti-theft tool, it is whitelisted by major antivirus vendors so most users never have any idea the software is on their machines. "All companies see it as a legitimate product," said Anibal Sacco, co-founder and researcher at Cubica Labs who first analysed Computrace back in 2009 while at Core Security Technologies.

The agent resides in the firmware, so it doesn't matter what operating system you are running, or what kind of security protections you have. It's embedded right in the hardware and is difficult to remove. Most pre-installed software can be permanently removed or disabled by the user, but Computrace is designed to survive professional system cleanup and even hard disk replacement.

According to statistics provided by Kaspersky's Security Network, there are approximately 150,000 users who have the Computrace agent running on their machines, which means the number of users worldwide with Computrace active may exceed 2 million. The majority of these computers are located in the United States and Russia, Kaspersky Lab said.

Problematic Behavior

While Computrace is commercial software designed to do good, it employs many of the same tricks as malware, including using anti-debugging and anti-reverse engineering techniques, injecting memory into other processes, and encrypting configuration files. Sacco described the tool as a "latent toolkit" and noted the Windows agent has no authentication of any kind. Computrace communicates with the servers at Absolute Software over an unencrypted channel and stores information unencrypted. The network protocol can be used for remote code execution and is vulnerable to abuse, Sacco warned.

Kaspersky Lab said that encryption seems to be added to the network protocol at a later stage of communications, but that attackers can still take advantage of the unencrypted components to remotely hijack the system. Kamluk said Computrace could be used to install spyware on the endpoints, redirect all traffic from a computer running Small Agent to the attacker's host via ARP-poisoning, and launch a DNS service attack to trick the agent into connecting to a fake C&C server, to name a few.

"There is a big problem with this," Sacco told attendees.

No Problem Here?

Absolute Software's CTO, Phil Gardner, criticised the Kaspersky research as "flawed" and said it had "questionable technical merit." Absolute Software said Computrace uses encryption and authentication to the server, which would prevent the types of attacks Kamluk warned about.

The agent won't communicate with a server unless it's authorised, and "will only communicate with mutual authentication of the server and the client," Gardner said.

Before an attacker can use Computrace maliciously, the endpoint must be compromised. "The obstacles to mounting such an attack are considerable and are not achievable via the mechanism outlined in the Kaspersky report," Absolute Software said in an FAQ.

Even so, if you don't like the idea of something running on your computer you don't know about, you can follow the instructions from Kaspersky Lab to find and disable Computrace.

Hijack and Wipe

Kamluk demonstrated a proof-of-concept at the summit showing how an attacker could launch a man-in-the-middle attack against a machine in which Computrace was installed. The attacker could pretend to be a server from Absolute Software and change memory in the victim's machine.

"Anyone with the power to control your Internet connection could do the same—a government or an ISP, for example," Kamluk said.

Kaspersky Lab says it has no proof that Absolute Computrace has been used in attacks to date. Absolute Software needs to use authentication and encryption to secure Computrace so that it cannot be abused, Kamluk said.

During Kamluk's presentation, several attendees could be seen checking their BIOS to see if Computrace was present on their computers. By the end of the presentation, the tension in the room was almost palpable, as many of the attendees realised just how widespread Computrace was and that they weren't even aware of its presence on their machines. It was also disturbing just how many of them were enabled by default.