When companies allow staff to use their own systems to access corporate data, the devices used can often be outside of IT department control.
But how much of a security and privacy hazard is presented by a new off-the-shelf laptop? Security company Duo Labs set out to discover the risks by buying a number of OEM Windows 10 machines in the US, Canada and the UK and testing them for vulnerabilities.
All of the systems tested were found to have privacy issues, some were more serious than others and many of them affected all the machines. Network protocol-related security issues affected all the laptops, starting as soon as the laptop appeared on the network during initial boot.
Following the application of Patch Tuesday updates, some privacy settings were reset to their default values, without the user being notified that they'd changed. Default laptop settings and protocols make it easier for an attacker to sniff, grab, view and redirect an unsuspecting user’s traffic especially on public networks.
Bloatware and trial software was at the root of questionable traffic on some of the systems too. The OEM Microsoft Signature Edition machine tested came in for praise here as it had less unnecessary software installed. It did, however, still have some of the Windows 10 privacy concerns identified elsewhere.
Systems with McAfee security trials installed were found to contain web bugs that could be used to track and serve advertising to users. "We observed web bugs which are used typically by advertisers to track surfing habits. You'd expect to see this in web browsers as they're a reality of internet advertising today. It seems curious to us that a security company would do this, because as an attacker if I were to compromise a third-party advertising company I would then have the ability to feed my content out to all the systems using that platform," says Steve Manzuik Director of Research at Duo.
"I don't think there's anything nefarious going on, they're using it to track their trial versions and get people to buy the software, but it seems odd that this would be the route they decided to use".
More information and the full report, along with recommendations for making out-of-the-box machines more secure, is available from the Duo website.