BreachExchange mailing list archives

Hackers can use common anti-theft tool to wipe devices remotely


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 18 Feb 2014 19:05:20 -0700

http://www.itproportal.com/2014/02/18/hackers-can-use-common-anti-theft-tool-wipe-devices-remotely/

According to a Kaspersky Lab researcher, a popular anti-theft software
installed on laptops from pretty much every major computer manufacturer can
be used by attackers to hijack computers.

Absolute Software claims its Computrace product helps organisations track
and secure their endpoints. As far as Kaspersky Lab is concerned, the tool
can be used by attackers to remotely monitor and control these machines,
and even wipe all the information from the computer.

"It's clear that if there are a lot of computers with Computrace agents
running, it is the responsibility of the manufacturer to notify users and
explain how the software can be deactivated and disabled," said Vitaly
Kamluk, a principal security researcher at Kaspersky Lab.

Kamluk told attendees at the conference he was surprised to find Computrace
on his home laptop despite never having bought or installed anything from
Absolute Software. He is not the only one, as there are other reports from
users online "claiming they found them [Computrace] on their machines and
they had never purchased Absolute," he said.

Computrace Inside

Computrace appears to come pre-installed on a dozen major laptop
manufacturers, including Samsung, Acer, Lenovo, Hewlett-Packard, Dell,
Panasonic, Toshiba, Asus, Gateway, General Dynamics, Fujitsu, and Gamatech.
Since it is intended to be used as an anti-theft tool, it is whitelisted by
major antivirus vendors so most users never have any idea the software is
on their machines. "All companies see it as a legitimate product," said
Anibal Sacco, co-founder and researcher at Cubica Labs who first analysed
Computrace back in 2009 while at Core Security Technologies.

The agent resides in the firmware, so it doesn't matter what operating
system you are running, or what kind of security protections you have. It's
embedded right in the hardware and is difficult to remove. Most
pre-installed software can be permanently removed or disabled by the user,
but Computrace is designed to survive professional system cleanup and even
hard disk replacement.

According to statistics provided by Kaspersky's Security Network, there are
approximately 150,000 users who have the Computrace agent running on their
machines, which means the number of users worldwide with Computrace active
may exceed 2 million. The majority of these computers are located in the
United States and Russia, Kaspersky Lab said.

Problematic Behavior

While Computrace is commercial software designed to do good, it employs
many of the same tricks as malware, including using anti-debugging and
anti-reverse engineering techniques, injecting memory into other processes,
and encrypting configuration files. Sacco described the tool as a "latent
toolkit" and noted the Windows agent has no authentication of any kind.
Computrace communicates with the servers at Absolute Software over an
unencrypted channel and stores information unencrypted. The network
protocol can be used for remote code execution and is vulnerable to abuse,
Sacco warned.

Kaspersky Lab said that encryption seems to be added to the network
protocol at a later stage of communications, but that attackers can still
take advantage of the unencrypted components to remotely hijack the system.
Kamluk said Computrace could be used to install spyware on the endpoints,
redirect all traffic from a computer running Small Agent to the attacker's
host via ARP-poisoning, and launch a DNS service attack to trick the agent
into connecting to a fake C&C server, to name a few.

"There is a big problem with this," Sacco told attendees.

No Problem Here?

Absolute Software's CTO, Phil Gardner, criticised the Kaspersky research as
"flawed" and said it had "questionable technical merit." Absolute Software
said Computrace uses encryption and authentication to the server, which
would prevent the types of attacks Kamluk warned about.

The agent won't communicate with a server unless it's authorised, and "will
only communicate with mutual authentication of the server and the client,"
Gardner said.
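The disagreement above turns on one property: whether the agent accepts commands from any host that answers, or only from a server that can prove it holds a shared secret (and vice versa). The following added example, which is not code from the article, from Kaspersky Lab or from Absolute Software and does not model the real Computrace protocol, contrasts the two designs with a toy nonce-based HMAC challenge-response between an endpoint agent and a management server. All class names, the `WIPE` command and the shared-key scheme are assumptions made for illustration.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Hypothetical toy protocol (not Computrace's): each side issues a fresh
# random nonce; the peer answers with HMAC-SHA256(key, nonce || payload).
# An agent built with key=None models "no authentication of any kind".

def _mac(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    return hmac.new(key, nonce + payload, hashlib.sha256).digest()


class Agent:
    """Endpoint agent. With a key it verifies the server before obeying."""

    def __init__(self, key: Optional[bytes]):
        self.key = key
        self.wiped = False          # side effect of an accepted WIPE command
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)   # fresh per session: stops replay
        return self.nonce

    def prove_identity(self, server_nonce: bytes) -> Optional[bytes]:
        # Agent -> server half of mutual authentication.
        return None if self.key is None else _mac(self.key, server_nonce, b"AGENT")

    def handle(self, command: bytes, tag: Optional[bytes]) -> bool:
        if self.key is not None:
            if tag is None or not hmac.compare_digest(_mac(self.key, self.nonce, command), tag):
                return False    # peer could not prove it holds the shared key
        if command == b"WIPE":
            self.wiped = True
        return True


class Server:
    """Management server (or an impostor, if given the wrong key or none)."""

    def __init__(self, key: Optional[bytes]):
        self.key = key
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_agent(self, proof: Optional[bytes]) -> bool:
        if self.key is None:
            return True         # an unauthenticating server trusts anyone
        return proof is not None and hmac.compare_digest(_mac(self.key, self.nonce, b"AGENT"), proof)

    def sign_command(self, agent_nonce: bytes, command: bytes) -> Tuple[bytes, Optional[bytes]]:
        if self.key is None:
            return command, None
        return command, _mac(self.key, agent_nonce, command)


def run_session(agent: Agent, server: Server, command: bytes) -> bool:
    """One full exchange; returns True only if the agent executed the command."""
    if not server.verify_agent(agent.prove_identity(server.challenge())):
        return False            # server rejects an agent that cannot authenticate
    cmd, tag = server.sign_command(agent.challenge(), command)
    return agent.handle(cmd, tag)


def scenario(agent_key: Optional[bytes], server_key: Optional[bytes]) -> bool:
    """Convenience wrapper: does a WIPE from this server take effect on this agent?"""
    agent = Agent(agent_key)
    run_session(agent, Server(server_key), b"WIPE")
    return agent.wiped


if __name__ == "__main__":
    real = secrets.token_bytes(32)
    print("unauthenticated agent, impostor server:", scenario(None, None))   # True: wiped
    print("keyed agent, genuine server:          ", scenario(real, real))   # True: wiped
    print("keyed agent, impostor server:         ", scenario(real, b"x" * 32))  # False
```

The point of the contrast is that with `key=None` the agent executes a destructive command from whoever reaches it first on the network, which is the failure mode the researchers describe; with a shared key and fresh nonces in both directions, an impostor that merely sits on the path cannot produce a valid tag, and a spoofed agent cannot talk the server into a session either.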

Before an attacker can use Computrace maliciously, the endpoint must be
compromised. "The obstacles to mounting such an attack are considerable and
are not achievable via the mechanism outlined in the Kaspersky report,"
Absolute Software said in an FAQ.

Even so, if you don't like the idea of something running on your computer
you don't know about, you can follow the instructions from Kaspersky Lab to
find and disable Computrace.

Hijack and Wipe

Kamluk demonstrated a proof-of-concept at the summit showing how an
attacker could launch a man-in-the-middle attack against a machine in which
Computrace was installed. The attacker could pretend to be a server from
Absolute Software and change memory in the victim's machine.

"Anyone with the power to control your Internet connection could do the
same--a government or an ISP, for example," Kamluk said.

Kaspersky Lab says it has no proof that Absolute Computrace has been used
in attacks to date. Absolute Software needs to use authentication and
encryption to secure Computrace so that it cannot be abused, Kamluk said.

During Kamluk's presentation, several attendees could be seen checking
their BIOS to see if Computrace was present on their computers. By the end
of the presentation, the tension in the room was almost palpable, as many
of the attendees realised just how widespread Computrace was and that they
weren't even aware of its presence on their machines. It was also
disturbing just how many of them were enabled by default.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
