{"id":3837,"date":"2014-02-20T12:30:51","date_gmt":"2014-02-20T17:30:51","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=3837"},"modified":"2021-07-23T04:13:56","modified_gmt":"2021-07-23T08:13:56","slug":"beware-of-vulnerable-anti-theft-applications","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/beware-of-vulnerable-anti-theft-applications\/3837\/","title":{"rendered":"Beware of Vulnerable Anti-Theft Applications"},"content":{"rendered":"<p>What if your computer ran anti-theft software you never activated? Software that can make your PC remotely accessible. Software that you can\u2019t delete, even by physically replacing the hard drive. It sounds like a modern urban legend. However, it turns out to be true.<\/p>\n<p>This exact realization happened to Sergey Belov, a Kaspersky Lab malware researcher, when he started to investigate a software problem on his wife\u2019s personal laptop. A suspicious process caught his attention; at first he thought he had found a previously unknown <a href=\"https:\/\/www.kaspersky.com\/blog\/fight-rootkits\/\" target=\"_blank\" rel=\"noopener nofollow\">rootkit<\/a>. However, the process turned out to be legitimate \u2013 it was part of the Absolute Computrace software agent, a popular anti-theft solution for laptops. What is unique about Computrace is the highly privileged position it holds on a user\u2019s computer. Part of the Computrace agent resides in the BIOS or UEFI firmware, the code that executes first when a computer boots, before the operating system even starts. This lets Computrace survive \u201chard resets\u201d and even disk replacements. What is most disturbing about Computrace is that Belov\u2019s wife never activated the software and was unaware of its existence. 
Further analysis uncovered the bad news \u2013 a malicious third party can hijack the Computrace agent and use it to carry out essentially any remote action on a victim\u2019s PC.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/anti-theft\/\" target=\"_blank\" rel=\"noopener nofollow\">Anti-theft solutions<\/a> are crucial for mobile devices, as thieves favor these small and expensive gadgets. Designing anti-theft software is not an easy task. It must be tiny and stealthy. It must keep a connection to an HQ server to report its location or receive commands if the device is stolen. Finally, it must resist a thief\u2019s attempts to remove it. All these requirements mean that anti-theft software operates at a low level and needs extensive privileges on the user\u2019s machine. So what happens if such a powerful application is vulnerable? In the worst case, an attacker can do whatever they want and effectively own your computer.<\/p>\n<div class=\"pullquote\">Anti-theft solutions are crucial for mobile devices, as thieves favor these small and expensive gadgets.<\/div>\n<p>Unfortunately, I am not theorizing. Last week I witnessed a real-life demonstration, conducted by Vitaly Kamluk and Sergey Belov of Kaspersky Lab during <a href=\"https:\/\/www.kaspersky.com\/blog\/sas-day-one-kaspersky-showcases-company-industry-talent\/\" target=\"_blank\" rel=\"noopener nofollow\">Security Analyst Summit 2014<\/a>. The two researchers unboxed a newly bought Asus laptop, performed a typical set of first-run procedures and then used another PC to remotely activate the laptop\u2019s camera and eventually initiate a remote wipe. The wipe was carried out by intercepting the agent\u2019s unencrypted network packets and sending crafted data back that mimicked the genuine Computrace server \u2013 the agent accepted those commands as if they had come from the real server.<\/p>\n<p>By now you may feel an urge to immediately check your laptop for the presence of the Computrace agent. 
If you\u2019re already planning to rip it out, be warned: removal is very hard. The agent resists attempts to remove it, which is natural given its anti-theft purpose. To achieve this, the BIOS part of the Computrace agent checks on every boot whether the Windows agent is present. If it is missing, the BIOS installs a small program into the Windows OS. When Windows boots, this program downloads the full Computrace agent from the Internet and activates it. It is this download-and-activate step that is vulnerable to remote compromise, as demonstrated at SAS 2014.<\/p>\n<p><b><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/02\/06044540\/demo-computrace.jpg\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-3838\" alt=\"demo-computrace\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/02\/06044540\/demo-computrace-1024x534.jpg\" width=\"1024\" height=\"534\"><\/a><\/b><\/p>\n<p>The full analysis is <a href=\"https:\/\/securelist.com\/absolute-computrace-revisited\/58278\/\" target=\"_blank\" rel=\"noopener\">available on Securelist<\/a>, as is <a href=\"https:\/\/securelist.com\/absolute-computrace-revisited\/58278\/\" target=\"_blank\" rel=\"noopener\">the list of indicators of Computrace agent activity<\/a>. Data from <a href=\"https:\/\/www.kaspersky.com\/blog\/ksn\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security Network<\/a> indicates that 150,000 of our customers have an active Computrace agent on their machines. Vitaly Kamluk estimates that Computrace is active on 2 million computers worldwide. 
We don\u2019t know how many of them were activated by the users themselves.<\/p>\n<p>The BIOS part of Computrace is preinstalled in many popular BIOS\/UEFI firmware images, and you can encounter it on laptops from most major vendors, including Acer, Asus, Sony, Toshiba, HP, Lenovo, Samsung and others. However, only some laptops expose a visible BIOS option to enable or disable Computrace; others don\u2019t. Additionally, having the BIOS component onboard does not mean Computrace is running: the software is inactive on many computers. But Kaspersky Lab researchers found and bought some brand-new laptops that had an active Computrace agent on first run, straight out of the box. Why these agents are active, and who controls them, remains a mystery.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What if your computer ran anti-theft software you never activated? Software that can make your PC remotely accessible. Software that you can\u2019t delete, even by physically replacing<\/p>\n","protected":false},"author":32,"featured_media":3839,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[220,453,4208],"class_list":{"0":"post-3837","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-anti-theft","9":"tag-computer-protection","10":"tag-sas-2014"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/beware-of-vulnerable-anti-theft-applications\/3837\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/beware-of-vulnerable-anti-theft-applications\/2979\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/beware-of-vulnerable-anti-theft-applications\/2873\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/beware-of-vulnerable-anti-theft-applications\/3202\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/bew
are-of-vulnerable-anti-theft-applications\/2749\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/beware-of-vulnerable-anti-theft-applications\/3837\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/beware-of-vulnerable-anti-theft-applications\/3837\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/anti-theft\/","name":"Anti-theft"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3837"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3837\/revisions"}],"predecessor-version":[{"id":40705,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3837\/revisions\/40705"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/3839"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
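The weak step the article describes (a small program dropped by the firmware calls home in the clear and acts on whatever comes back, so an on-path attacker can impersonate the server and, for instance, turn an install into a wipe) is easier to reason about with both sides of the exchange in code. The following is an added example written for this page; it is not Computrace's code or protocol. The message format, the command names, `SERVER_KEY`, `LEGIT_AGENT` and the nonce scheme are constructed stand-ins. It contrasts a client that trusts the plaintext reply with one that verifies a keyed tag and binds the reply to a per-session nonce, and shows the attacker-in-the-middle rewrite that defeats only the first.

```python
"""Why an unauthenticated agent check-in can be hijacked, and what fixes it.

Constructed model of the bootstrap step the article describes. Message
format, command names, keys and the 'agent' bytes are made up for this
demo; none of it is Computrace's real protocol.
"""
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real bootstrapper should pin a *public* key and
# verify an asymmetric signature, so nothing secret has to live in
# firmware; HMAC is used here only to keep the example stdlib-only.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
LEGIT_AGENT = b"MZ\x90\x00...pretend this is the full agent binary"


def new_nonce() -> str:
    """Fresh per-session value the client sends with its check-in."""
    return secrets.token_hex(16)


def server_reply(nonce: str, cmd: str, payload: bytes, key: bytes = SERVER_KEY) -> bytes:
    """Genuine server reply: a JSON body plus an HMAC-SHA256 tag over it.
    Echoing the client's nonce means a captured reply cannot be replayed."""
    body = json.dumps({"nonce": nonce, "cmd": cmd, "payload": payload.hex()},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def attacker_in_the_middle(wire: bytes) -> bytes:
    """Someone on the network path rewrites the reply into a wipe command.
    They do not know SERVER_KEY, so the tag they attach is worthless."""
    body, _tag = wire.rsplit(b"\n", 1)
    msg = json.loads(body)
    msg["cmd"] = "wipe"
    msg["payload"] = b"".hex()
    forged = json.dumps(msg, sort_keys=True).encode()
    bogus_tag = hmac.new(secrets.token_bytes(32), forged, hashlib.sha256).hexdigest().encode()
    return forged + b"\n" + bogus_tag


def plaintext_client(wire: bytes):
    """The vulnerable design: trust the body, never look at the tag."""
    body, _tag = wire.rsplit(b"\n", 1)
    msg = json.loads(body)
    return (msg["cmd"], bytes.fromhex(msg["payload"]))


def authenticated_client(wire: bytes, expected_nonce: str, key: bytes = SERVER_KEY):
    """The hardened design: verify the tag before acting on anything,
    then check the reply is bound to this session's nonce."""
    parts = wire.rsplit(b"\n", 1)
    if len(parts) != 2:
        return ("rejected", "malformed: no tag present")
    body, tag = parts
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected_tag):
        return ("rejected", "bad tag: not from the genuine server")
    msg = json.loads(body)
    if msg.get("nonce") != expected_nonce:
        return ("rejected", "nonce mismatch: replayed or cross-session reply")
    return ("accepted", msg["cmd"], bytes.fromhex(msg["payload"]))


def demo():
    """Run the genuine, forged and replayed scenarios against both clients."""
    nonce = new_nonce()
    genuine = server_reply(nonce, "install", LEGIT_AGENT)
    forged = attacker_in_the_middle(genuine)
    # A real, correctly tagged 'wipe' captured from some other session.
    replayed = server_reply("stale-nonce-from-another-session", "wipe", b"")
    return {
        "plaintext_vs_genuine": plaintext_client(genuine),
        "plaintext_vs_forged": plaintext_client(forged),            # attacker wins
        "auth_vs_genuine": authenticated_client(genuine, nonce),
        "auth_vs_forged": authenticated_client(forged, nonce),      # rejected
        "auth_vs_replayed": authenticated_client(replayed, nonce),  # rejected
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:22s} -> {outcome}")
```

The tag check must run before any field of the reply is acted on, and the nonce check is what stops an attacker who has recorded a legitimately tagged wipe from feeding it back later. In production the same two properties (server authenticity and freshness) are normally obtained by verifying a signature under a pinned public key and running the exchange over TLS with certificate pinning; the point of the plaintext client is that neither property exists, so anyone on the path is the server.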