Devs angrily dismiss Absolute Computrace rootkit accusation
Developers have denied accusations that their Computrace anti-theft software poses a remote wipe risk for the computers the program is designed to protect.
However security researchers at Kaspersky Lab are standing by their warning that Absolute Software’s Computrace anti-theft technology poses a hidden threat that might be abused by hackers and cyberspies to plant malware – or worse.
Absolute’s Computrace agent resides in the firmware, or ROM BIOS (Basic Input/Output System), of millions of laptops and desktop PCs from manufacturers including Dell, Fujitsu, HP, Lenovo, Samsung, and Toshiba.
Unlike most traditional pre-installed software packages, which can be permanently removed or disabled by a user, Computrace is designed to survive professional system cleanups and even hard disk replacement.
“Powerful actors with the ability to tap fibre optics can potentially hijack computers running Absolute Computrace,” warns Vitaly Kamluk, a principal security researcher at Kaspersky Lab. “This software can be used to deploy spyware implants.”
“Our estimate is that millions of computers are running Absolute Computrace software and a large number of the users might be unaware that this software is activated and running. Who had a reason to activate Computrace on all those computers? Are they being monitored by an unknown actor? That is a mystery which needs to be solved.”
According to Kaspersky’s Security Network, there are approximately 150,000 users who have the Computrace agent running on their machines, and the majority of these computers are located in the US and Russia.
The network protocol used by the Computrace Small Agent provides basic features for remote code execution. The protocol doesn’t require using any encryption or authentication of the remote server, creating many opportunities for remote attacks, according to security researchers at the Russian security software firm.
Kasperky Lab admits that it has “no proof that Absolute Computrace is being used as a platform for attacks” while warning of the potential for all sorts of mischief.
During a presentation at Kasperky Lab’s Security Analysts Summit in a luxurious beach resort of Punta Cana in the Dominican Republic security researchers warned that “if your BIOS has the Computrace component, it can wipe any filesystem” irrespective of what operating system a machine was running.
Kaspersky’s main concern is that once the Computrace software agent starts running deactivating it is well beyond the capabilities of most users. And machines on which the software is running are thereafter wide open to hack attacks. It isn’t against the idea of anti-theft software technology per se.
“A powerful tool such as Absolute Computrace software must use authentication and encryption mechanisms to continue serving the greater good,” explained Kaspersky’s Kamluk. It’s clear that if there are a lot of computers with Computrace agents running, it is the responsibility of the manufacturer (in this case Absolute Software) to notify users and explain how the software can be deactivated and disabled.”
“Otherwise, these orphaned agents will keep on running unnoticed and provide a possibility for remote exploitation,” he added.
Security issues with Absolute Computrace have surfaced in the past. Way back in 2009, researchers from Core Security Technologies warned about how a potential attacker could modify the system registry to hijack the callbacks from Computrace, behaviour that security researchers argued was akin to a low-level rootlet.
Computrace Agent’s aggressive behaviour has even prompted some anti-virus firms to label it as malware on occasion, Kaspersky notes, adding that this detection was later removed by Microsoft and other anti-malware vendors caught up in the same snafu.
These days Computrace executables are routinely whitelisted by most anti-malware companies. In a statement supplied to El Reg, Absolute Software dismissed Kaspersky’s research, arguing that it was simply rehashing points raised by researchers at Core Security five years ago and long since addressed.
It also criticised Kaspersky for pushing out an alarmist alert without giving it the chance to respond properly beforehand, implying Kaspersky researchers had got their facts wrong before going ahead with publication.
It is surprising that Kaspersky Lab would promote this story. It was in fact originally raised and addressed five years ago. Read the 2009 response from Absolute Software. It is confusing that Kaspersky Lab has not shared their concerns with Absolute directly and provided the complete report detailing their findings. This would allow Absolute to provide them with further details about Computrace technology so that they could ensure their findings were technically accurate.
All major anti-malware software vendors recognise the Absolute client implementation as safe, legitimate technology that improves the security of the endpoint. Hence our status as a white-listed vendor.
Absolute Computrace has been reviewed and implemented by numerous organisations globally. Absolute currently has more than 30,000 active customers representing all industries including corporate, healthcare, government, and education – from Fortune 500 firms to individuals. Computrace has been successfully deployed and actively protecting millions of devices, without compromise, for 20 years.
The Absolute persistence module is embedded in the firmware of computers, netbooks, tablets, and smartphones by global leaders, including Acer, ASUS, Dell, Fujitsu, HP, Lenovo, Motion, Panasonic, Samsung, and Toshiba, and the company has reselling partnerships with these OEMs and others, including Apple. The Absolute persistence module stays in a dormant state until the Computrace software client is installed and activated.
El Reg relayed Absolute’s response to Kaspersky, which said it stood by its research and denied it was going back over old ground.
Kaspersky Lab decided to undertake full research on this topic after discovering several privately owned laptops of Kaspersky Lab security researchers had the Computrace agent running without prior authorisation. The analysed laptops were purchased in 2012 in brand new condition and with the top configurations available on the market.
It quickly became alarming when our reverse engineering revealed weak implementation of the Computrace agent. Absolute Software’s press release from 2009 claims that “The Computrace BIOS module is activated by the installation of Absolute Software by our customers, and is never forced upon any user. Computrace is designed to be activated, deactivated, controlled and managed by the customer using encrypted channels.”
However, we found signs of unauthorised activations on our hardware. Our research paper shows that the Computrace agent compiled in 2012 still uses unencrypted channels. Due to this fact, we were able to make a live demo of Computrace hijacking at the SAS2014 conference.
According to Kaspersky Lab it sent an email to Absolute Computrace with a draft version of the research paper on February 3 but didn’t get any reply. In the absence of any answer, Kaspersky went ahead with its planned presentation on what it sees as the dangers of Computrace.
“Although Absolute Computrace is a legitimate software, due to security weaknesses it can be used not as a protection tool, but as an instrument for cyber attacks,” Kasperky Lab told El Reg. “As a security company we believe it’s our job to warn people about potential serious risks hidden in Absolute Computrace.”
The security firm published an FAQ on the issue after receiving “requests for clarifications” (here). ®