Incident Response, TDR, Vulnerability Management

Pre-installed security software leaves computers vulnerable to remote hijack, experts reveal

Researchers are warning that legitimate anti-theft software, impacting millions of users with the activated installation on their computers, leaves systems vulnerable to remote hijack.

On Wednesday, Kaspersky Lab's security team published a report on Absolute Computrace, a product developed by Austin, Texas-based Absolute Software which “allows organizations to persistently track and secure all of their endpoints within a single cloud-based console,” the product page for the software says.

According to Kaspersky researchers, however, it's the fact that Absolute's tracking software is pre-installed in the firmware of laptops and desktops, and difficult to remove or disable for users, that makes its security flaws that much more concerning.

The report said that remote takeover of impacted systems was possible through a number of avenues.

“The protocol used by the [Computrace] Small Agent provides the basic feature of remote code execution,” the report said. “The protocol doesn't use any encryption or authorization with the remote server, which creates numerous opportunities for remote attacks in a hostile network environment.”

While Kaspersky hasn't seen any evidence of Computrace's weaknesses being used to carry out attacks, the researchers found that an attack on a local area network via address resolution protocol (ARP) poisoning (where a saboteur redirects all traffic from a computer running the software to their own control hub) was possible.

Another attack method could entail a domain name system (DNS) service attack “to trick the agent into connecting to a fake [command-and-control] server,” the report said.

Kaspersky Lab estimates that the vulnerable Computrace software may be activated on more than 2 million computers around the global, with the majority of computers located in the U.S. and Russia.

The firm also warned that many users are unaware that the software is even running on their systems. In fact, the team decided to look into the software after they discovered that it was running on several computers belonging to Kaspersky Lab's researchers unbeknownst to them.

After further investigation, analysts also found that Computrace had been pre-activated on a Samsung laptop at a local computer retail shop.

In its report, Kaspersky noted that other researchers had previously warned users on the security of the product.

“While physical security and a lack of proper code validation have already been shown in prior research by Core Labs, in our research we have focused on the network security aspect of such solutions. Our intention was to evaluate how secure Computrace Agent communications are and to see if it is possible to hijack control remotely,” the report said.

On Wednesday, Stephen Midgley, vice president of global marketing at Absolute Software, told via an emailed statement that the company was “currently reviewing the [Kaspersky] report” and would provide a more detailed response on the matter once its review was complete.

In the meantime, Midgley added that the “all major anti-malware software vendors recognize the Absolute client implementation as safe, legitimate technology that improved the security of the endpoint.”

“Absolute Computrace has been reviewed and implemented by numerous organizations globally,” Midgley said, later adding that the software “has been successfully deployed and actively protecting millions of devices, without compromise, for 20 years.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.