Alfredo Ortega and Anibal Sacco, researchers for penetration testing software company Core Security Technologies, demonstrated at Black Hat how Absolute Software's Computrace LoJack For Laptops contains a BIOS rootkit-like vulnerability.The reason this is significant is that about 60% of laptops ship with this installed including those from Dell, HP, Toshiba, and Lenovo. These companies are listed as OEM partners on Absolute's web site.
Here is a good article which describes how LoJack for Laptops works and the vulnerability. Lest you think this is only a Windows issue, the software is also used on Macs, although Apple is not listed as an OEM partner.
In order for this vulnerability to be exploited the bad guy would need physical access to your laptop or remote access with Admin/root privileges. If you are running in User-mode, which should be an enforced policy, the risk drops significantly. The high risk exploits are:
- A keylogger is installed and used to capture your passwords which, for example, you use to access your bank accounts
- An agent is installed that enables the bad guy to retrieve whatever data is stored on the system, such as intellectual property, financial records, etc.
There are always trade-offs in technology. By definition, adding features increases the attack surface. The good news is that LoJack for Laptops reduces the risk of disclosing information on lost or stolen laptops. The bad news is that by using it, you are increasing the risk of a rootkit-like attack on the laptop.
