Major LoJack BIOS vulerability found...what will Dell do?

Question

So, some BIOS security researchers released a paper at the BlackHat conference highlighting some extremely bothering and major security flaws in Computrace's LoJack for laptops implementation. More info explaining it can be found here. Computrace, Inc. has already suspiciously rapid-fire style refuted these claims, but US-CERT and at least one major manufacturer has already begun to ask questions. The really bad part about this is that the issue lies at the BIOS level of laptops and virtually every laptop Dell has made in the past several years has this functionality built into their BIOSes. What makes this worse is that if enabled by the user in the BIOS (like myself), it can never be disabled again, leaving those who have enabled the functionality open to potentially disastrous implications like complete access to the compromised PC all the way to the OS-level from an attacker. This is just all-around bad and I'd like to know what Dell is going to do to stop this. This is a VERY serious issue and at this point, there is absolutely no way to fix it. As a Network Security specialist with former experience in large-scale government FISA enforcment, I can say that I would almost be forced to decommission all laptops with this function enabled and be on the phone with my laptop manufacturer and Computrace calmly excrementing cinder-blocks over this. It's that serious. So I have one question to Dell: How are you going to fix this?

mutiny32 · Answer

This has begun to snowball with CompuTrace's denial that their software/bios system is a rootkit and that it cannot be easily exploited. I'm still waiting for  word from Dell on this. I've been in contact with some old coworkers who are in charge of this type of security at a large government agency and they are almost to the point of recalling all of the laptops with this built-in. Dell laptops. This is unacceptable, not just from Dell, but also from their lack of action on trying to fix this issue by either pressuring Computrace into beefing up the security on the software or releasing BIOS updates enabling some sort of safeguard against potential exploitation.

hrova · Answer

To add to what Davet said....

Dell does not warrant third party products, nor do they warrant software.

Any fix would need to come from CompuTrace. Perhaps you should pose your questions to them. If they issue a fix, I am sure Dell will implement it, but I would be surprised if they did anything until then.

I doubt they will have any response on this subject for a while....

Are any of the other computer makers (HP, Acer, etc...) actively doing anything about this?

Davet50 · Answer

Since this is a user to user forum if you are awaiting any response from Dell it will not be forthcoming as Dell does not monitor these forums.

Tom McCune · Answer

Is there anything new on this? I received my XPS1640 a few days ago, and need to decide on whether to activate LoJack.

hrova · Answer

The maker of LoJack, Absolute Software, has denied there is any problem. See the article here:

http://www.absolute.com/company/pressroom/news/2009/07/refutes_claim

I don't know who to believe, but one thing to consider is that none of the major antivirus makers have jumped onthis and stated there is any problem, That fact almost makes me trust LoJack's comments that this is a non issue, but I am nowhere near expert enough to decide either way.

Tom McCune · Answer

Thanks hrova, I'm still undecided though.

Locked Topics – Laptops General

Was this post helpful?