Researchers find security holes in new laptops just out of the box. What you can do to fix them.
You know that updating your laptop is good for security—the patches fix holes so bad guys can’t get in.
But what if the updater itself was the problem, a security hole so easy to exploit that the bad guys could already be inside your brand new laptop, rooting around for your juiciest data?
Researchers at Duo Security tested laptops from five top makers—Dell, HP, Lenovo, Asus and Acer—and found that sloppy work and low-level security is making some of the computers’ updaters a prime target for malicious attackers, even those with little skill.
“The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant—meaning, trivial,” wrote Duo Labs security researcher Darren Kemp.
The research uncovered 12 vulnerabilities in all, most of them high-level, allowing attackers to completely take over your computer, according to Duo.
”This kind of news seems to confirm the lack of interest in doing things right on the manufacturers’ part,” said Miguel Garcia-Menendez, president of the Innovation & Technology Trends Institute and vice president of the Industrial Cybersecurity Center.
“At the same time, it gives the feeling that the rush to bring products to market—generally, to beat the competition—always wins out, so that products are put into circulation without being fully tested,” he told Archer News. “At the bottom of it all, the great problem of lack of security has its roots in the lack of quality.”
Insecurity already installed
Your new laptop comes with software already on it.
“Shovelware, crapware, bloatware, ‘value added’—it goes by a lot of names—whatever you call it, most of it is junk (please, OEMs [original equipment manufacturers], make it stop),” said Kemp.
He and his fellow researchers checked the pre-installed updaters for that ‘bloatware’ to see if the updaters could prevent man-in-the-middle attacks, where malicious hackers intercept traffic and send you their own commands. These updaters are separate from the Microsoft Windows Update.
Although all of the laptops tested allowed system takeovers, some rated worse than others.
Researchers called one of the Asus updaters an “atrocity.”
“The “Asus Live Update” software contains no security features whatsoever, allowing for easy exploitation,” the report said.
Acer, on the other hand, tried to take some security steps with its Acer Care Center updater, the report said, but implemented some steps wrong, rendering them ineffective.
A tale of two updaters
Testing showed some companies—like Lenovo—had a dramatic mix of good and bad updaters.
“Lenovo’s UpdateAgent was one of the worst updaters we looked at, providing no security features whatsoever,” the report said. However, the Lenovo Solutions Center updater was hardened against man-in-the-middle attacks.
“Security features and update behavior is not even consistent across one system, let alone one vendor,” researchers wrote. “This was especially notable with both HP and Lenovo.”
HP & Dell
HP “fared okay” in testing, researchers said. However, they found a security gap—what attackers might call “the best thing ever” for a man-in-the-middle hack.
“An attacker could wreak havoc by forcibly uninstalling HP software entirely,” the report said. “The HP updater could be used to prompt users to install undesirable software.”
Dell fared relatively well in the tests, the report said, though researchers described some implementation flaws and security steps that were “woefully insufficient.”
Researchers said they reported the problems to the manufacturers long before publishing the report.
It’s not the first time makers have pre-installed vulnerable software on your new machines.
“Every time something like this happens, we are reassured that the offending vendor of the day cares deeply about our security and privacy,” the report said. “Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any security review was performed.”
You can see more about which updaters Duo Security tested, what they found, and how manufacturers responded in their report.
Answers from manufacturers
Archer News contacted all five manufacturers for their response.
Asus, Acer and HP did not respond.
Update: Acer responded at 10:42 am on 6-2-16, saying the company has issued an update for its updater.
Effective immediately, Acer Care Center will automatically download the updated version upon initialization.
To check if the latest version is installed or to manually install the update, users can click on the information icon to access the “Check for updates” function. Consumers can also contact their nearest Acer customer service center for more details.
This update addresses the vulnerabilities that could allow unauthorized parties to potentially tamper with the software update files distributed to Acer customers.
A Lenovo spokesperson said that Duo Security notified them of a vulnerability in the updater in the Lenovo Accelerator Application software that could lead to a man-in-the-middle attack.
“Upon learning of the vulnerability, Lenovo worked swiftly and closely with Duo Security to mitigate the issue and a publish a security advisory (which can be found here: https://support.lenovo.com/product_security/len_6718),” the company said in a statement.
“Users can remove this vulnerability from their devices by uninstalling the Lenovo Accelerator Application by going to the ‘Apps and Features’ application in Windows 10, selecting ‘Lenovo Accelerator Application’ and clicking on ‘Uninstall.’ A System Update removal utility will soon be available,” the statement said.
Dell
A Dell spokesperson told Archer News that Dell “fared comparatively well” in the report, and it appears the vulnerabilities may already have been mitigated, though the company is checking the findings to make sure.
“Dell does have a robust product development and testing cycle that we are always improving and when we detect issues we work quickly to resolve them,” said Christina-Marie Furtado in Dell Communications. “However, no matter how many controls we have in place, new vulnerabilities will always arise as hackers get more and more sophisticated.”
Furtado thanked Duo and other security researchers and said others who find potential vulnerabilities can contact Dell here.
Cutting corners
Some experts say the problems may come down to money.
Bundling software with new computers—and increasingly with new software—has been going on for years, said Patrick Coyle with Chemical Facility Security News.
“I think that it started when computer manufacturers found that software vendors would actually pay them to add ‘out-of-the-box’ functionality to their computers, instead of the hardware vendors having to develop the capabilities themselves,” said Coyle.
“It is becoming more and more of a problem now because the legitimate software vendors have had to cut programming corners and sell subsequent access to the machines to be able to afford to pay the vendors,” he explained.
“The cut corners make it easier to hack the software and the future access erodes our remaining privacy protections,” he said.
What now?
If you just bought a laptop from one of these manufacturers, Duo has advice for you.
“Most laptops come with a lot of bloatware and are out of date when you first open the box. This leaves users vulnerable to some very easy attacks,” said Steve Manzuik, Duo Labs’ director of security research.
“If you are able to, we recommend wiping the system and reinstalling a clean copy of Windows and not reinstalling the vendor bloatware,” he told Archer News.
The report also recommended that the laptop companies strengthen the security of their products
“Manufacturers do not intentionally make these systems insecure,” Manzuik said. “However, the problems we identified highlight that more work is required by manufacturers to protect their customers.”
On the market
If you are looking for a new laptop, some experts recommend buying from one of the companies that performed better in testing.
“Choose one that has a greater guarantee of not having problems like those discovered by Duo, even though, unfortunately, with all probability, it will have other problems,” said Garcia-Menendez.
“Reject those products whose vulnerabilities have already been identified objectively,” he added. “It will be a good incentive for manufacturers to correct them and take better care of future products they bring to market.”