June 1, 2016
Researchers from Duo Security have discovered that HP Inc, Dell, Acer, and Lenovo machines are all susceptible to hackers, reported International Business Times. Laptops bought off-the-shelf come with “bloatware or third party pre-installed software that users don’t really need”, and professionals in cybersecurity do not advocate purchasing them. The Recycler recently reported on working from a virtual office, and as working from home relies on laptops, preventing hacking is of utmost importance.
During its research, Duo Security tested all of the above computers and also uncovered the “eDellRoot backdoor” discovered in November 2015, with Dell admitting that its latest PCs “contain security backdoors that expose customers to being hacked”. Researchers also discovered that “every single manufacturer’s updater had security vulnerabilities that put millions of consumers at risk”.
Steve Manzuik, Duo Security’s Director of Security Research, commented: “Short of explicitly disabling updaters and removing OEM components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. In general you have to be a tech person to understand there’s a problem and then know how to fix it. You have to know to go to the manufacturer’s website and know how to download and install the software. We knew these laptops were being bought by people who aren’t tech people.”
Because customers are unaware and are not using basic security (encryption) to protect messages, it is simple for a hacker to adjust data sent from “the server to the laptop and add an extra file that might run” and cause problems. Darren Kemp, a Duo Security Researcher, added that “on each laptop there’s a lot of different software doing very different things built by different departments. I have the feeling it’s very difficult for the manufacturer to track.
“It’s a short turnaround and the manufacturer probably doesn’t get enough time to secure each piece of software. For example, in one Lenovo updater, they obviously put in a lot of effort to secure it, and then running parallel to it was another updater that had none of the security features enabled”. The OEMs were informed of the security risks as they were found – some reacted to this immediately, while others did not and have still not addressed the problems.
Manzuik stated: “Asus and Acer were the worst. With Asus, there were two different vulnerabilities. This one had code execution that was quite obvious and easy to exploit – it literally took less than 10 minutes to attack the system using that vulnerability. They have told us they are patching the issue, but we have still not seen a patch from it. They originally did make a patch, but then they didn’t release it. We told them about the bugs over three months ago.”
Lenovo and HP Inc were commended by Duo Security for “taking the risks seriously and having a process in place for researchers to report such issues”, with Lenovo deciding to “completely remove the offending updater software from its laptops”. Manzuik advised that “the best advice we can offer is to make sure you remove all the third-party bloatware on these machines.
“In a lot of cases, our biggest concern is that a lot of people are buying these laptops and then bringing them into the corporate network. IT guys need to tell them to remove bloatware and clean the computers up, and users should also make sure they’re using good passwords, two-factor authentication and to turn on encryption.”