Anti-theft tech allows remote hijacking of millions of computers

A piece of anti-theft technology installed in millions of computers can be compromised remotely and used to hijack devices and wipe them, research by a security vendor has found.

Absolute Software's Computrace tracing and anti-theft technology resides in persistent firmware or BIOS in computers and cannot easily be removed by end-users even if the hard drive is replaced.

Security vendor Kaspersky became aware of Computrace after it found a software agent running on several of its researchers' private and corporate computers and began analysing it, suspecting it was malicious code as it used tricks popular with malware writers such as anti-debugging and anti-reverse engineering techniques and secret communication.

The analysis showed Computrace comes with a small executable file for Windows, rpcnetp.exe that downloads and starts a small remote access tool which in turn communicates with a command and control server.

According to Kaspersky researcher Vitaly Kamluk, the network protocol used by Computrace for initially communicating with the server is not encrypted and does not use authentication.

This means the communication could be hijacked and trick the agent into connecting to a fake server, to attack devices and execute code remotely.

Vendors that sell systems with Computrace installed.

Source: Dmitry Bestuzhev/Kaspersky

“Powerful actors with the ability to tap fibre optics can potentially hijack computers running Absolute Computrace. This software can be used to deploy spyware implants," Kamluk said.

Making the threat worse, the Computrace agent is often activated without users knowing it has taken place, and the binaries from the company are white-listed by security vendors.

However, Kamluk notes that there have not been any reports of Computrace being used to remotely hijack computers.

Computrace is installed by many popular systems vendors, and Kaspersky estimated the number of systems with the agent activated could be more than two million around the world.

Kaspersky recommended users turn off Computrace in the system BIOS settings of their computers and remove the software agent. If Computrace is activated in BIOS, it will plant a new copy of the software agent on the hard drive of computers, and the removal procedure has to be redone.

iTnews has contacted Absolute Software for comment on Kaspersky's analysis.

Update: Absolute Software vice president of global marketing Stephen Midgley said the company is currently reviewing the Kaspersky report.

"All major anti-malware software vendors recognise the Absolute client implementation as safe, legitimate technology that improves the security of the endpoint. Hence our status as a white-listed vendor," Midgley said.

"Absolute Computrace has been reviewed and implemented by numerous organisations globally.

"Computrace has been successfully deployed and actively protecting millions of devices, without compromise, for 20 years."