In a defense of Absolute Software - I met with them a few years ago and they are a fairly large and very technical company, not a bunch of hacks. Their CTO is a guy who wrote QEMM [1] back in the 80s-90s. Younglings may not know what this is, but it was one of the most impressive and useful bits of software to ever hit MS-DOS.
With regards to the CompuTrace - it is their primary product and it has been in development for quite a while. From what I remember they went to great pains to standardize the placement of the tracing software on bootable disks, i.e. create an open standard through an RFC process with disk/OS vendors and what not. As I said they are not some random hacks, and they fully understand the importance of being open and transparent.
In other words, if you want to point a finger here, point it at Toshiba that failed to disclose the placement of CompuTrace on their laptops. Also understand that the software is designed to be hard to detect as its primary usage is tracking, recovery and remote wipe of stolen laptops, hence it being very similar to a rootkit.
I think the point here is that the computer was recording and transmitting information about him and his wife without either of their knowledge or consent. If he had wanted LoJack for his laptop, he could have signed up for one of the services that offers it. Once again, hardware manufacturers seem to think they still own the device once you've bought it.
To be fair to Absolute and Toshiba, there are advantages to this sort of tracking/anti-theft software being integrated by the manufacturer. Building it into the BIOS, though scary and rootkit-like, gives the software persistence across re-installs of Windows, a feature I doubt the standalone competitors boast. If I was a laptop thief, the first thing I'd do would be to image then wipe the drive.
But yes, consent is a must. Absolute and Toshiba should have avoided this issue by adding a clear, detailed notice/consent screen on the first boot.
It's not even consent. Toshiba should be listing this "feature" as a security feature, letting potential buyers know that there is non-removable software that allows this laptop to be tracked in the event of theft. Marketing this has the potential to turn it around from "Toshiba plants rootkits" to "Toshiba has some of the best anti-theft protection".
I don't see this listed in the official specifications, so if it were me that found it, on a laptop that doesn't say it has it, I would also agree that this is malware.
My black-hat days are behind me, but isn't it SOP to copy a version of the uncorrupted file under another name, and run it when you're done with your cruftiness? Or incorporate the old code into the .exe along with your insertion?
Right -- so a proper black hat would make autochk.exe do its bad stuff and then go ahead and do a proper checkdisk, so the user doesn't notice anything amiss.
Oh, you mean - the Absolute Software guys should have done that? Yes, totally, I'm with you! I thought you were suggesting a solution for me - a laptop user who's not able to run checkdisk.
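As an added defender-side check (not code from the thread, from Absolute or from Toshiba): verify that autochk.exe still carries a valid Microsoft signature and record whether the rpcnet.exe file mentioned later in the thread is present. The file names come from the thread; the System32 location is an assumption about a stock install, and on modern Windows catalog-signed system files report a Valid status.

```powershell
# Added example: integrity check for the files this thread names.
# Assumes a stock Windows install; "rpcnet.exe" is the name given in the
# thread, not a name taken from any vendor documentation.
$files = @(
    "$env:SystemRoot\System32\autochk.exe",
    "$env:SystemRoot\System32\rpcnet.exe"
)

foreach ($f in $files) {
    if (-not (Test-Path $f)) {
        Write-Output "$f : not present"
        continue
    }

    # Embedded or catalog Authenticode signature, plus a hash to compare
    # against the copy on the install media or a known-clean machine.
    $sig  = Get-AuthenticodeSignature -FilePath $f
    $hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(unsigned)" }

    Write-Output ("{0}`n  status: {1}`n  signer: {2}`n  sha256: {3}" -f $f, $sig.Status, $signer, $hash)

    # autochk.exe on a clean system is Microsoft-signed; anything else is
    # worth comparing against install media before trusting CHKDSK again.
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        Write-Warning "$f does not carry a valid Microsoft signature"
    }
}
```

Run it from an elevated prompt; a file that is present but unsigned or signed by someone other than Microsoft is the case the thread is describing.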
How has Absolute ensured that other malware authors won't be able to piggyback off their system?
Can my malware add a hosts file entry and cause this data to be sent to my servers instead? Could I replace the Absolute software with a botnet node and still use their nigh-irremovable persistence mechanism?
Selling laptops with a pre-installed surveillance framework, however well you meant, is not acceptable. Your software's security is likely no stronger than that of the software you exploit.
Should non-technical buyers of electronic devices simply expect to be subject to malicious behavior?
This is fucking outrageous. Imagine what would have ensued if new cars were equipped with a concealed GPS tracker, which sends location info to some unknown place, along with pictures taken by a hidden camera, without any clue given to owners.
I do not give a shit if it actually helps one to recover a stolen laptop, when I am not even told about this, let alone given the possibility to opt out.
The funny thing is that if I point a video camera at a police officer in a public space, I'll get charged with 'illegal wiretapping,' but if Toshiba implants a spying device without user knowledge/consent will they get charged with illegal wiretapping? Doubtful. Even though they are 'spying' on customers behind their backs, it will get less punishment than openly filming a police officer in a public space.
Diffusion of responsibility at its finest. As a private individual, I get crushed under the wheels of the system, while Toshiba gets to ride in the backseat.
Arguments by symmetry are incredibly powerful and useful. Why do you think they don't get to the heart of things? (Granted, X must be chosen so that it is a fair comparison, but when it's not, that choice is what should be attacked, not the structure of the argument.)
An argument by symmetry is that something shouldn't change when some irrelevant bit is changed -- such as the identity of the actors. Yes, the preconditions for using "If I X then Y" when trying to argue that "when someone else X', then Y'" is wrong are that X' is relevantly similar enough to X, and Y' is distinctly different than Y.
This article gives an overview; there may be better sources, or you could refer to forums people use for BIOS modification of SLIC tables to get a better introduction to the tools.
The T135 is a pretty old laptop which explains why it was present after vendors stopped using it - I bought one around January or February last year, it doesn't seem to have the rootkit but it's a Latin American model which might have been exempt.
The fault lies with Toshiba. I have a Dell Studio laptop and CompuTrace is an option in the BIOS - once enabled, it can't be disabled (I haven't actually tried wiping the EEPROM) but it's an option nonetheless.
This reflects badly on CompuTrace and they could certainly have taken steps to ensure that Toshiba's use of their tools didn't affect their business prospects. That they have a "Hey, do what you want with it. We don't care." approach to sales makes me wonder who else is buying from them. As above it appears IBM is on the list as well (unverified).
I understand the frustration, but how else would laptop tracking software work if not by connecting to the web and listening for commands, etc?
It seems that this app is created by: http://www.absolute.com/en-GB/
For a start, the user could be notified that he can install that system, instead of getting a laptop with such software preinstalled. I don't really see a reason to have this installed when users are not aware of it. How many people go to the producer after their laptop is stolen and ask "Have you by any chance installed some laptop tracking software on my laptop by default? I cannot identify my laptop anymore in any meaningful way - it's one of the Toshiba ones."?
If the user isn't aware of it, it's useless. If the user didn't agree to the way it's done, it's pretty much an illegal spying device.
Yeah, correct. But what if some Absolute employee turns out to be dishonest? A non-removable process, not detected by most antiviruses, that listens to commands from the Net... Seems like a botnet to me.
When we asked this question in the context of the laptops at the big enterprise that I worked for, the response from Absolute was "most of our employees are ex-cops, so that isn't a problem".
By the way, I purchased a Toshiba T135 last year from Amazon and updated the BIOS several times. I can't find any trace of the CompuTrace backdoor, but I must say that my trust in Toshiba, DELL, and other laptop manufacturers has been severely shaken. This is infuriating.
I think this adds to the advantages of using Linux and scrapping Windows; after all, with the security features of Linux nothing like this would have happened.
I see related Google results for 'rpcnet.exe'. Not sure if they are related yet (spelling error?).
Also, I wonder how quickly they could rename the executable to deter removal, given the nature of their 'Persistence Module' and antivirus industry cooperation.
I'm sure they've got it in the fine print somewhere. The (commercial) tracking software almost certainly has an EULA, which I'm sure buyers are required to agree to.
Personally, I wouldn't trust them to not break things myself. I know they may not be "amateurs" at low level things like they do to make this happen, but I still wouldn't trust it. This is why my suggestion would be to use some kind of disk/filesystem encryption. TrueCrypt should be able to defeat them putting it back on and allow you to restore (from a clean copy) the original files and get your CHKDSK back.
On another note, I don't think I'd have ever noticed this myself, every laptop I've had I end up installing Linux on because of all the crapware that gets included with the OS in the first place.
Wait, just by providing the SN of a device you can get them to modify the BIOS? (assuming that is how they would get rid of this BIOS-executed payload)
I wonder what else you can social engineer out of them with just a SN...
How would you react if you found that the builder of your home had installed hidden cameras in every single room? If you somehow find out about it and call him, he'll turn them off. No big deal, right? If you're a proper person you have nothing to hide anyway ...
[1] http://en.wikipedia.org/wiki/QEMM