
Rootkit on a Brand new Toshiba laptop - jitbit
http://blog.jitbit.com/2011/04/rootkit-on-brand-new-toshiba-laptop.html
======
huhtenberg
In a defense of Absolute software - I met with them few years ago and they are
a fairly large and very technical company, not a bunch of hacks. Their CTO is
a guy who wrote QEMM [1] back in 80-90s. Younglings may not know what this is,
but it was one of the most impressive and useful bits of software to ever hit
MS-DOS.

With regards to the CompuTrace - it _is_ their primary product and it has been
in development for quite a while. From what I remember they went to
great pains to _standardize_ the placement of the tracing software on bootable
disks, i.e. create an open standard through RFC process with disk/OS vendors
and what not. As I said they are not some random hacks, and they fully
understand the importance of being open and transparent.

In other words, if you want to point a finger here, point it at Toshiba that
failed to disclose the placement of CompuTrace on their laptops. Also
understand that the software is designed to be hard to detect as its primary
usage is tracking, recovery and remote wipe of stolen laptops, hence it being
very similar to a rootkit.

[1] <http://en.wikipedia.org/wiki/QEMM>

~~~
tectonic
I think the point here is that the computer was recording and transmitting
information about him and his wife without either of their knowledge or
consent. If he had wanted LoJack for his laptop, he could have signed up for
one of the services that offers it. Once again, hardware manufacturers seem to
think they still own the device once you've bought it.

~~~
skymt
To be fair to Absolute and Toshiba, there are advantages to this sort of
tracking/anti-theft software being integrated by the manufacturer. Building it
into the BIOS, though scary and rootkit-like, gives the software persistence
across re-installs of Windows, a feature I doubt the standalone competitors
boast. If I were a laptop thief, the first thing I'd do would be to image then
wipe the drive.

But yes, consent is a must. Absolute and Toshiba should have avoided this
issue by adding a clear, detailed notice/consent screen on the first boot.

~~~
uxp
It's not even consent. Toshiba should be listing this "feature" as a security
feature, letting potential buyers know that there is non-removable software
that allows this laptop to be tracked in event of theft. Marketing this has
the potential to turn it around from "Toshiba plants rootkits" to "Toshiba has
some of the best anti-theft protection."

I don't see this listed in the official specifications, so if it were me that
found it, on a laptop that doesn't say it has it, I would also agree that this
is malware.

[http://us.toshiba.com/computers/laptops/satellite/T100/T135-...](http://us.toshiba.com/computers/laptops/satellite/T100/T135-S1309)

------
gtank
How has Absolute ensured that other malware authors won't be able to piggyback
off their system?

Can my malware add a hosts file entry and cause this data to be sent to my
servers instead? Could I replace the Absolute software with a botnet node and
still use their nigh-irremovable persistence mechanism?

Selling laptops with a pre-installed surveillance framework, however well you
meant, is not acceptable. Your software's security is likely no stronger than
that of the software you exploit.

Should non-technical buyers of electronic devices simply expect to be subject
to malicious behavior?

~~~
joe_the_user
This is an especially important point and should be at the top of this page.
Makes me miss the karma indicators...

The problem with arbitrary surveillance isn't just that it's icky, unfair and
(hopefully) illegal. It's that it is easily used by criminals.

------
xyzzyz
This is fucking outrageous. Imagine what would have ensued if new cars were
equipped with concealed GPS tracker, which sends location info to some unknown
place, along with pictures taken by hidden camera, without any clue given to
owners.

I do not give a shit if it actually helps one to recover a stolen laptop, when
I am not even told about this, let alone given the possibility to opt out.

~~~
cooldeal
I think you haven't heard of OnStar, have you?

~~~
trafficlight
But it's pretty obvious that your car is equipped with OnStar. Plus, you have
to pay for that service.

------
pyre
The funny thing is that if I point a video camera at a police officer in a
public space, I'll get charged with 'illegal wiretapping,' but if Toshiba
implants a spying device without user knowledge/consent will _they_ get
charged with illegal wiretapping? Doubtful. Even though they are 'spying' on
customers behind their backs, it will get less punishment than openly filming
a police officer in a public space.

~~~
mgkimsal
You're a private person, Toshiba is a multinational corporation.

~~~
pyre
Diffusion of responsibility at its finest. As a private individual, I get
crushed under the wheels of the system, while Toshiba gets to ride in the
backseat.

------
pasbesoin
Previous discussion (including a few Blackhat links, though I haven't looked
at those).

<http://news.ycombinator.com/item?id=2018703>

~~~
paulgerhardt
That page has been removed from Absolute's website; cache here:
[http://webcache.googleusercontent.com/search?q=cache:vb0e0b5...](http://webcache.googleusercontent.com/search?q=cache:vb0e0b5bfAkJ:www.absolute.com/products/bios-compatibility+absolute+software+bios&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com)

edit: Or Absolute updated their site map; list here:
<http://www.absolute.com/en/partners/bios-compatibility.aspx>

------
trotsky
It is possible, though not the easiest thing in the world, to rebuild your
BIOS while removing the LoJack option ROM.

<http://www.freakyacres.com/remove_computrace_lojack>

This article gives an overview; there may be better sources, or you could refer
to the forums people use for BIOS modification of SLIC tables to get a better
introduction to the tools.

------
aphexairlines
An incentive to support coreboot/openbios?

------
GoodIntentions
The Toshiba Satellite sitting beside me is running slackware like a champ.
Problem solved ;-)

------
benologist
The T135 is a pretty old laptop which explains why it was present after
vendors stopped using it - I bought one around January or February last year,
it doesn't seem to have the rootkit but it's a Latin American model which
might have been exempt.

------
archivator
The fault lies with Toshiba. I have a Dell Studio laptop and CompuTrace is an
option in the BIOS - once enabled, it can't be disabled (I haven't actually
tried wiping the EEPROM) but it's an option nonetheless.

~~~
rhizome
This reflects badly on CompuTrace and they could certainly have taken steps to
ensure that Toshiba's use of their tools didn't affect their business
prospects. That they have a "Hey, do what you want with it. We don't care."
approach to sales makes me wonder who else is buying from them. As above it
appears IBM is on the list as well (unverified).

------
jpcosta
I understand the frustration, but how else would laptop tracking software
work if not by connecting to the web and listening for commands, etc? It seems
that this app is created by: <http://www.absolute.com/en-GB/>

~~~
jitbit
Yeah, correct. But what if some Absolute employee turns out to be dishonest?
A non-removable process, not detected by most antiviruses, that listens to the
commands from the Net... Seems like a botnet to me.

~~~
Duff
When we asked this question in the context of the laptops at the big
enterprise that I worked for, the response from Absolute was "most of our
employees are ex-cops, so that isn't a problem".

~~~
natch
Wow. Even setting aside the question of whether all cops are trustworthy, one
does wonder why they are "ex" cops.

------
die_sekte
Found Computrace in my ThinkPad X201's BIOS. However, there's an option to
permanently disable it.

------
mcantelon
Blogpost says it actually isn't a "brand new" laptop and Toshiba has since
removed the crapware.

~~~
mleonhard
Where does it say that?

By the way, I purchased a Toshiba T135 last year from Amazon and updated the
BIOS several times. I can't find any trace of the CompuTrace backdoor, but I
must say that my trust in Toshiba, DELL, and other laptop manufacturers has
been severely shaken. This is infuriating.

------
StavrosK
Picking nits here, but this is a trojan (if that, really), not a rootkit, no?

------
boscomutunga
I think this adds to the advantages of using Linux and scrapping Windows; after
all, with the security features of Linux nothing like this would have happened.

------
compuerase38278
[http://forums.mydigitallife.info/archive/index.php/t-9213.ht...](http://forums.mydigitallife.info/archive/index.php/t-9213.html)

448675 2011-05-01 Dell.Service.Tag.Editor.iso.rar initial scan seems ok on
opensuse LINUX. <http://www.coreboot.org/SeaBIOS>

backup BIOS first

call warranty service. IE is frozen with 100% cpu. install anti-virus?? then
get rid of the compu ERASE or lojack problem - then, go to warranty.

do it at the beginning before your important pictures are on the computer and
been sent to outsource india for compu ERASE

------
baltcode
How do I check this on my laptop?

~~~
DizzyDoo
Check your process list for 'rcpnetp.exe'. Just checked my six month old
Toshiba Satellite Pro C650, happily it was clean.

~~~
sodiumphosphate
I see related Google results for 'rpcnet.exe'. Not sure if they are related
yet (spelling error?).

Also, I wonder how quickly they could rename the executable to deter removal,
given the nature of their 'Persistence Module' and antivirus industry
cooperation.

~~~
dfox
rpcnet.exe seems to be essentially the same thing as rpcnetp.exe, only without the
BIOS persistence hack.
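
The process-list check DizzyDoo, sodiumphosphate and dfox discuss above, written out as a small detector over `tasklist /fo csv` output. This is an added example, not code from anyone in the thread; the only assumptions are the two image names the thread mentions (rpcnetp.exe and rpcnet.exe), and the tasklist sample is constructed.

```python
"""Flag CompuTrace/LoJack agent processes in `tasklist /fo csv` output.

Added example, not code from the thread. Assumes the process names the
thread mentions (rpcnetp.exe, rpcnet.exe); the sample below is constructed.
"""
import csv
import io

# Image names discussed in the thread; compared case-insensitively so that
# "RPCNET.EXE" and "rpcnet.exe" are treated the same.
KNOWN_AGENT_NAMES = {"rpcnetp.exe", "rpcnet.exe"}


def find_agent_processes(tasklist_csv):
    """Return (image name, PID) pairs whose image name is a known agent name.

    `tasklist_csv` is the text produced by `tasklist /fo csv` on Windows:
    a header row followed by one quoted row per process. Names are
    lower-cased before comparison, so the returned names are lower-case.
    """
    hits = []
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    for row in reader:
        name = row.get("Image Name", "").strip().lower()
        if name in KNOWN_AGENT_NAMES:
            hits.append((name, int(row["PID"])))
    return hits


# Constructed sample: benign processes plus the two names from the thread,
# one of them in upper case to show the case-insensitive match.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"explorer.exe","1234","Console","1","45,120 K"
"rpcnetp.exe","2048","Services","0","2,512 K"
"RPCNET.EXE","2060","Services","0","3,004 K"
'''

if __name__ == "__main__":
    for name, pid in find_agent_processes(SAMPLE_TASKLIST):
        print(f"possible CompuTrace agent: {name} (PID {pid})")
```

A name-only check is weak for the reason sodiumphosphate gives: a renamed agent binary would not be flagged, so an empty result is not proof of absence; the BIOS setting other commenters mention is a better place to confirm.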

------
gitarr
Isn't this "unauthorized access to computer systems[1]"?

When buying a laptop on Amazon, is there some sort of agreement/contract
between the buyer and the "security" firm where one signs his privacy away?

Especially the screenshot taking would be a concern to me. What if you were
working on secret company files while screens are being taken?

[1] <http://www.ncsl.org/default.aspx?tabid=13494>

~~~
amalcon
I'm sure they've got it in the fine print somewhere. The (commercial) tracking
software almost certainly has an EULA, which I'm sure buyers are required to
agree to.

------
Joeri
You can ask Absolute to remove it: [http://www.ehow.com/how_7683954_disable-computrace-laptop-bi...](http://www.ehow.com/how_7683954_disable-computrace-laptop-bios-toshiba.html)

So, aside from not being informed about it, this isn't a big deal.

~~~
simcop2387
Personally, I wouldn't trust them to not break things myself. I know they may
not be "amateurs" at low level things like they do to make this happen, but I
still wouldn't trust it. This is why my suggestion would be to use some kind
of disk/filesystem encryption. TrueCrypt should be able to defeat them putting
it back on and allow you to restore (from a clean copy) the original files and
get your CHKDSK back.

On another note, I don't think I'd have ever noticed this myself, every laptop
I've had I end up installing Linux on because of all the crapware that gets
included with the OS in the first place.

