Sunday, September 09, 2012

Spying on ex-employees & others using Computrace

[Hi, and welcome to 1984!]
The Norwegian Data Protection Authority (Datatilsynet) has strict guidelines on the use of tracking software & hardware that enables position tracking of people. Easily summarized: a user has to agree to being tracked (in writing), and can withdraw his/her consent at any given time. The consequence of not agreeing to being tracked may of course be denied access to the service in question, etc.

In Norway it has become pretty common that employees get to keep their laptop & smartphone when leaving a company due to downsizing. Enter the problematic world of asset tracking & inventory software hardcoded into your system BIOS.

Background

Absolute Software is the creator of Computrace, a piece of software that provides tracking, compliance monitoring and more for computers running Windows or Mac in enterprise settings. For home users they have Computrace Lojack for laptops.

Much more interesting than the standard software, which can be installed & removed like any other software: they also have OEM partners that implement the Computrace agent in BIOS. Once you install a compatible operating system onto the computer, the agent gets installed silently into the OS from BIOS. Hoohaa! This is an overview of OEM partners taken from their own webpage:

[Screenshot from www.absolute.com on September 08, 2012]

They do it in such a way that flashing your BIOS won't remove it. According to Absolute, their agent firmware persists through BIOS flashing, resetting and more. That's a good thing from a corporate security perspective; when a laptop is lost/stolen it can be tracked and monitored to recover the computer and catch the bad guys.

Furthermore, again according to their own documentation, the agent firmware will install itself into your Windows XP/Vista/7/server installation automatically, and within minutes after installing Windows.


Sounds like serious stuff to me.

In addition to the picture on top of this blog post, here are a few more pictures from a Lenovo Thinkpad T420S BIOS that has the Computrace agent embedded in firmware, and activated:

[Anti-Theft sounds nice, right?]

[Intel offers their own Anti-Theft module, in addition to Computrace]

[Enabled, cannot be disabled by end-user]
And to prove that it works, here is a screenshot showing properties for rpcnet.exe, one of several files that mysteriously appeared in a clean Windows 7 x64 setup shortly after installation:
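The same check can be done from a prompt instead of the Properties dialog. The script below is an added example, not part of the original post: it looks for the rpcnet.exe file, any service whose binary path points at it, and any running process of that name. Only the file name comes from the post; the search directories are an assumption, and the script needs PowerShell 4.0 or later and an elevated prompt to read process paths.

```powershell
# Added example: audit a Windows install for the rpcnet.exe artifact named in the post.
# Assumption: the file sits in a Windows system directory; extend $searchRoots if needed.
$agentFile   = 'rpcnet.exe'
$searchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path $_ }

# 1. File on disk: what the Properties dialog shows, plus signer and hash for your records.
$files = Get-ChildItem -Path $searchRoots -Filter $agentFile -File -Force -ErrorAction SilentlyContinue
$fileReport = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path        = $f.FullName
        Created     = $f.CreationTime   # compare with the OS install date
        Company     = $f.VersionInfo.CompanyName
        Description = $f.VersionInfo.FileDescription
        Version     = $f.VersionInfo.FileVersion
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# 2. Services whose binary path references that file name.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match [regex]::Escape($agentFile) } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 3. Running processes with that image name.
$procName = [IO.Path]::GetFileNameWithoutExtension($agentFile)
$procs = Get-Process -Name $procName -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, StartTime, Path

if (-not ($fileReport -or $services -or $procs)) {
    "No $agentFile file, service or process found."
} else {
    $fileReport | Format-List            | Out-String
    $services   | Format-Table -AutoSize | Out-String
    $procs      | Format-Table -AutoSize | Out-String
}
```

A file creation time a few minutes after the Windows install date, on a machine where nobody installed the agent, matches the behaviour described above.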


Defeating Computrace

Well, maybe we could replace the BIOS chip. You can install any other operating system than Microsoft Windows. There seem to be recipes on how to prevent it from being installed and/or run on your local Windows system. I haven't found any info yet about ports, protocols, DNS names & IPs, but I just might spend some time figuring it out and posting it here.

An old posting says that once enabled in BIOS, it remains so permanently. Understandable from one perspective, hard to accept from the other side. anonymous_02 in this reply dated 03-28-2011 is not exactly happy about Computrace, and that is just one example if you google removal of computrace software.

To me, all these ways of removing, disabling or preventing Computrace from running are close to irrelevant.

Principles

We have laws and regulations on privacy in Norway, and I'm happy that we have them. Installing & using tracking software requires the consent of the end-user, be it an employee or a customer. The user may withdraw that consent at any time. As stated earlier, this may eventually mean revoking access to services, software and hardware.

With Computrace permanently enabled in the BIOS of a laptop (by an employer), the laptop will always report back to Absolute Software as soon as Windows is installed. Depending on agreements between Absolute Software and the customer (the company), your former employer may be able to secretly track you, do inventory scans of your laptop and enforce various types of policies including remote wipe.

Unless Absolute Software has options for permanently disabling and preferably removing its agent software from your laptop's BIOS, I'm having a hard time seeing how this could be legal in Norway.

The consequence for you as an employee: your employer could possibly be legally prevented from giving you your work laptop when you leave the company.

Now I do wonder how difficult it would be for any unauthorized person to set up such invisible tracking of another person's computer, if it has already been equipped with the Computrace agent in BIOS, but not yet enabled?

--
PS:
Absolute Software has a page describing Computrace Persistent in Android devices as well. The list of supported systems contains names of certain tablets, in addition to various laptops.

--
Added info on September 13, 2012:

Aftermath

I've got a few responses on this blog post, and thanks to Magnus & Daniel, I can add a few more screenshots and explanations.

First of all, there are 2 options available in the BIOS shown above: Intel Anti-Theft Technology, and the Computrace BIOS persistent agent as an extra layer of security.

Disabling both from a corporate perspective requires 2 remote commands to be issued, where each command requires a reboot to complete. This is completely silent, with no forced reboot. In addition the agent is said to "phone home" once every 24 hours, so it might take some time for it to finish.

Fortunately the process can go much faster, by running a Computrace agent locally, and forcing it to "phone home". I was - of course - mighty impressed by seeing "password" as the password to use to "log in" to this agent software, which came up with this initial screen:
[Computrace Windows agent software for status/options etc]
The "test call" tab has the option of "initiate 'phone home' now", so that the agent reports in and receives any instructions that may be waiting for it. After 2 reboots BIOS options now look like this:



Now the end user has the ability to configure both options to "Permanently disabled". If you are paranoid and would prefer not being able to track your lost/stolen laptop over the risk of somebody tracking it (you), go ahead.

If you are closer to normal paranoid, you might consider using these options for your own good - just remember to password protect your BIOS so that your friends, colleagues or others can't configure tracking and sign up to watch your every move.

Oh, and you might want to peel away the serial number of your laptop. That's the info Absolute Software needs to identify your laptop among all the others reporting in every day.


2 comments:

  1. Dancho Danchev actually wrote about Computrace back in 2009: http://www.zdnet.com/blog/security/absolute-software-downplays-bios-rootkit-claims/3936

  2. I have recently noticed this spyware on our company's machines. We never consented to having this invasive technology installed and what gives Absolute the legal right to remotely change our computers permanently? I am now seeing this piece of software calling home every single day. It is absolutely unacceptable. We have a lot of client confidential information that we are required by law to protect. By all accounts our computers are open to anyone at Absolute which puts us in a very bad situation as we are expressly forbidden from this. This is so wrong on many levels. We really need to get the word out there so people understand what is going on. The fact that it cannot be removed is extremely concerning. It is different to anything I have ever seen. It is hard to believe that the owner of the property has no ability to disable this. Why not password protect the feature? If someone steals the computer then they will be unlikely to know the password if the owner wants the spyware enabled. If the owner however does not want this enabled then with the pass phrase we should be able to disable this. It is very simple. When you take the choice away from the legal owner of the property you are treading a very fine legal line.
