LoJack for Laptops

LoJack for Laptops (originally known as CompuTrace) is proprietary laptop theft recovery software (laptop tracking software) whose features include the ability to remotely lock, delete files from, and locate a stolen laptop on a map. The persistent security features are built into the firmware of the devices themselves. LoJack for Laptops also provides the services of an Investigations and Recovery Team that partners with law enforcement agencies around the world to return protected laptops to their owners.[1][2][3][4]

Absolute Software licensed the name LoJack from the vehicle recovery service LoJack in 2005.[5]

Once activated, Computrace/LoJack for Laptops periodically phones home to Absolute Software's server, both to announce its location and to check whether the machine has been reported stolen.[6][7]

The Absolute Computrace persistence module is preinstalled into many BIOS images by most laptop vendors.[8]

Analysis of Absolute CompuTrace by Kaspersky Lab shows that in rare cases the software was preactivated without user authorization. The software agent behaves like a rootkit (bootkit), reinstalling some programs into the Windows OS at first boot and downloading the full agent from an Absolute server via the Internet. This installer (small agent) is vulnerable to some local attacks[8][9] and to attacks by anyone who controls all of the victim's network communications.[10]

How it Works

Once installed, the Computrace agent activates Absolute Persistence by making an initial call to the Monitoring Center (for example, search.namequery.com, bh.namequery.com, etc.[10]). The agent may be updated by modules downloaded from the command server (the small agent does not authenticate the server).[10] Subsequent contact occurs daily, checking that the agent remains installed and providing detailed data such as location, user, software, and hardware.

If the device is stolen the owner first contacts the police to file a report, then contacts Absolute. The next time the protected device connects to the internet it silently switches to theft mode and accelerates Monitoring Center communication. The Investigations and Recovery team forensically mines the computer using a variety of procedures including key captures, registry and file scanning, geolocation, and other investigative techniques. The team works closely with local law enforcement to recover the protected device, and provides police with evidence to pursue criminal charges.

In the event of theft, a user can log into their online account to remotely lock the computer or delete sensitive files to avoid identity theft.[11]

LoJack comes preinstalled in the BIOSes of, at least, Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba, and Asus machines.[12]

Apple, unlike the PC manufacturers, does not allow the software to be installed in the BIOS.[13] LoJack can be installed on Apple computers, but it is stored only on the hard drive. If the hard drive is replaced or reformatted, LoJack will be lost.

The BIOS service should be disabled by default and can be enabled by purchasing a license for Computrace; upon being enabled, the BIOS will copy a downloader (small agent) named rpcnetp.exe from the BIOS flash ROM to %WINDIR%\System32 (which usually resolves to C:\WINDOWS\System32). On some Toshiba laptops rpcnetp.exe is preinstalled by Toshiba on the unit's hard drive prior to shipment from the factory. rpcnetp.exe will in turn download the actual agent (full agent), rpcnet.exe, from Absolute and install it as a Windows service.

From then on, rpcnet.exe will phone home to Absolute Software servers once a day, querying for a possible theft report and, in any case, transmitting the results of a comprehensive system scan, the IP address, user and machine names, and location data. It obtains the location either by tapping the GPS data stream on machines equipped with GPS hardware, or by triangulating available WLAN access points in the vicinity: it provides WLAN IDs and signal strengths so that Absolute Software servers can geolocate the device using the Mexens Technology database.
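A fleet audit built on the file names and Monitoring Center hostnames described above can flag machines where the agent is present or beaconing without a purchased license. This is an added example, not Absolute's or the cited researchers' code; the inventory, DNS log format, host names and the licensed-host set are constructed assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

SMALL_AGENT = "rpcnetp.exe"         # downloader the BIOS copies to System32
FULL_AGENT = "rpcnet.exe"           # full agent, installed as a Windows service
MONITORING_DOMAIN = "namequery.com" # parent of the hostnames named on the page

# Constructed sample data (hypothetical hosts): file inventory and DNS log
# lines in the assumed format "<timestamp> <host> <query name>".
INVENTORY = {
    "lt-001": [r"C:\WINDOWS\System32\rpcnetp.exe", r"C:\WINDOWS\System32\rpcnet.exe"],
    "lt-002": [r"C:\WINDOWS\System32\rpcnetp.exe"],
    "lt-003": [r"C:\WINDOWS\System32\notepad.exe"],
}
DNS_LOG = """\
2024-01-10T08:00:01Z lt-001 search.namequery.com
2024-01-10T08:00:05Z lt-002 search.namequery.com
2024-01-10T08:00:09Z lt-002 bh.namequery.com
2024-01-10T08:01:00Z lt-003 notnamequery.com
2024-01-10T08:02:00Z lt-004 SEARCH.NAMEQUERY.COM.
"""
LICENSED = {"lt-001"}  # assumption: hosts with a purchased Computrace license

def agent_stage(paths):
    """Classify a host by which agent binaries sit directly in System32."""
    names = {PureWindowsPath(p).name.lower() for p in paths
             if PureWindowsPath(p).parent.name.lower() == "system32"}
    if FULL_AGENT in names:
        return "full-agent"
    if SMALL_AGENT in names:
        return "small-agent-only"   # only the unauthenticated downloader stage
    return "absent"

def beacon_counts(log_text):
    """Count Monitoring Center lookups per host; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].lower().rstrip(".")
        if qname == MONITORING_DOMAIN or qname.endswith("." + MONITORING_DOMAIN):
            counts[parts[1]] += 1
    return dict(counts)

def audit(inventory, log_text, licensed):
    """Flag hosts where the agent is present or beaconing without a license."""
    beacons = beacon_counts(log_text)
    report = {}
    for host in sorted(set(inventory) | set(beacons)):
        stage, hits = agent_stage(inventory.get(host, [])), beacons.get(host, 0)
        unexpected = (stage != "absent" or hits > 0) and host not in licensed
        report[host] = {"stage": stage, "beacons": hits, "unexpected": unexpected}
    return report
```

A host that shows lookups but has no inventory entry (lt-004 in the sample) is still flagged, which covers machines the endpoint tool has not scanned.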

If Absolute receives a theft report, the service can be remotely commanded to phone home every 15 minutes, install additional third-party vendor software, such as a key logger or a forensic package, take screenshots, etc.

Computrace also supports Intel's AT-p anti-theft protection scheme: if it is unable to phone home within a configurable time interval, it will require a special BIOS password upon the next reboot. It can be configured to shut down the machine's power supply immediately in this case, to force a reboot.

Absolute Persistence Technology

The persistence module, installed as part of the system BIOS/UEFI, detects when the LoJack for Laptops software has been removed. It ensures the software is automatically reinstalled even if the hard drive is replaced, or the firmware is flashed.

Absolute Software partners with many OEMs to embed this technology in the firmware of computers, netbooks, smartphones, and tablets[14] by Acer, ASUS, Dell, Fujitsu, HP, Lenovo, Motion, Panasonic, Samsung and Toshiba.

In 2011 the software earned a 4.5 / 5 star review from PC Mag.[15] In 2012, macworld.co.uk rated it 5/5 stars.[16] Today, Toptenreviews.com ranks LoJack for Laptops as the #1 laptop tracking software of 2013.[17]

Vulnerabilities

The Computrace client exhibits trojan- and rootkit-like behaviour, but some of its modules were whitelisted by several antivirus vendors.[8][10] Earlier it was detected as TR/Hijack.Explor.1245 or W32/Agent.SW!tr.

At the Black Hat Briefings conference in 2009, researchers Anibal Sacco[18] and Alfredo Ortega showed that the implementation of the Computrace/LoJack agent embedded in the BIOS has vulnerabilities and that this "available control of the anti-theft agent allows a highly dangerous form of BIOS-enhanced rootkit that can bypass all chipset or installation restrictions and reutilize many existing features offered in this kind of software."[19][20] Absolute Software rejected the claims made in the research, stating that "the presence of the Computrace module in no way weakens the security of the BIOS". Another independent analyst confirmed the flaws, noted that a malware hijacking attack would be a "highly exotic one", and suggested that the larger concern was that savvy thieves could disable the phone home feature.[21]

Later, Core Security Technologies proved the researchers' findings by making publicly available several proofs of concept, videos, and utilities on its webpage.[22]

Local and remote exploitation of the first-stage CompuTrace agent (the small agent, which is used only to install the full version of the rootkit after activation of LoJack or after reinstallation of Windows) was demonstrated at BlackHat USA 2014. This dropper agent is whitelisted by several antivirus vendors and can be used to set up some local attacks, for example to download and install software from different servers.[10]

The Absolute Investigations Team

The team consists of professionals who use data captured by LoJack for Laptops and work with local police to recover stolen mobile devices.[23] Members of the Absolute Investigations and Recovery Team have previously worked for the FBI, the US Marines, the US Army, Homeland Security and in other government positions. The team specializes in internet and computer crime; other specific areas of experience include:

Supported Devices

References

  1. Theft Report White Papers. by Absolute Software
  2. David A. Andelman (2005-08-19). "Does LoJack For Laptops Work?". Forbes.
  3. LoJack foils laptop theft, Techworld.com
  4. "LoJack for Laptops Software Review by PCMag.com". 2011-06-21.
  5. "LoJack licenses technology to track stolen computers". Boston Business Journal. June 27, 2005. Retrieved 2009-04-10.
  6. Heath, Nick (15 Apr 2008). "Thieves caught out as PCs 'phone home'". zdnet.co.uk. Retrieved 2009-04-10.
  7. "Absolute Software Service Agreement" (PDF). Absolute Software. July 30, 2008. Retrieved 2009-04-10. Must permit the regular, unimpeded transmission of communications and other data between the Customer Computer and the Monitoring Center in order to enable the Service, including without limitation allow access through your configured firewalls
  8. Absolute Computrace Revisited / SecureList, Vitaly Kamluk, February 12, 2014.
  9. Ortega, Alfredo; Sacco, Anibal (2009-07-24). Deactivate the Rootkit: Attacks on BIOS anti-theft technologies (PDF). Black Hat USA 2009. Boston, MA: Core Security Technologies. Retrieved 2014-06-12.
  10. Kamlyuk, Vitaliy; Belov, Sergey; Sacco, Anibal (2014-08). Absolute Backdoor Revisited (PDF). Black Hat USA 2014. Las Vegas. Retrieved 2015-01-27.
  11. How to keep your laptop from being stolen. by Andrew Nusca for The ToyBox, February 26, 2009
  12. Absolute Software, Partner: BIOS Compatibility, absolute.com
  13. "How can loJack be effective, if i have a password.... someone steals my laptop, they can't login to connect to the internet". Retrieved 2012-06-18.
  14. Absolute CEO Says Growth to Accelerate After Samsung Win / Bloomberg, by Hugo Miller - April 15, 2013
  15. Software Review. by pcmag.com, June 21, 2011
  16. Software Review. by macworld.co.uk, Nov 07, 2012
  17. Software Review. by toptenreviews.com, 2013
  18. Sacco, Anibal; Alfredo Ortéga. "Deactivate the Rootkit". Exploiting Stuff. Retrieved 2009-10-06.
  19. Robertson, Jordan. "Anti-theft software could create security hole". The Associated Press. Retrieved 2009-08-06.
  20. Sacco, Anibal; Alfredo Ortéga. "Deactivate the Rootkit". Black Hat Briefings. Retrieved 2009-08-06.
  21. "Absolute Software downplays BIOS rootkit claims". ZDNet. Retrieved 2009-08-20.
  22. Sacco, Anibal; Alfredo Ortéga. "Deactivate the Rootkit". Core Security Technologies. Retrieved 2009-09-08.
  23. Technology Overview. by Absolute Software
