On August 6, 2014, Kaspersky Lab presented research at the Black Hat event in Las Vegas. This was the same research they presented at an event in February 2014. The research contained assertions about perceived vulnerabilities with Absolute Computrace technology. In particular, Kaspersky restated their claims that Absolute Computrace can be activated without the customer’s knowledge. For more information, contact us.

Absolute Software CTO’s Perspective on Kaspersky Report

The Kaspersky research included allegations of perceived vulnerabilities within Absolute Computrace technology. Since the attack vectors described in the report were artificially created using local administrator privilege to tamper with Computrace, Absolute Software considers the analysis in the report flawed and rejects its conclusions.

Absolute wants to reassure its customers and partners that the report’s conclusions have no technical merit and that Computrace is secure.

Since discussions we’ve had with Kaspersky since the report’s publication in February 2014 have been limited, our feedback and findings are based solely upon the information in the report.

Absolute Persistence Technology

Absolute Software customers and partners value the ability to rebuild the security of the system. They view this capability as a unique and critical feature of the Absolute Computrace product. All software can be compromised, and our customers value and rely upon the ability of Absolute Computrace to automatically fix a security hole when it occurs.

Absolute Computrace cooperates with all other means of securely modifying the system. It does not reject administrator’s commands to stop or be deleted. It doesn’t hide from anti-virus software, and it is not a rootkit. Absolute Computrace requires an administrator’s permission to maintain its function as a component in the security subsystems of their systems.

Encryption & Authentication

The installation process is under the full control of the Absolute Computrace administrator and once the installation is complete, the communication is secure and uses encryption as well as authentication of the host server to reject attacks as described in the Kaspersky report. There is no clear text transmission of any data and the protocol of the full agent will reject attempts to communicate without authorization and will only communicate with mutual authentication of the server and the client. The rebuilding process (Absolute persistence) is armed.

Kaspersky has misinterpreted this rebuilding process that—by design—will fully re-secure the system if the security desired by the legitimate user is disabled or tampered with by a user with access and privilege.

External Attacks

The Absolute Computrace rebuild mode cannot be forced from outside the system through an attack on a secure system via the fully installed Absolute Computrace software agent. The discussion of ARP attacks and DNS attacks are irrelevant since the encrypted and authenticated communication of the full agent would have to be defeated first.

Firmware-based Binary

It is also irrelevant that the small agent is not signed. This is for efficiency, but does not compromise the security of the system since the source of the binary is from firmware. Modern firmware is signed as a package and the individual components do not have to be signed since the integrity of the system was verified at boot. The new secure boot feature in the most modern computer systems goes a step further, ensuring that only expected binary is allowed to execute in the boot process. Absolute Software is constantly involved and in cooperation with many others in the security industry to make sure all applicable security standards desired by our customers and partners, are built into the software and tested rigorously.

Communication

Critical to the proper rebuilding of the Absolute Computrace security configuration is the identity of the assigned host server of the device. For example, the device can be assigned to one of our customer’s private servers at which point that device is no longer able to communicate with our centrally hosted systems.

There is absolutely no private information required from the system to recreate the activation sequence. We don’t know the user and we have no way to determine who the user may be. We simply recognize a match in the previous activation sequence recorded during the legitimate installation of the software and refresh the configuration on the system being rebuilt to restore the assigned host server recorded earlier.

Absolute Computrace Security Vulnerability Claims FAQ

What is Kaspersky alleging about Computrace?

Kaspersky alleges that the research confirms and demonstrates how Absolute Computrace can be used as a “powerful utility for cyber attackers”. They also assert that this will allow attackers to fully access millions of users’ computers. Absolute considers Kaspersky’s analysis flawed and rejects its conclusions.

Is it possible for an attacker to use Computrace to access millions of users’ computers?

The research we reviewed does not describe a demonstration of a successful attack. It’s important to note that any potential attack depends upon the endpoint or other devices being compromised first. The obstacles to mounting such an attack are considerable and are not achievable via the mechanism outlined in the Kaspersky report.

In the report, Kaspersky states that some device owners have claimed they’ve never installed, activated, or had ever known that Computrace was installed on their device. Is this true?

Again, we can only base our response on the narrative within the research presented. Thus we can only hypothesize that these types of scenarios may be the result of defective implementations, improper service procedures and/or poor IT practices. We cannot comment on the specific cases described by Kaspersky where Computrace appeared to have been activated without the consent of the owner of the device since we were not given an opportunity to investigate how these devices were activated.

Absolute would be happy to examine these devices to provide a more accurate assessment. It’s important to note that Kaspersky’s survey of new computers in retail outlets revealed no activations of Computrace.

Are there any scenarios where Computrace is activated before a customer receives the computer?

Yes. Some of Absolute’s corporate customers may request that the computer manufacturer activate the Computrace software client so that the computers arrive with Computrace already activated. This is typically done as a security measure so that the devices are protected while in transit. If the devices go missing, Computrace can be used to determine chain of custody, allowing the customer to address potential security issues. Pre-activation can also be done as a time-saving measure for IT. Since this is a transaction between the customer and the OEM, we have no insight to specific details regarding frequency of these requests or the number of devices.

Is Absolute alerted when a defective implementation occurs?

It depends on the scenario. In instances where we are alerted, we provide assistance to proactively disable any impacted devices

Isn’t this scenario similar to the allegations made at the Black Hat security conference in 2009?

Yes, this is a very similar scenario. Our response in 2009 is still posted on our website for reference. The technical facts we provided at that time are still accurate and current today. Additionally, Absolute Software continually improves the security of its systems to harden them against attack.

Kaspersky calls out the whitepaper by Alfredo Ortega and Anibal Sacco of Core Security Technologies as pre-existing research to back up the perceived weaknesses of Absolute Computrace. Does this support Kaspersky’s position?

No, it does not. This same whitepaper was presented in 2009 at the Black Hat security conference. As we stated back then, the research described in this whitepaper was based on one example of BIOS stub code, version 785 which was never active in any BIOS to our knowledge. Our earliest released version of the Computrace BIOS module was version 802 which was released about five years after version 785 was created.

Even if the BIOS vendor inadvertently included inactive dead code in the build of the BIOS examined, Absolute has no method to activate this version and it cannot be exploited by a malicious attacker.

Kaspersky alleges that some device users are unable to remove Computrace because it is designed to reinstall if efforts are made to remove it. Is this true?

Absolute persistence technology is designed to rebuild the security if efforts are made to remove it. Many of our customers purchase Computrace for this reason since it allows them to maintain a connection with their device, regardless of user or location. Authorized customers are able to uninstall the Computrace software agent and disable persistence at their discretion.

Kaspersky states that there is no proof that Absolute Computrace is being used as a platform for attacks but that experts from several companies see the possibility for attacks. Is this true?

Absolute is unaware of any successful attack on its technology of the nature suggested by Kaspersky. Since Kaspersky does not identify the “experts from several companies” it is not possible for us to validate or disprove these claims. In their guidance, Kaspersky asserts that “powerful tools such as Computrace software must use authentication and encryption mechanisms to continue serving the greater good”.

Why doesn’t Computrace incorporate these measures?

Computrace employs strong authentication and encryption in its client/server communications. The Kaspersky research does not show the transmission of unencrypted, sensitive data at any time.

Kaspersky states that numerous opportunities exist for remote attacks in a hostile network environment. Some examples they provide include an attack on a local area network to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Or the use of a DNS service attack to trick the agent into connecting to a fake C&C Server. Is this possible?

Kaspersky does not describe a successful implementation of such an attack. The report assumes the small agent is running. The small agent does not run unless the system is first compromised locally to modify the execution of the full agent. The full agent is secure against these types of attacks.