a bit OT: used laptops, computrace rootkit

Michael Torrie torriem at gmail.com
Sat Mar 22 19:29:56 MDT 2014


Here's a little cautionary tale about buying used laptops (i.e., don't).
It's not Linux-related, but I wanted to bring it up here in case any of
you encounter this in your travels in Windows-land. It's not new either.
But it's more widespread than I thought before.

So it turns out that many of the big laptop brands (Lenovo, HP, Asus)
bundle a piece of software called CompuTrace in the BIOS (My laptop is a
ThinkPad X220).  In essence this is a Windows rootkit that, once
activated, installs itself to the hard drive of the computer before
Windows even boots.  The purpose of the rootkit is to call home to
Absolute.com every so often to report the laptop's IP address, and
possibly other identifying pieces of information.  The idea is that a
user activates this "feature" and then pays Absolute.com to track the
laptop so that if it's ever reported stolen, Absolute.com can locate the
laptop, take pictures with the webcam, or even remote-wipe the hard drive.

The problem is that if a laptop is sold or given away, unless
Absolute.com is contacted by the original owner and instructed to
disable CompuTrace, it's permanently on and cannot be disabled.  And
this rootkit will install itself to even a fresh install of Windows, all
silently.

Suffice it to say I've got a laptop now that has this rootkit activated
(but powerless, since I installed Linux).  The seller (a major used
laptop dealer), says no, it's not phoning home or tracking you, though
in fact if I boot into Windows it certainly is.  If I want to deactivate
this little beauty, I have to contact Absolute.com, and plead my case.
Now there's no reason for them to cooperate with me, as I bought the
laptop used and there's a greater than zero chance the laptop really is
stolen, though it does not appear to have ever been reported stolen.
And the seller is supposedly reputable and swears up and down it's not
stolen.

Moral of the story, don't ever buy used laptops.  Always run Linux.  And
even on a new laptop, check the BIOS to see if Computrace is enabled.
If it is, return it.  There are reports of several cases where this
feature was activated on new machines without the owner's consent.
Absolute.com has not proved responsive to these users either.  If it's
enabled and you are running Windows

Given recent NSA revelations, this idea of a rootkit in the BIOS really
bothers me.  Another entire level of trust that I used to have has been
eroded.  Here's some more info for those interested:

https://www.securelist.com/en/analysis/204792325/Absolute_Computrace_Revisited

I'm curious to learn from list members who've bought laptops in the last
few years if your laptop's BIOS has CompuTrace as an option under
Security.  And if any of you have CompuTrace enabled and you've never
enabled it yourself, I'd find that very interesting as well.

