Written by Chris Bing

When Vitaly Kamluk, a security researcher with Kaspersky Lab, discovered a mysterious program named “Computrace” deeply burrowed into his colleagues’ computers, he expected to find an elite hacking group at the other end — something the Moscow-based cybersecurity firm is keenly familiar with.

Instead, Kamluk had uncovered a flawed but legitimate tracking software program developed by a Canadian company, named Absolute Software, which had been apparently installed at the manufacturer level. Computrace — now known as LoJack For Laptops via a licensing agreement with the famous vehicle-tracking company — has been publicly documented as having security problems, based on multiple reports, which worried Kamluk because he knew someone could leverage the underlying program in an attack to gain remote access.

“It was very alarming to find unauthorized instances of Computrace,” Kamluk told CyberScoop. “There was no explanation how those new private computers had Computrace activated … We contacted Absolute technical support and provided hardware serial numbers, as requested. They explained that those Computrace agents were never registered in their database and therefore they couldn’t help deactivate them.”

Last week, Kamluk’s discovery again received attention because of new research from Arbor Networks, another cybersecurity firm. The fresh report suggested that an infamous group of Russian government-linked hackers were able to exploit a lingering flaw in LoJack to conduct espionage operations. Absolute Software was warned about the issue as early as 2009.

The finding is significant because LoJack comes preinstalled on a lot of computers made by various different vendors and it has expanded in recent years to also cover Android devices. Kaspersky doesn’t know for sure if its network was ever breached through LoJack years ago, but it has since flagged the program as malicious on its own anti-virus engine, which is used around the world.

The incident reveals the deep-rooted impact felt when hackers target the supply chain behind a product, making a computer uniquely vulnerable even before it’s purchased or turned on. It also shows that even when big companies choose to make security improvements in their supply chains, distributing a fix can be extremely difficult.

Absolute Software says it has taken concrete steps to fix related flaws in newer versions of LoJack. But these fixes have never been publicized or cataloged by the MITRE Corporation, which maintains a running list of vulnerabilities. Researchers who spoke to CyberScoop said they had not yet reverse-engineered the latest versions of LoJack, so it was not possible to confirm whether it is more secure today.

“We downloaded [Arbor Networks’] samples and can confirm they are all modified binaries of the 2008 version of our agent, which is vulnerable to the type of hijacking discussed by the research blog,” an Absolute spokesperson said. “After evaluating [Kaspersky’s 2014 research], we promptly patched the vulnerability and have been closely monitoring the issue ever since. Our software is no longer vulnerable to this type of attack and we are unaware of any incidents based on this research. All Absolute customers are using the current and supported version of our software.”

Absolute’s customer base is made up of manufacturers and vendors that produce electronic devices. In other words, the end user, or consumer of these products, is not a direct customer. And because of how LoJack works, it’s not easy for Absolute to simply send out a remote software update. The program is installed within the BIOS, or firmware, of devices. For a regular consumer, getting a patched version likely requires buying a newer computer that was built after 2014.

In 2009 and 2014, Absolute argued with researchers about the presence of certain security issues even in the face of public disclosures by cybersecurity companies Core Security and Kaspersky Lab. Absolute downplayed the seriousness of these flaws, noting that they required the attacker to have already invaded the computer.

CyberScoop spoke with multiple security experts who have personally analyzed the Computrace/Lojack program who say they’re still concerned about the product’s security and its potential for misuse — especially because of the pervasive tracking capabilities that otherwise make it an effective anti-theft tool.

“In 2014, we shared [with Absolute] what we had seen on a previous security issue in their BIOS agent,” explained Kamluk, director of Kaspersky’s Global Research & Analysis Team’s APAC division. “The agent lacked a digital signature and could be modified by anyone. Also it’s communication could be hijacked by a MiTM [man-in-the-middle] attack or tampered registry value which would lead to RCE (remote code execution) as user system.”

Arbor Networks’ latest research showed that the hacking group APT28, also known as “Fancy Bear,” had engineered a unique cyber-espionage technique by coopting an older version of Lojack. According to Arbor, APT28 successfully created a so-called “man-in-the-middle” (MiTM) attack, where the external connection inherently established by Lojack was instead rerouted to a Russian-owned command-and-control server.

Basically, the attack that Kaspersky predicted would happen did in fact occur three years later. And it was accomplished by a group that’s widely associated with Russia’s Main Intelligence Directorate, or GRU.

“Absolute claimed it posed minimal risk, because that agent was installed once and then replaced with a digitally signed agent from their server … [but] It turned out to be vulnerable,” Kamluk continued. “We had many questions about [Lojack’s] design [back in 2014]. It seemed to be relying on security by obscurity, which of course, is a very poor practice.”

The fear is that less advanced hacking groups will begin to adopt the same technique in the future.

“Computrace used a secret protocol relying on obscurity to enable/disable Computrace in BIOS,” said Kamluk. “The owner had no control over this feature once it was enabled.”

In practice, Lojack is supposed to help people locate their computer if it’s ever stolen or lost. But the same technology that makes it capable of tracking the device can also be corrupted for more malicious purposes.

“It’s understandable as an anti-theft mechanism, but imagine if it was activated by an evil attacker,” Kamluk explained. “The owner cannot get rid of this agent — it comes again with every system reboot … It is one of those ultimate persistence mechanisms.”

What makes this hacking tactic so effective is the cover it provides the attacker. The computer code behind Lojack is rarely flagged as malicious by major anti-virus vendors, meaning that someone could wrap their hacking tools in this same code to evade detection.

“The most notable aspect of using this software and the minute changes made to the C2 mean that it evades many anti-virus and host-based threat scanners,” said Richard Hummel, manager of threat research at Arbor Networks. “While it may ID the Absolute Lojack/Computrace software, it likely wouldn’t ID the rogue C2 server unless it was previously blacklisted or a known bad domain. The ability to hide in plain sight, coupled with the persistence mechanism inherent in the software, makes the threat ‘sticky.'”

“We’ve been told that newer iterations of the software are no longer susceptible to the same hijacking methods. However, we’ve not done any analysis on new samples, nor have we reverse engineered them to assess that the flaw exists in recent iterations,” Hummel added.

Absolute attempted to get Kaspersky to sign a nondisclosure agreement in 2014 about the research discovery. But the company never signed it.

Absolute originally did not immediately respond to the first warning sent by Core Security in 2009 but it later threatened a lawsuit and refuted aspects of the firm’s findings, according to one of the researchers involved.

In 2009 Computrace threatened to sue us (personally, not our employer) when @hannibals and I reported this bullshit at Blackhat. Told you so. https://t.co/n5aRnYlqV8 — Alfredo Ortega (@ortegaalfredo) May 1, 2018

Anibal Sacco, an Argentinian cybersecurity researcher who co-authored Core Security’s 2009 research with Alfredo Ortega, was one of the first experts to pinpoint the coding issue in Computrace. He remains skeptical about Lojack’s security architecture and Absolute’s engineering practices.

“They definitely ignored us in the first place, and then they came out denying everything,” Sacco said. “I would love to know what they’ve patched … Is it the fact that the binary is whitelisted via string signature instead of cryptographic signature? Or that the url where they connect to is not ‘protected.'”

“This software comes pre-installed in every bios waiting for an attacker to enable it,” said Sacco. “It should be handled even more transparently than other products … I don’t wanna sound like a conspiracist but at some point I thought that’s the whole idea of this software: to serve as some sort of ready to use backdoor.”

There’s no evidence to suggest that Absolute purposefully planted the vulnerability in the product.

In a statement sent to CyberScoop, Absolute stated: “Nothing is more important to us than the security of our customers, and the idea that someone could maliciously use our old technology is deeply concerning. We are taking every precaution to ensure any issues are immediately addressed.”