A test of seven OEM laptops running Windows has shown consistent privacy and security issues, including an interesting revelation that the McAfee Antivirus running on six of them is using web beacons to serve ads and possibly even track users online.

The seven laptops – Lenovo Flex 3, Lenovo G50-80 (UK version), HP Envy, HP Stream x360 (Microsoft Signature Edition), HP Stream (UK version), Acer Aspire F15 (UK version), and Dell Inspiron 14 (Canada version) – have been tested by the security research team of Duo Security by simply sniffing the traffic sent from and to them once they have been taken out of the box, plugged in, and connected to a network.

“The focus of our research was on home systems accessing multiple networks, including public Wi-Fi and the corporate environment. However, this research also impacts corporate enterprises looking to improve both security and privacy settings for Windows 8.1 and Windows 10,” they explained.

“Within the first few packets on all seven laptops, there were issues. It took awhile to figure them out, as much of the traffic was encrypted and one had to go by server hostname or calling program name, or by reverse-engineering the calling code to find out what was going on,” they pointed out.

Findings

Among the other things they found were:

A pre-installed, trusted eDellRoot root CA certificate with an associated private key, as well as an Atheros Authenticode signing certificate shipped with the Bluetooth software on the Dell Inspiron 14. (This was publicly revealed at the same time that the existence of the eDellRoot certificate on all desktop and laptops shipped by Dell since August 2015 was unearthed by several security researchers and journalists).

There are many features in Windows 8 and 10 that collect data about the user and laptop, and many privacy settings. “Many of the applications and services connected to these privacy settings start phoning home as soon as the laptop is connected to a network, before you are logged in. For anyone concerned about privacy, it would be ideal to have a chance to opt out – particularly when it’s not obvious that the collection and uploading of data is even happening,” the researchers pointed out.

Unfortunately, changing privacy settings is not as straightforward as one would hope. In some cases, the user would have to disable a service or create/adjust registry keys – and that’s not something that most users know how to do.

After Patch Tuesday updates, many of the privacy settings are reset to their default settings, and the user doesn’t get notified of this.

Default laptop settings (e.g. open ports) and protocols make it easy for an attacker to sniff and redirect the laptop user’s traffic when the device is connected to insecure, open Wi-Fi networks.

McAfee is using web beacons that can be used to track and serve advertising to users. “In our opinion, this is the only purpose these web bugs serve,” the researchers noted, but pointed out that trusting third party sites and allowing them to load content it not a good security practice.

The only good news is that all the aforementioned traffic to Microsoft or OEM vendor servers is encrypted by default.

Mitigation

“Mitigation [for all of this] is to turn off all of the privacy settings, make some registry settings adjustments, and turn off some services. And as stated, redo everything each time you patch,” the researchers advised. Removing McAfee, setting up Windows Defender, and adjusting firewalls to stop the transmission of data is also a good idea.

More details about Duo Labs’ research and instructions on how to perform those mitigations, as well as to configure advanced security settings, can be found in this technical whitepaper.