Full System Compromise in Under Ten Minutes
Duo Security, a cloud-based trusted access provider protecting the world’s largest and fastest-growing companies, has investigated software update tools spanning five vendors - Acer, Asus, Dell, Hewlett Packard (HP), and Lenovo - and identified and reported twelve different vulnerabilities across all the vendors.
All vendors had at least one vulnerability that allowed for a complete compromise of the affected machine. Attackers could exploit most of the vulnerabilities described in the full report with very little effort and at little to no cost. The full report can be found at https://duo.com/decipher/out-of-box-exploitation-a-security-analysis-of-oem-updaters. In many cases, the consistent use of encryption would have made the vulnerabilities much more difficult to exploit.
These vulnerabilities become a significant problem for companies whose employees use their Acer, Asus, Dell, HP, or Lenovo laptops with default settings in the workplace. The vulnerable devices open an entire organization up to an attack resulting in a data breach.
“Security researchers have always known that consumer laptops sold in the big box stores were vulnerable to hackers,” said Darren Kemp, Security Researcher at Duo Labs. “Vulnerabilities are present because these machines are loaded with third-party programs and bloatware that are not sufficiently reviewed for security. We were just surprised at how bad these add-ons made things once we began our investigation. For a system administrator, it’s a bit of a nightmare when these machines are used for business applications and to access company email. To protect an organization, policies need to be in place to block access to sensitive corporate data from vulnerable or risky devices.”
Duo Labs, the security research team at Duo Security, reported these vulnerabilities to all five vendors at least 90 days ago, which is the standard timeline given to vendors to fix a vulnerability before public disclosure. At this time, Hewlett-Packard has responded and fixed the high-risk vulnerabilities. Acer and Asus have responded, but have not released their fix timelines yet. Lenovo removed the vulnerable software from their systems, effectively making those machines no longer vulnerable.
Duo Labs recommends that users fully disable updaters and remove all third-party components to be fully protected from these vulnerabilities. In addition, organizations should install basic security functions, such as two-factor authentication, to ensure users are who they say they are, and turn on encryption.
About Duo Security
Duo Security is a cloud-based trusted access provider protecting the world’s fastest-growing companies and thousands of organizations worldwide, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Twitter, Yelp, Zillow, and more. Duo Security’s innovative and easy-to-use technology can be quickly deployed to protect users, data, and applications from breaches, credential theft and account takeover. Duo Security is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. Try it for free at www.duo.com.