Security researchers have discovered critical vulnerabilities in popular off-the-shelf HP, Acer, Dell, Asus and Lenovo laptops that make it possible for hackers to hijack and compromise the PCs in less than 10 minutes.
Among cybersecurity professionals, it's commonly known that if you want to have a secure PC, you probably shouldn't use a regular off-the-shelf consumer laptop as they come with 'bloatware', or third-party pre-installed software that users don't really need.
However, no one has ever definitively proved that consumer laptops aren't that secure, so researchers from Duo Security in the US decided to test out 10 different laptops by HP, Acer, Dell, Asus and Lenovo sold by retailers in Canada, the UK and the US. Ahead of the full report published today (31 May 2016), their project also exposed the eDellRoot backdoor found in Dell PCs in November 2015.
All the laptops come with automatic updaters developed by the computer's manufacturer to update system drivers or the BIOs, as well as the bloatware, and the researchers discovered that every single manufacturer's updater had security vulnerabilities that put millions of consumers at risk.
Hackers can hijack your computer in less than 10 minutes
"Short of explicitly disabling updaters and removing Original Equipment Manufacturer [OEM] components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components," Steve Manzuik, Duo Security's director of security research told IBTimes UK.
"In general you have to be a tech person to understand there's a problem and then know how to fix it. You have to know to go to the manufacturer's website and know how to download and install the software. We knew these laptops were being bought by people who aren't tech people."
The researchers say that the updaters communicate with the manufacturers' servers to receive updates every few days, weeks or months, but some of the laptop vendors are not even making use of basic encryption to secure communications, so it is easy for an attacker to modify data being sent from the server to the laptops and add an extra file that might run on the laptop and do something bad.
"On each laptop there's a lot of different software doing very different things built by different departments. I have the feeling it's very difficult for the manufacturer to track. It's a short turnaround and the manufacturer probable doesn't get enough time to secure each piece of software," said Duo security researcher Darren Kemp.
"For example, in one Lenovo updater, they obviously put in a lot of effort to secure it, and then running parallel to it was another updater that had none of the security features enabled."
How the laptop manufacturers responded
The research was conducted between October 2015 and April 2016, and Duo Security informed each manufacturer as soon as they spotted each vulnerability. However, while some of the laptop vendors responded to the threat immediately, others did not and some have still not even patched the vulnerabilities.
"Asus and Acer were the worst. With Asus, there were two different vulnerabilities. This one had code execution that was quite obvious and easy to exploit – it literally took less than 10 minutes to attack the system using that vulnerability," said Manzuik.
"They have told us they are patching the issue, but we have still not seen a patch from it. They originally did make a patch, but then they didn't release it. We told them about the bugs over three months ago."
Duo Security praised Lenovo and HP for taking the risks seriously and having a process in place for researchers to report such issues. In fact, Lenovo has decided to completely remove the offending updater software from its laptops.
"The best advice we can offer is to make sure you remove all the third-party bloatware on these machines. In a lot of cases, our biggest concern is that a lot of people are buying these laptops and then bringing them into the corporate network. IT guys need to tell them to remove bloatware and clean the computers up," warned Manzuik.
"Users should also make sure they're using good passwords, two-factor authentication and to turn on encryption."