SecurityWeek

Absolute Software Strikes Back Over Computrace Security Vulnerability Claims

Absolute Software hit back on Kaspersky Lab’s assertion that its Computrace software can be exploited by hackers.

Computrace is marketed as a product that can help organizations track and secure their endpoints. In a report Wednesday, Kaspersky Lab researchers said the network protocol used by the Computrace Small Agent provides the opportunity for remote code execution. The protocol does not require the use of any encryption or authentication of the remote server, opening up avenues of attack.

“The protocol doesn’t use any encryption or authorization with the remote server, which creates numerous opportunities for remote attacks in a hostile network environment,” according to Kaspersky Lab. “Although encryption seems to be added to the protocol at some later stages of communication, an attacker may utilize the basic unencrypted protocol to successfully hijack the system remotely. A typical attack on a local area network would be to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning. Another possibility is to use a DNS service attack to trick the agent into connecting to a fake C&C server.”

Absolute Software CTO Phil Gardner, however, called the Kaspersky Lab analysis flawed.

“The installation process is under the full control of the Absolute Computrace administrator and once the installation is complete, the communication is secure and uses encryption as well as authentication of the host server to reject attacks as described in the Kaspersky report,” he said in a statement. “There is no clear text transmission of any data and the protocol of the full agent will reject attempts to communicate without authorization and will only communicate with mutual authentication of the server and the client.  The rebuilding process (Absolute persistence) is armed.”

“The Absolute Computrace rebuild mode cannot be forced from outside the system through an attack on a secure system via the fully installed Absolute Computrace software agent,” he added. “The discussion of ARP attacks and DNS attacks are irrelevant since the encrypted and authenticated communication of the full agent would have to be defeated first.”

It is also irrelevant that the small agent is not signed, Gardner said.

“This is for efficiency, but does not compromise the security of the system since the source of the binary is from firmware,” he said. “Modern firmware is signed as a package and the individual components do not have to be signed since the integrity of the system was verified at boot.”

Kaspersky Lab also took issue with the persistence of the software, which researchers said is difficult to remove. However, Gardner said the software does not hide from antivirus and requires an administrator’s permission to “maintain its function as a component in the security subsystem of their systems.”

In addition, Absolute Software said that any potential attack depends upon the endpoint or other devices being compromised first.

Kaspersky Lab is not the first to raise security concerns about the software. In 2009, researchers from Core Security Technologies warned that an attacker could potentially modify the system registry to hijack callbacks from Computrace.  

Kaspersky Lab says it has no proof that Absolute Computrace is being actively used as a platform for attacks. 

Written By

Marketing professional with a background in journalism and a focus on IT security.
