Laptop theft can be disastrous. The best case is that someone is out the hundreds of dollars they spent on a secondary computer. The worst case is that someone uses the laptop to steal confidential files, access online accounts and otherwise interfere with every aspect of the victim's digital life. That's why many OEMs make it easier for people to retrieve their systems by pre-installing Absolute Software's LoJack anti-theft utility on their laptops. But a report from ESET this week revealed that hackers used LoJack to create the first UEFI rootkit seen outside their lab.
A rootkit is software used to give someone access to a PC without detection. ESET dubbed this particular instance LoJax (the only thing security researchers may like more than discovering new threats is giving them clever names) and said it's been found in systems in the Balkans, as well as Central and Eastern Europe. The company attributed LoJax to a hacking group known as Sednit, APT28, Fancy Bear and others. Some of those ought to sound familiar; the U.S. Department of Justice blamed the group for the Democratic National Committee (DNC) hack that occurred before the 2016 presidential election. The group has been active since 2004.
LoJax is very worrisome for two reasons: the sheer number of devices it could target and the difficulty associated with removing it from a system. The first problem results from the near-ubiquity of LoJack; it's easier to name a company with which Absolute Software hasn't partnered than to list all of the ones it has. The utility's website lists everyone from Apple and Microsoft to Acer and Toshiba as partners. Not all of these partners ship their laptops with LoJack pre-installed, but many of them do, and those devices could be at risk of being targeted by LoJax because of it.
However, many may not be aware LoJack came pre-installed on their systems. It makes sense for manufacturers to partner with an anti-theft company to make all the appropriate preparations in case a laptop is stolen; you can't install the anti-theft software after you notice your laptop's gone. But we aren't aware of a single laptop manufacturer advertising their partnership with LoJack or directly disclosing its presence to customers. How are people supposed to know they can sign up for LoJack's services if they're never told about the utility in the first place?
The other problem with LoJax is how persistent it can be. LoJack was designed to remain operational even if a thief installs a new operating system or replaces a laptop's storage. LoJax can use that same persistence to make it next to impossible for the average person to detect its presence or know how to remove it from their system when they do. There are steps they can take to protect themselves, such as enabling Secure Boot in Windows to prevent unsigned firmware from being installed, but that's about all the average user can do.
"There are no easy ways to automatically remove such a threat from a system. In the case we described above: in order to remove the rootkit, the SPI flash memory needs to be reflashed with a clean firmware image specific to the motherboard. This is a delicate operation that must be performed manually. It is definitely not a procedure that most computer owners are familiar with. The only alternative to reflashing the UEFI/BIOS is to replace the motherboard of the compromised system outright."
There is an upside: ESET said the malware it discovered exploits a vulnerability in older chipsets that shouldn't be present in any motherboards using chipsets with an integrated Platform Controller Hub. But these problems are never limited to a single exploit. Remember when researchers didn't find a new problem with Intel's Management Engine every few months? Or when the Meltdown and Spectre vulnerabilities were unique? Now that one UEFI rootkit has been found in the wild, it's reasonable to expect that more will be discovered.
We reached out to Absolute Software to learn more. After seeing complaints that Microsoft accidentally let this rootkit function by making an exception in Windows' defenses for LoJack to use, we reached out to them too. We'll update this post if we hear back from either company. In the meantime, you can find ESET's full paper on LoJax here, and a blog post from Arbor Networks published in May offers more background information on LoJax.