Duo Labs, the research team at Duo Security, has discovered new security vulnerabilities in the software update tools preloaded on laptops of some popular brands. In its new published study 'Out-of-Box Exploitation: A Security Analysis of OEM Updaters', Duo Labs found that laptops from HP, Dell, Acer, Asus, and Lenovo carried security vulnerabilities right out-of-the-box that if exploited could allow attackers to take over the system in just 10 minutes.
The research team noted, "Every OEM we looked at included one (or more) [vulnerabilities] with their default configuration." The team found 12 different software vulnerabilities in the software update tools that come preloaded on laptops from HP, Dell, Acer, Asus, and Lenovo.
The researchers investigated the Lenovo Flex 3, HP Envy, HP Stream x360 (Microsoft Signature Edition), HP Stream (UK version), Lenovo G50-80 (UK version), Acer Aspire F15 (UK version), Dell Inspiron 14 (Canada version), Dell Inspiron 15-5548 (Microsoft Signature Edition), Asus TP200S, and Asus TP200S (Microsoft Signature Edition).
Steve Manzuik, Duo Security's Director of Security Research explained to IBTimes UK, "Short of explicitly disabling updaters and removing Original Equipment Manufacturer [OEM] components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. In general you have to be a tech person to understand there's a problem and then know how to fix it. You have to know to go to the manufacturer's website and know how to download and install the software. We knew these laptops were being bought by people who aren't tech people."
Talking about the five OEMs, Manzuik said that Acer and Asus were the "worst." Manzuik said, "With Asus, there were two different vulnerabilities. This one had code execution that was quite obvious and easy to exploit - it literally took less than 10 minutes to attack the system using that vulnerability."
Duo Labs also suggested some steps for users to safeguard from preloaded software vulnerabilities including wiping any OEM system, and reinstalling a clean and bloatware-free copy of Windows before the system is used. The research team also suggests identifying any unnecessary software and disabling or uninstalling it.
"Dell, HP and Lenovo vendors (in specific cases) appeared to perform more security due diligence when compared to Acer and Asus," added the study.
Soon after Duo Labs reached out to the OEMs, many fixed the vulnerabilities by releasing fixes. According to the research team, HP, Dell, and Lenovo released the fixes. Acer and Asus acknowledged the vulnerabilities and will soon release a fix.
This is not the first time popular laptop OEMs have been identified carrying software vulnerabilities preloaded as previously cases such as the Superfish fiasco where Lenovo was caught installing adware on many of its PCs as well as eDellRoot where Dell was reported to be shipping its systems with a self-signed digital certificate that could be exploited by hackers to leave the system vulnerable to man-in-the-middle attacks.