Researchers find that laptops shipped by HP, Lenovo, Acer, Asus and Dell have bloatware which can be hacked
Researchers from Duo Security have found that almost all big ticket PC/laptop vendors have bloatware which can be easily hacked by malicious actors to gain admin control or steal information. Duo Security researchers found 12 vulnerabilities in the bloatware on laptops shipped by Dell, HP, Asus, Acer and Lenovo.
The problems relate to the bloatware that vendors put on laptops. “The OEM software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivised crapware. Some apps do nothing more than add a shortcut to launch your web browser to a specific site,” the company said.
The problem occurs when these OEM manufacturers insist on adding their own software on the laptops to make it more appealing to buyers. However, in most instances, the buyers are annoyed by this bloatware.
“The experience is annoying to most people for a number of reasons. In addition to wasting disk space, consuming RAM, and generally degrading the user experience, OEM software often has serious implications for security.”
One of the vulnerabilities listed by Duo Security is Superfish in Lenovo. The Lenovo PCs apparently come with pre-installed adware that uses Man-in-the-middle method to inject any ad into any page however trusted and secure. This adware can be hacked easily say the researchers.
“Every time something like this happens we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any, security review was performed,” said Duo.
“It’s well known in the security research community that OEM software is a vulnerability minefield, but finding them is not particularly exciting. But that’s also why OEM software has remained a major security problem.
“So we decided to dig deep to find out just how bad the issue is, and provide recommendations for consumers to protect themselves against the security gaps and annoyance that bloatware presents.”
The researchers also found the Dell has a high-risk vulnerability called eDellroot while HP has two high ranking flaws that can enable arbitrary code execution and five lesser vulnerabilities.
Asus and Lenovo have one high-risk vulnerability each, again risking arbitrary code execution, while Acer has two and Asus has one medium severity local privilege escalation flaw.
The 10 devices tested by Duo Security were Lenovo Flex 3, HP Envy, HP Stream x360 (Microsoft Signature Edition), HP Stream (UK version), Lenovo G50-80 (UK version), Acer Aspire F15 (UK version), Dell Inspiron 14 (Canada version), Dell Inspiron 15-5548 (Microsoft Signature Edition), Asus TP200S and Asus TP200S (Microsoft Signature Edition).
