Research finds critical out-of-the-box vulnerabilities on big-name laptops

When you buy a new PC it inevitably comes with a range of extra software — bloatware if you will — ranging from the maker’s own updater tools to trials of antivirus and other products.

Trusted access provider Duo Security has carried out some research into how this extra software could be making users more vulnerable and invading their privacy.

It tested a total of 10 new laptops from Acer, Asus, Dell, HP and Lenovo and found that all the vendors had at least one vulnerability that allowed for a complete compromise of the affected machine. Most of the vulnerabilities found in the study needed little sophistication or effort and little to no cost to exploit.

This is particularly significant for companies with BYOD policies whose employees use their laptops in the workplace with default settings. The vulnerable devices can open an entire organization up to an attack resulting in a data breach.

Some vendors allowed silent updates, giving the user no indication of when new patches or software are installed or for what purpose, which makes it difficult for the end user to identify unwanted applications.

“Security researchers have always known that consumer laptops sold in the big box stores were vulnerable to hackers,” says Darren Kemp, security researcher at Duo Labs. “Vulnerabilities are present because these machines are loaded with third-party programs and bloatware that are not sufficiently reviewed for security. We were just surprised at how bad these add-ons made things once we began our investigation. For a system administrator, it’s a bit of a nightmare when these machines are used for business applications and to access company email. To protect an organization, policies need to be in place to block access to sensitive corporate data from vulnerable or risky devices”.

The Duo team reported these vulnerabilities to all five vendors at least 90 days ago. At the time of writing, HP has responded and fixed the high-risk vulnerabilities. Acer and Asus have responded, but have not yet released their fix timetables. Lenovo has removed the vulnerable software from its systems, effectively making those machines no longer vulnerable.

Kemp adds, “The only way for users to be safe is to uninstall the extra components but this can prove difficult for the non-technical. Microsoft Signature Edition machines go some way towards reducing the attack surface but often they still include flawed OEM installers”.

More detail on the vulnerabilities can be found on the Duo blog along with a link to download the full report.