It’s always a nice feeling to power up a new laptop or notebook for the first time.
The machine boots in no time, the desktop isn’t cluttered with 18 months’ worth of stuff, and everything just works. There’s also that really nice feeling knowing that the laptop is clean and virus free. Or at least it should be. It turns out that nothing could be further than the truth.
At least that’s according to a research team from Duo Security.
A new study released by the Duo Labs team has found a veritable plethora of security vulnerabilities in the software update tools that come preinstalled with some of the most popular brands of laptop makers.
Duo Labs have discovered that Laptops from Acer, Asus, Dell, HP, and Lenovo come preloaded with security issues fresh from the factory.
All of the above manufacturers were found to have security issues that would allow hackers to piggy back on the update processes and install malicious code the first time a new laptop connected to the internet.
Worse still, the skills and experience required to hack the new laptops was deemed to be minimal. Each of the OEM vendors listed were found to have at least one vulnerability that the Duo Labs team rated as being high risk.
Among the security failures discovered were the delivering of updates without using HTTPS, and also the non-signing and non-validation of update files. Neither of these flaws is good news for consumers.
Duo Labs also had some sharp words for the ‘bloatware,’ that the OEMs (Original Equipment Manufacturers) insisted on installing on their laptops. OEMs routinely install programs that come with free 30 day trials, and sometimes more than one product registration form.
Most of this ‘bloatware’ is, according to Duo Labs, a) unnecessary, and b) not installed at users requests, and c) often the weak link in the security chain.
Suggestions for OEMs
The Duo Labs report concludes with the recommendation that OEMs should make their OEM updaters harder to hack, and should consider reducing or controlling the extra as standard software they allow to be preinstalled on the laptops they produce.
For the rest of us….
It’s not great news, I’m afraid to say.
Short of wiping the OS and installing a clean version of Windows 10, or uninstalling and disabling the OEM updaters, there’s next to nothing us poor end users can actually do.
But thank the heavens for small mercies.
Before publishing the report, the guys at Duo Labs gave their findings to the companies in question, and some of them, like HP have taken steps to fix their security issues already, while others, like Lenovo, are said to be releasing a patch to address the vulnerabilities shortly. And credit where credit is due, Dell were reported to have fixed all their issues fairly promptly.
All the same, if you do own a laptop, it’s probably a good idea to get your hands on some independent 3rd party security software. If you want that security for free, you could do a lot worse than installing something from FileHippo.com, the link for which you can find here.
You can download the pdf of the Duo Labs report, here.