
ASUS LiveUpdate vulnerable to impersonation attacks

Hello LTT forum.

 

Came across this article by GitHub user "indrora".

I feel that this should be shared with more people since it makes any computer with LiveUpdate installed very vulnerable to attack.

https://gist.github.com/indrora/2ae05811a2625a6c5e69c677db6ea331

 

The simple solution is to just uninstall LiveUpdate from your system.

The biggest problem seems to be the fact that LiveUpdate is preinstalled on many laptops that come with Asus hardware.

 

Please note that I am not the author of this article.

I have only signed up today in order to share this article; I rarely participate in forums.

I find it odd how Asus wouldn't have encryption on their servers... Is it to save a few bucks?

I once explained to my girlfriend what true love is. I said, "If you were a shit, I'd put you back in" and to this day, she is still my little shit. 


If it was to save a few bucks you would think they would at least require some sort of verification.

Quote

There is no verification done of the authenticity of this XML file or the items it points to.

So LiveUpdate will literally run anything it receives as an update, leaving the BIOS vulnerable to a "flashing".
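
What the missing verification could look like on the client side, as an added example that is not part of the thread, the linked gist or ASUS's software: a PowerShell function that refuses a downloaded update file unless its Authenticode signature is valid and the signer is the expected publisher. The function name, the publisher string and the path are assumptions.

```powershell
# Added example: vet a downloaded update binary before it is allowed to run.
# -ExpectedPublisher is an assumption: use the signer name you have confirmed
# out of band for the vendor. The path in the usage line is constructed.
function Test-UpdatePayload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [string] $ExpectedSha256   # optional, obtained over an authenticated channel
    )

    function New-Verdict([bool] $Trusted, [string] $Reason) {
        [pscustomobject]@{ Path = $Path; Trusted = $Trusted; Reason = $Reason }
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return New-Verdict $false 'File not found'
    }

    # 'Valid' means the file is unmodified since signing and the certificate
    # chains to a root this machine trusts. Anything else is rejected.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return New-Verdict $false "Signature status: $($sig.Status)"
    }

    # A valid signature from anyone is not enough: require the expected signer.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedPublisher) {
        return New-Verdict $false "Unexpected signer: $signer"
    }

    # Optional second check against a digest published separately.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            return New-Verdict $false 'SHA-256 mismatch'
        }
    }

    New-Verdict $true "Signed by $signer"
}

# Usage with constructed values; run only payloads where Trusted is $true.
Test-UpdatePayload -Path 'C:\Temp\update-payload.exe' -ExpectedPublisher 'Example Vendor Inc.'
```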


"Luckily" the program is as useless as it gets; I don't think I got 1 update in a year, or actually a single update since I bought my laptop. I don't even install it anymore.

The ability to google properly is a skill of its own. 


I found this report made by the people at Duo.

Out-of-Box Exploitation: A Security Analysis of OEM Updaters (PDF)

 

On page 15 (17 in PDF pages), they talk about Asus being the worst:

Quote

Asus appears to be one of the worst OEMs we looked at, providing attackers with functionality that can only be referred to as remote code execution as a service. The “Asus Live Update” software contains no security features whatsoever, allowing for easy exploitation. Oh yeah, we should probably mention they use this atrocity to push out BIOS updates too.

 

I'm both amazed and horrified at how they have been allowed to do this for so long (the original linked article talked about it happening since XP), but I'm more horrified about the fact that Asus is not alone in providing horrible security as an OEM.

Asus live update is useless. I open the Asus site and I see the latest BIOS for my board. Leaving the site open, I fire up live update to see if it will detect the new BIOS. Nope, it didn't.

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 


Just one of the reasons, when it comes to pre-installed OSs, why I prefer OS X. At least Apple doesn't deliver half-baked, insecure programs.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

EVs are bad, they kill the planet and remove freedoms too some

Is it the same as EZ Update, as it's called in the AI suite?

Watching Intel have competition is like watching a headless chicken trying to get out of a mine field

CPU: Intel I7 4790K@4.6 with NZXT X31 AIO; MOTHERBOARD: ASUS Z97 Maximus VII Ranger; RAM: 8 GB Kingston HyperX 1600 DDR3; GFX: ASUS R9 290 4GB; CASE: Lian Li v700wx; STORAGE: Corsair Force 3 120GB SSD; Samsung 850 500GB SSD; Various old Seagates; PSU: Corsair RM650; MONITOR: 2x 20" Dell IPS; KEYBOARD/MOUSE: Logitech K810/ MX Master; OS: Windows 10 Pro


4 minutes ago, NumLock21 said:

Asus live update is useless. I open the Asus site and I see the latest BIOS for my board. Leaving the site open, I fire up live update to see if it will detect the new BIOS. Nope, it didn't.

That should make it easy to get rid of without losing any convenience.

Sadly not everyone who buys an Asus laptop is technical enough to install it themselves or even to uninstall it.

1 minute ago, Jimdaggert said:

That should make it easy to get rid of without losing any convenience.

Sadly not everyone who buys an Asus laptop is technical enough to install it themselves or even to uninstall it.

Most don't bother running it.


2 minutes ago, Notional said:

Is it the same as EZ Update, as it's called in the AI suite?

I believe that it is, yes; in the article/report the author mentions it, although by a different name.

Quote

This looks to have been at one point called "ASUS Easy Update" and has been around since at least the XP days.

I can't be totally sure that it is the same.


2 minutes ago, NumLock21 said:

Most don't bother running it.

It doesn't run at startup on Asus laptops where it comes pre-installed?

That's at least good to hear if that is the case.


2 hours ago, suicidalfranco said:

Just one of the reasons, when it comes to pre-installed OSs, why I prefer OS X. At least Apple doesn't deliver half-baked, insecure programs.

Or you could just do a clean install, as you probably should do.

1 hour ago, spartaman64 said:

Or you could just do a clean install, as you probably should do.

Or you shouldn't have to do it and get the optimal experience from the instant you purchase it.

But then again, the last time I opened a new notebook and let Windows greet me was a long, looooong time ago. Now I instantly install whatever Linux distro I have in my backpack the moment I get out of the store, and go get a drink at the bar.

