
Dell, Toshiba and Lenovo, three strikes OUT!

Bsmith

Since this news hasn't reached official channels yet, I will do my best to write it down here in as much detail as possible and give as much information as I can.

I am not responsible for any sites visited in the mentioned article. I personally strongly recommend people not to click the links in the aforementioned tweet/site unless they know what they are doing and the possible dangers, since you might cross the line on what is legal and what is not!

In case this topic contains links or anything that goes against the CoC (due to this being a grey area to me), the mods are allowed to remove them, although I would appreciate it if the tweets were left in place, since they are my sources.

 

On 3 December 2015 - 7:36 a tweet got released with the following text.

 

 

The tweet by thewack0lian, a security researcher, claims to have found an exploit which is able to hit 3 OEMs through pre-installed applications.

Not much later another Twitter account confirms that these OEMs are Dell, Toshiba and Lenovo and calls this a hat-trick (3 goals within 1 game in football/soccer).

 

 

The link in the first tweet sends you to a page which has a small introduction directly pointed at the OEMs and a way to contact the researcher through IRC channels.

The message contains the following text.

 

 

Dell, Toshiba, Lenovo

Three OEMs. Three issues.

 

ToL presents to you 2015-12 three OEM fails at once!

a UAC bypass in Dell System Detect...

A SYSTEM registry read in Toshiba Service Station...

And a local privesc in Lenovo Solution Center!

 

Contact us at irc.rol.im #rol or http://roll.im/chat

Follow slipstream on twitter: @ thewack0lian

enjoy your pwnage! ;-)

 

Further on the page there are a couple of links, the first one being a download link which allows you to use these exploits and discover them yourself and maybe even safeguard yourself in case you run a system that is vulnerable to one of these exploits. The second link on this page is also a download link, but for something rather different, once again aimed at Lenovo, for whom this truly is the 3rd strike if you remember the Superfish incident earlier this year which involved Lenovo.

 

Although I have not looked into this myself, I assume that the breaches found can be considered harmful until more information gets outside.

The Dell-related breach might be related to a bug reported earlier today, which allowed outside people to ping (check) a whole network from a single infected system.

 

 

 

Since this hasn't reached official channels yet and none of the named OEMs has put out any official reports on this, it is hard to tell how big the leaks are and how much abuse has already been done.

Although it doesn't seem like this researcher wants to do harm to the OEMs, it seems he took this approach to ensure their attention and alert people, since together those three OEMs make up a fair share, if not >50%, of the prefab system market, which only enlarges the possible dangers of the issues.

Like I said before, I am no professional on this subject, but I can see the potential dangers in this case: they are able to go from bypassing a security line up to full system breach, considering one of the issues gives access to a "hidden" part of the OEM's solution centre which gets used for hardware checks and an extra safety measure.

 

Up till now this is everything I have been able to find about this. Since I can't stay awake the whole night (would love to do that), I will do my best to update this once again tomorrow.

 

UPDATE:

I have been trying to look into this more, without passing the barrier of my knowledge and not crossing the line of things that might be legally questionable.

Sadly the outcome didn't give any more insights into this or the way the breaches could be abused. As far as I know none of the companies has let out any official news yet regarding this; they might put out an official response once the issues have been solved or abused in such a way that it could endanger their whole ecosystem.

Looks like they try to keep it under the radar out of safety, which is understandable, but for how long is it going to work?

May the light have your back and your ISO low.


GG, but I do hope they fix that ASAP

Hello there, fellow dark theme users

"Be excellent to each other and party on dudes." - Abraham Lincoln    #wiiumasterrace

 


will have to see how this unfolds.

Main Rig "Rocinante" - Ryzen 9 5900X, EVGA FTW3 RTX 3080 Ultra Gaming, 32GB 3600MHz DDR4


I don't have Lenovo Solution Center on my Y50 so...

i5 4670k @ 4.2GHz (Coolermaster Hyper 212 Evo); ASrock Z87 EXTREME4; 8GB Kingston HyperX Beast DDR3 RAM @ 2133MHz; Asus DirectCU GTX 560; Super Flower Golden King 550 Platinum PSU;1TB Seagate Barracuda;Corsair 200r case. 


who the hell buys an OEM PC..and doesn't format it right away and clean install except noobs..and they wouldn't even care about this

If you need remote help fixing something on your computer

I can help over Teamviewer if you wish

just msg me on my profile


who the hell buys an OEM PC..and doesn't format it right away and clean install except noobs..and they wouldn't even care about this

Suddenly noobs have no right to their privacy?

QUOTE ME IN A REPLY SO I CAN SEE THE NOTIFICATION!

When there is no danger of failure there is no pleasure in success.


Suddenly noobs have no right to their privacy?

they don't care about privacy...everyone posts their full f'ing life on Facebook

If you need remote help fixing something on your computer

I can help over Teamviewer if you wish

just msg me on my profile


Uh huh.  Carry on.

People make me sighh... 

 

sighhhhhh

Fedex Ground must be on Horse back, It took 7 days to go 200 miles


they don't care about privacy...everyone posts their full f'ing life on Facebook

 

 

Uh huh.  Carry on.

 

 

People make me sighh... 

 

sighhhhhh

Working at a computer repair shop and well... he does have a point. Noobs suck at caring about their privacy. 

Space Journal #1: So Apparently i  was dropped on the moon like i'm a mars rover, in a matter of hours i have found the transformers on the dark side of the moon. Turns out its not that dark since dem robots are filled with lights, i waved hi to the Russians on the space station, turns out all those stories about space finding humans instead of the other way around is true(soviet Russia joke). They threw me some Heineken beer and I've been sitting staring at the people of this forum and earth since. 


Working at a computer repair shop and well... he does have a point. Noobs suck at caring about their privacy.

This generalization is painful... @Samfisher makes a valid point. Or consider laptops assigned for company use that still have these software packages on them.

Desktop:     Core i7-9700K @ 5.1GHz all-core = ASRock Z390 Taichi Ultimate = 16GB HyperX Predator DDR4 @ 3600MHz = Asus ROG Strix 3060ti (non LHR) = Samsung 970 EVO 500GB M.2 SSD = ASUS PG279Q

 

Notebook:  Clevo P651RG-G = Core i7 6820HK = 16GB HyperX Impact DDR4 2133MHz = GTX 980M = 1080p IPS G-Sync = Samsung SM951 256GB M.2 SSD + Samsung 850 Pro 256GB SSD


This generalization is painful... @Samfisher makes a valid point. Or consider laptops assigned for company use that still have these software packages on them.

I know it's a generalization and I know I'm insulting some when I made the comment. But I was speaking from my experience working at my job. The people who don't know how to use their computers or phones as well as others or to their full potential don't care much about their privacy. The business clients sure as hell do for the few dental and law offices we install computers for, but the old people don't, and most of the young generation that come in to fix their phones and MacBooks acknowledge the fact that their privacy isn't really private with the things they do, but they don't care.

Space Journal #1: So Apparently i  was dropped on the moon like i'm a mars rover, in a matter of hours i have found the transformers on the dark side of the moon. Turns out its not that dark since dem robots are filled with lights, i waved hi to the Russians on the space station, turns out all those stories about space finding humans instead of the other way around is true(soviet Russia joke). They threw me some Heineken beer and I've been sitting staring at the people of this forum and earth since. 


Now, who's left to trust? Acer??

This generalization is painful... @Samfisher makes a valid point. Or consider laptops assigned for company use that still have these software packages on them.

I've had to deal with one of such laptops recently... A Lenovo G40 (iirc)... The bloatware is real... I was itching to get all the unnecessary stuff uninstalled but had to hold back as it was a company-issued laptop...


they don't care about privacy...everyone posts their full f'ing life on Facebook

as much as I'd want to shun you for saying this, I have to say I agree here...

spending most of my time around "noobs" I have come to realise they wouldn't even mind if the NSA was watching them through their laptop webcam 24/7

"i've got nothing to hide"


Now, who's left to trust? Acer??

-snip-

Time to drop this bomb,

apple.....

May the light have your back and your ISO low.


as much as I'd want to shun you for saying this, I have to say I agree here...

spending most of my time around "noobs" I have come to realise they wouldn't even mind if the NSA was watching them through their laptop webcam 24/7

"i've got nothing to hide"

Surprisingly it's the other way round with me, maybe it's a cultural thing but almost every non-computer guy I know has a sticker on his webcam and most of their social media accounts are private.

If you want to reply back to me or someone else USE THE QUOTE BUTTON!                                                      
Pascal laptops guide


Surprisingly it's the other way round with me, maybe it's a cultural thing but almost every non-computer guy I know has a sticker on his webcam and most of their social media accounts are private.

"cultural thing"

the feels bro...

please help me get out of here.. xD


Damn they keep finding these NSA loopholes for access :p

Details separate people.


I don't have that software installed so I don't caaaare, I love it! :P

Archangel (Desktop) CPU: i5 4590 GPU: Asus R9 280 3GB RAM: HyperX Beast 2x4GB PSU: SeaSonic S12G 750W Mobo: GA-H97m-HD3 Case: CM Silencio 650 Storage: 1 TB WD Red
Celestial (Laptop 1) CPU: i7 4720HQ GPU: GTX 860M 4GB RAM: 2x4GB SK Hynix DDR3 Storage: 250GB 850 EVO Model: Lenovo Y50-70
Seraph (Laptop 2) CPU: i7 6700HQ GPU: GTX 970M 3GB RAM: 2x8GB DDR4 Storage: 256GB Samsung 951 + 1TB Toshiba HDD Model: Asus GL502VT

Windows 10 is now MSX! - http://linustechtips.com/main/topic/440190-can-we-start-calling-windows-10/page-6


I have been trying to look into this more, without passing the barrier of my knowledge and not crossing the line of things that might be legally questionable.

Sadly the outcome didn't give any more insights into this or the way the breaches could be abused. As far as I know none of the companies has let out any official news yet regarding this; they might put out an official response once the issues have been solved or abused in such a way that it could endanger their whole ecosystem.

 

 

 

"cultural thing"

the feels bro...

please help me get out of here.. xD

 

Here in the Netherlands it's kinda the same way, a lot of non-tech-savvy people covered their laptop webcams since it became known how easily they can be abused by both governments and hackers.

 

 

Damn they keep finding these NSA loopholes for access :p

 

It's unknown if these loopholes are or have been used by the NSA, the possibility of it being that way is actually quite big considering the possible size of this, if it would have reached official channels.

 

 

I don't have that software installed so I don't caaaare, I love it! :P

 

Most of the time I would think the same way, but considering that nearly every school, office, company or whatever decently sized corp runs Dell systems most of the time, this threat could be more serious and increase in danger when it stays under the radar.

May the light have your back and your ISO low.
