Late last year, Duo Labs, the security research team of Duo Security, purchased a stack of OEM (Original Equipment Manufacturer) laptops to see how secure they were. Some problems immediately jumped out at us, like the eDellRoot issue, but a few other issues took a bit more sorting through.
I took a look at the network traffic by sniffing the laptops as they were first booted, and then again once they were configured. The idea was to judge how secure the laptops were based on their network traffic and network presence.
Spoiler alert - from a network perspective, the laptops I looked at were kind of a mess.
Our Findings: Laptop Security & Privacy
Normally, we would just find the flaws, report them to the vendor, and release this paper after patching was complete and everyone was safe. But in this case, we found issues that would not necessarily meet the criteria of a vulnerability report.
The main takeaways include:
- Many of the privacy issues found affected all of the laptops. Some were more serious than others, but all laptops had issues.
- Network protocol-related security issues affected all laptops, starting from as soon as the laptop appeared on the network during initial boot.
- After Patch Tuesday updates, many privacy settings that were adjusted were reset to their default settings - without any notification to the end user.
- The lone OEM Microsoft Signature Edition model was more desirable since it contains less bolted-on and unneeded software, resulting in less of the questionable traffic.
- One particular finding: McAfee is using web bugs that can be used to track and serve advertising to users. In our opinion, this is the only purpose these web bugs serve. In addition, it is against security best practices to trust third-party sites and allow them to load content. It puts users at risk and benefits only the vendor and advertisers.
Some of the issues were so glaring we felt compelled to provide tips on securing these laptops. Download our paper (PDF) for a full technical explanation of our security research and what you can do to minimize the impact of those results.
Real-World Impact: Security Concerns & Attack Scenarios
The main attack scenario to consider is not the new laptop user at home - at least from a network perspective - but, rather, when that new laptop user grabs their fresh purchase and heads out the door to the coffee shop, the hotel on a trip, the favorite restaurant chain with “free Wi-Fi,” and so on.
Default laptop settings and protocols make it easier for an attacker to sniff, grab, view and redirect the unsuspecting laptop user’s traffic for illicit purposes. Attackers can steal online bank account passwords, view company data and more due to default firewall settings and services that are exposed on the network.
This is just powering it up - good hygiene like using strong passwords and two-factor authentication, regular patching, and safe web surfing habits is not even being discussed in this scenario.
Default Settings Compromise Privacy
There are a lot of new features in Windows 8 and 10 that collect data about the user and laptop. Some of that data is uploaded to Microsoft and OEM vendor servers. On Windows 8, there are five screens of privacy settings, and on Windows 10 there are thirteen.
All of them are on by default. Many of the applications and services connected to these privacy settings start phoning home as soon as the laptop is connected to a network, before you are logged in. For anyone concerned about privacy, it would be ideal to have a chance to opt out - particularly when it’s not obvious that the collection and uploading of data is even happening.
Turning them off seems like it would be a straightforward process, but in some cases it requires either a service to be disabled or registry keys to be created or adjusted. So, an average user either wouldn't know how to do it, wouldn't think to do it, or both.
Additionally, when some of these applications and services get updated on Patch Tuesday, they revert to their default settings - without warning. This means every Patch Tuesday you will have to be in the habit of checking those privacy settings to ensure they stay off.
Data Collection Privacy Concerns
Encrypted network traffic was not examined, although after some investigation it was possible to tell at least the type of data being transmitted back to a Microsoft or OEM vendor server. It might give one comfort to know that virtually all privacy-related data was encrypted before transmission, but the data is still being collected nonetheless.
I understand the desire of the vendors to collect data to improve their products; I would just prefer to not be opted in without consent, particularly after I've adjusted the privacy settings with the explicit intent to stop data collection.
For the inexperienced beginner, the paper may seem rather daunting, but for your average IT person, this should be fairly easy to follow and understand. And let's face it, every one of us who "computers" for a living has become the de facto help desk for the nerd-challenged family and friends who get a new laptop, and we were probably asked to "make it secure from the various evils you keep going on about", so this one's for you.
Is the laptop safe enough to take to a hacker conference? Well, it won’t be low-hanging fruit if you complete the mitigation steps, but I’d still consider it at risk in extremely hostile environments.
This is a laptop running Microsoft Windows and a blog post about risks and turning off the really crazy stuff, not a hardening guide. That being said, I’d be a lot more confident handing the laptop back to your tech-challenged friend if the steps from the Detailed Mitigation Instructions section of the paper are taken.
At least from a network perspective, things will be a lot better before they pack up that laptop and head to the nearest coffee shop with public Wi-Fi.
Download the full technical paper (PDF) for detailed mitigation instructions, including how to adjust Windows 8 and 10 privacy and security settings:
- Removing McAfee and setting up Windows Defender
- Adjusting firewalls to stop the transmission of data
- Disabling settings for Windows privacy
- Disabling and deleting OEM apps that gather data
And how to configure advanced security settings, including:
- Disabling LLMNR, Smart Multi-Homed Name Resolution, WPAD, Teredo Tunneling and ISATAP
- Other low-level privacy setting adjustments
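Because the post notes that settings revert after Patch Tuesday, a repeatable check is worth more than a one-time fix. The PowerShell script below is an added example, not from the Duo Labs paper: it audits whether the LLMNR, Smart Multi-Homed Name Resolution, WPAD, Teredo and ISATAP mitigations are still in place. It assumes the standard DNS Client Group Policy registry values and treats a disabled WinHttpAutoProxySvc service as the WPAD check, which is one common approach rather than the paper's exact procedure.

```powershell
# Added example (not from the Duo Labs paper): re-run after each Patch Tuesday to
# catch network-protocol mitigations that have quietly reverted to defaults.
# Assumes: DNS Client policy registry values (standard Group Policy locations) and
# the WinHttpAutoProxySvc service as the WPAD control. Requires PowerShell 5+.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Label)
    $actual = $null
    if (Test-Path $Path) {
        $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    if ($actual -ne $Expected) {
        $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
        $findings.Add("$Label not disabled: $Path\$Name = $shown (expected $Expected)")
    }
}

$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# LLMNR: EnableMulticast = 0 turns off link-local multicast name resolution
Test-RegValue -Path $dnsPolicy -Name 'EnableMulticast' -Expected 0 -Label 'LLMNR'
# Smart Multi-Homed Name Resolution: DisableSmartNameResolution = 1 turns it off
Test-RegValue -Path $dnsPolicy -Name 'DisableSmartNameResolution' -Expected 1 `
    -Label 'Smart Multi-Homed Name Resolution'

# WPAD: the WinHTTP Web Proxy Auto-Discovery service should be disabled and stopped
$wpad = Get-Service -Name 'WinHttpAutoProxySvc' -ErrorAction SilentlyContinue
if ($wpad -and ($wpad.StartType -ne 'Disabled' -or $wpad.Status -eq 'Running')) {
    $findings.Add("WPAD service WinHttpAutoProxySvc is $($wpad.StartType)/$($wpad.Status) (expected Disabled/Stopped)")
}

# Teredo and ISATAP tunnelling: netsh prints 'disabled' in its state output when off
foreach ($iface in 'teredo', 'isatap') {
    $state = (netsh interface $iface show state) -join ' '
    if ($state -notmatch 'disabled') {
        $findings.Add("$iface tunnelling is not disabled: $state")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked mitigations are still in place.'
    exit 0
}
$findings | ForEach-Object { Write-Output "REVERTED: $_" }
exit 1
```

Run it from an elevated prompt so the netsh and service queries return complete state; a non-zero exit code makes it easy to wire into a scheduled task that alerts when something has reverted.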