We help IT Professionals succeed at work.

New podcast episode! Our very own Community Manager, Rob Jurd, gives his insight on the value of an online community. Listen Now!

x

Concerning anti-theft activation, what hardware is involved?

Tom Kimmel
Tom Kimmel asked
on
333 Views
Last Modified: 2017-04-05
Particulars: Optiplex 790, Intel i5, bought cheap, no hard drive, from a reseller, Tags indicating it was from the DC School System. I installed a hard drive working on a 780, wouldn't boot. Using a thumb I installed Ubuntu. again wouldn't boot. Tried other drives, same. Discovered Computrace was activated. Next mistake: Purchased a replacement motherboard. Made the swap and found Computrace activated. (!) Now I wonder whether a NEW motherboard might resolve the issue.
Or , Whether this firmware perfidy spreads to the firmware of attached hard drives. Do CPUs themselves become complicit? Is it possible or likely that attempted reuse of the affected hard drive might activate anti-theft modules on a NEW mother board?
My question is , Is this problem containable, or self containing? I understand the theory behind planned obsolescence, why Intel and Dell don't want these used computers inhibiting new sales, but wonder whether this isn't a vulnerability that could spread. Lots of news about this from Stuxnet on.
Am I safe buying a New Mother board?

As an epidmiologist I worry about weaponized anthrax as well. Come back.
Comment
Watch Question

JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
If there is hardware, it would be done via the TPM chip or TPM integration in the machine.

You should be able to use a new motherboard without issue. I sold two Windows 7 machines to a member here and the user is still successfully using them. I never enabled TPM.

What does technology like this have to do with anthrax? My guess is nothing.
Dr. KlahnPrincipal Software Engineer
CERTIFIED EXPERT

Commented:
Computrace is embedded in the machine's BIOS and activated as a BIOS option.  Once it's activated it can't be deactivated.  It is certainly remarkable that your second motherboard's BIOS also had Computrace activated, but not nearly an impossibility, since anyone with such a motherboard would want to be shed of it.

Computrace is a devil to get rid of as re-flashing the BIOS, clearing the BIOS settings and erasing the hard drive does not disable it.   The setting is stored in a non-volatile flash chip which would have to be replaced or specifically erased to disable the setting.

Even when starting from a clean Windows load, Computrace infects Windows.


The software agent behaves like rootkit (bootkit), reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute's servers via the internet.

So any drive that has been put in that machine is also infected, and should be erased and reloaded.

Computrace has been proven vulnerable to several back-door attacks by hackers.  It's like having a live backdoor virus you can't get rid of.

You can probably clear the issue if you buy a clean motherboard which has never had Computrace activated, and totally erase the hard drive, and start over again from a fully erased hard drive, and reload Windows from scratch.  But truthfully, I'd write the whole thing off as a bad learning experience, look for a different system, and never again buy anything that has Computrace even as a deactivated option.

I suppose that if one could determine the IP addresses and domain names of the Computrace servers it would be possible to load clean Windows sans internet, add rules to hosts to deny access to those domain names, put in Windows Firewall rules to exclude those IP addresses, and then connect the system to the internet, register, and update it.  Assuming, of course, that Computrace doesn't decide to do something nasty when it can't contact its servers, which is behavior I would not care to rely upon.  But it would still be lurking in the system.

Side note:  If any hard drive that was ever attached to the original system was used to boot from the replacement motherboard, it's plausible that Computrace infected the new motherboard by activating the BIOS option.  It's an obvious loophole that would be hard for the Computrace programmers to overlook.
Dr. KlahnPrincipal Software Engineer
CERTIFIED EXPERT

Commented:
Addendum:  Bertavision has a product that they claim eliminates Computrace.  I personally have my doubts, but now that you're stuck with the two motherboards, it may be worth a shot.  If the BIOS option showing Computrace is active reverts to "disabled" after applying this fix, it may in fact be a solution.

http://www.bertavision.com/Download.html
Retired
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2009
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Thank you. I did not understand that such remedy was available from the discussion segments I read.
I will call Absolute Software tomorrow and report whatever.
Again, thank you
Tom
Dr. KlahnPrincipal Software Engineer
CERTIFIED EXPERT

Commented:
From the research I've done so far (and thank you for bringing this to our attention; I was not previously aware that this thing exists) what Absolute can do is disable enforcement in the Windows software.

Computrace won't be removed, because it gets reinstalled automatically from the BIOS.  It won't be prevented from running, again due to the BIOS shoving it back in.  Once in, always in.  But they can disable the Windows disabler.  It won't return the BIOS to from-the-factory state with Computrace disabled; once set, it's permanently set.  Computrace will still be in the system and the system will still be infected.  But Windows should be able to run.
Gary CaseRetired
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2009
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Dr. KlahnPrincipal Software Engineer
CERTIFIED EXPERT

Commented:
I certainly hope so.  What a nasty thing to have hiding in a system.
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
As an epidemiologist you should know better than to base your hypothesis on such a small sample size!

This is how Trusted Platform Management works to protect business users and their data. Where did you source your replacement systemboard? If not new, chances are your seller wants to get rid of any stock that has it activated.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
since it concerns anti theft - it must be foolproof for wiping, and deleting; otherwise it does not do what it needs to do

Author

Commented:
Good point. I got the replacement MB from Discount Electronics in Austin. New ones are available. The tech at Discount Elect. assured me that a replacement board would serve.  I plan to let them know it was compromised as well.
From my perspective, after a career in Public Health and having done contact tracing for both SmallPox and Syphilis I felt infected, and wanted to track down the pathogen and is vector. Caviat emptor, indeed.

Is it so that firmware in the hard drives could have been infected, such that it would reactivate the module on a new motherboard?
I will call Absolute today and see if they are able and willing to release his machine. But as I contemplate this, I wonder whether I will have to reinstall the original motherboard. Obviously,  I have no experience with Trusted Management Platforms.
This thing is a proper tarbaby.
Cheers
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
i don't know the details - but will follow this up
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
Suspect you've two patients with similar symptoms which are serologically different. There's no contagion here the second board arrived already infected. Absolute have a specific "magic bullet" cure for the first but you'll need to reassemble it first.

Author

Commented:
Thanks, yeah, that's what I was afraid of.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Any health infection on the board is from the owner not the anti-theft devices.

If this is true, and you purchased used, throw them away and get a new board from a reputable seller. That is guaranteed to work.
Gary CaseRetired
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2009

Commented:
"... But as I contemplate this, I wonder whether I will have to reinstall the original motherboard. " ==>  I suspect you do indeed need to do this; as one of the things they'll ask you for is the serial #.    Shouldn't take more than 30 min or so to swap the boards, however -- and it seems pretty likely this will resolve your issue.    You should also be able to return the 2nd board you bought -- especially since it didn't work.

Author

Commented:
Thanks everyone. The problem  is resolved. although I am not sure how.  I did replace the original mother board. And I did call Compputrace, Absolute actually. Their automated system is state of the art. Maddening, that is. Their Abslute.com/express contact facility invited opening a case on line and I did. I was answered fairly promptly with assurances that my my machine, as identified by the Service Tag,  had been protected but was removed from protection in 2014.
Still a day later and after another installtion of Ubuntu 16.04.2, this time not reformatting the whole drive , It did install and boots directly.
 As expected the security setttings in BIOS still show Computrace active.
So I am not sure what happened.  Still,My problem is resolved.
Thank you all for your interest and advice.
I now believe that Computrace Activation is not a reason not to buy one of these TPM capable machines and my paranoia is somewhat relieved. I was suspicious that it was a tool enforcing planned obsolesence and as such malign. I still wonder why they were were replaced.
I am happy to know this forum exists, you have been helpful and encouraging. I am sorry that my experience is of so little or no use in definitively identifying the problem.
I mentioned that my career experience was in public health. I became aware of weaponized anthrax in the 1970's. Perhaps there is no analogy here, but I have wondered whether devices dependent on on firmware that might be sureptisciously overwritten, ie. routers and hard drives, was a new 'Thing'.
Perhaps not.
So,, Thanks again to all, and Cheers,
Tom Kimmel
Gary CaseRetired
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2009

Commented:
Glad it's resolved.   I suspect Absolute did SOMETHING that helped based on your case #, but hard to say for sure.    Does the BIOS now allow you to disable CompuTrace?

In any event, don't forget to close the question.

Author

Commented:
No, Sir, It does not. And it does seem to take a long time to boot. Before I close the discussion I will clock its load time compared to the 780 on which it is not activated and report the difference. Both systems boot Ubuntu, same version and neither have a SSD. If there remains a significant discrepancy, I cannot think what might be causing it other than the call home requirement of the TPM, active Computrace.

Also I don't know how to close the discussion. I'll look into that.
Again, Thanks. I'll bookmark Experts Exchange for consultation if I find myself boxed in in future.
Cheers, Tom
Gary CaseRetired
CERTIFIED EXPERT
Most Valuable Expert 2013
Top Expert 2009

Commented:
"... Also I don't know how to close the discussion " ==>  You simply click on one "Best Solution" and any additional "Assisted Solutions" that you want to give credit to.    Only you can decide which comments you found most helpful -- and that's what you should choose from.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.