X

Unbox your laptop, and say hello to security risks

Laptops from five popular PC makers all contained security vulnerabilities right out of the box, according to an investigation by Duo Labs.

Carrie Mihalcik Former Managing Editor / News
Carrie was a managing editor at CNET focused on breaking and trending news. She'd been reporting and editing for more than a decade, including at the National Journal and Current TV.
Expertise Breaking News, Technology Credentials
  • Carrie has lived on both coasts and can definitively say that Chesapeake Bay blue crabs are the best.
Carrie Mihalcik
3 min read

Powering up a new laptop can be exhilarating. It can also be full of security risks.

gettyimages-527099781-hacking.jpg

Duo Labs looked for vulnerabilities in 10 laptops during its investigation.

Moment Editorial/Getty Images

Software update tools that are preinstalled on Acer, Asus, Dell, HP and Lenovo laptops all contained at least one critical security vulnerability that hackers could easily exploit, said Duo Labs, the research arm of Duo Security, in the results of an investigation published Tuesday. In total, Duo Labs uncovered 12 different OEM software vulnerabilities across all the computer makers.

OEM (original equipment manufacturer) software includes programs like product registration and 30-day free trials that come installed on a laptop right out of the box. They're often referred to as bloatware since they're largely unnecessary and weren't installed at the user's request. Not only is bloatware superfluous, it's often a weak link in the security chain, according to Duo Labs.

"The level of sophistication required to exploit most of the vulnerabilities we found is somewhere between that possessed by a coffee stain on the Duo lunch room floor and your average potted plant -- meaning, trivial," wrote Darren Kemp, a security researcher with Duo Labs, in a blog post Tuesday.

The Duo Labs investigation highlights the risk of unnecessary software. Programs that people have little use for -- or didn't know were there in the first place -- can easily become out-of-date, which opens them up to security vulnerabilities. PC vendors also failed to build basic security measures into these update tools, said the report. When this happens, bloatware goes from annoying to dangerous.

Here's the really bad news: There's little that laptop owners can do to protect themselves from the vulnerabilities created by these OEM update tools, Duo Labs said. What safeguards there are require significant time and effort: The research team recommended wiping any OEM system and reinstalling a bloatware-free copy of Windows and uninstalling any unnecessary software.

Duo Labs reported these vulnerabilities to the PC makers, which were selected because they are popular brands, and some have already been fixed. In many cases, consistent use of encryption in these OEM update tools would have made these vulnerabilities much more difficult to exploit, said Duo Labs.

HP has fixed the high-risk vulnerabilities, Duo Labs said, and Lenovo will be releasing an update to remove the vulnerable software from all its laptops. Lenovo worked "swiftly and closely with Duo Security to mitigate the issue and publish a security advisory," the company said in a statement. HP did not respond to CNET's request for comment.

Acer and Asus acknowledged the vulnerabilities, said Duo Labs, but have not released a fix yet. Asus did not respond to CNET's request for comment. On Thursday, Acer said it deployed an update to fix the problem.

"This update addresses the vulnerabilities that could allow unauthorized parties to potentially tamper with the software update files distributed to Acer customers," the company said in a statement. "We will continue to focus on the security and functionality of our software to deliver an enhanced customer experience."

Dell released an update fixing many of the issues before Duo Labs could report them.

"Customer security is a top priority for Dell," said a spokeswoman for the company. "Like Duo Security called out in the report, we fared comparatively well in their testing and continue to test our software to identify and fix outstanding vulnerabilities as we examine their findings more closely."

Update, 9:12 p.m. PT: Adds comment from Dell.
Update, June 1 at 8:35 a.m. PT: Adds comment from Lenovo.
Update, June 2 at 11:30 a.m. PT: Adds comment from Acer.