ANN ARBOR — Duo Security, the Ann Arbor-based provider of cloud-based two-factor authentication technology, said this week that it has investigated software update tools spanning five vendors — Acer, Asus, Dell, Hewlett-Packard, and Lenovo — and identified and reported 12 vulnerabilities across all the vendors.
All vendors had at least one vulnerability that allowed for a complete compromise of the affected machine. Duo officials said attackers could easily exploit most of the vulnerabilities found in the full report with very little effort and at little to no cost.
The full report can be found at http://duo.sc/oemupdaters.
In many cases, Duo officials said, the consistent use of encryption would have made attacks much more difficult to exploit.
These vulnerabilities become a significant problem for companies whose employees are using their Acer, Asus, Dell, HP, or Lenovo laptops with default settings in the workplace.
The vulnerable devices open an entire organization up to an attack resulting in a data breach, according to Duo security researcher Darren Kemp.
“Security researchers have always known that consumer laptops sold in the big box stores were vulnerable to hackers,” Kemp said. “Vulnerabilities are present because these machines are loaded with third-party programs and bloatware that are not sufficiently reviewed for security. We were just surprised at how bad these add-ons made things once we began our investigation. For a system administrator, it’s a bit of a nightmare when these machines are used for business applications and to access company email. To protect an organization, policies need to be in place to block access to sensitive corporate data from vulnerable or risky devices.”
Duo Labs, the security research team at Duo Security, reported these vulnerabilities to all five vendors at least 90 days ago, which is the standard timeline given to vendors to fix a vulnerability before public disclosure. At this time, Hewlett-Packard has responded and fixed the high risk vulnerabilities. Acer and Asus have responded, but have not released their fix timelines yet. Lenovo removed the vulnerable software from their systems, effectively making those machines no longer vulnerable.
Duo Labs recommends that users fully disable updaters and remove all third-party components to be fully protected from these vulnerabilities. In addition, organizations should install basic security functions, such as two-factor authentication, to ensure users are who they say they are, and turn on encryption.
Duo Security’s customer base includes Dresser-Rand Group, Etsy, NASA, Facebook, K-Swiss, The Men’s Wearhouse, Paramount Pictures, Random House, Toyota, Twitter, Yelp, Zillow, and more. Try Duo’s security products free at www.duo.com.