{{Short description|Computer software}} '''Absolute Home & Office''' (originally known as '''CompuTrace''', and '''LoJack for Laptops''') is a proprietary laptop theft recovery software (laptop tracking software). The persistent security features are built into the firmware of devices. ''Absolute Home & Office'' has services of an investigations and recovery team who partners with law enforcement agencies to return laptops to their owners.<ref>[http://www.absolute.com/en/resources/whitepapers/theft-report Theft Report White Papers] {{webarchive|url=https://web.archive.org/web/20130318211526/http://www.absolute.com/en/resources/whitepapers/theft-report |date=2013-03-18 }}. by Absolute Software</ref><ref>{{cite news | work = Forbes | title = Does LoJack For Laptops Work? | author = David A. Andelman | date = 2005-08-19 | url = https://www.forbes.com/technology/2005/08/19/digilife-lojack-laotops-cx_daa_0819digilife.html | archive-url = https://web.archive.org/web/20051219090848/http://www.forbes.com/technology/2005/08/19/digilife-lojack-laotops-cx_daa_0819digilife.html | url-status = dead | archive-date = December 19, 2005 }}</ref><ref>[http://techworld.com/security/news/index.cfm?newsID=11882&pagtype=all LoJack foils laptop theft], ''Techworld.com''</ref><ref>{{cite web|url=https://www.pcmag.com/article2/0,2817,2387275,00.asp|title=LoJack for Laptops Software Review by PCMag.com|date=2011-06-21}}</ref> Absolute Security licensed the name LoJack from the vehicle recovery service LoJack in 2005.<ref>{{cite news| title = LoJack licenses technology to track stolen computers| url = http://www.bizjournals.com/boston/stories/2005/06/27/daily5.html| publisher = Boston Business Journal| date = June 27, 2005| accessdate = 2009-04-10 }}</ref>

Analysis of ''Absolute Home & Office'' (LoJack) by Kaspersky Lab shows that in rare cases, the software was preactivated without user authorization. The software agent behaves like a rootkit, reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute Security's servers via the internet. This installer is vulnerable to certain local attacks,<ref name=securelist-2014>[https://securelist.com/absolute-computrace-revisited/58278/ Absolute Computrace Revisited] / SecureList, Vitaly Kamluk, February 12, 2014.</ref><ref name="Ortega">{{cite conference | url = https://www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf | title = Deactivate the Rootkit: Attacks on BIOS anti-theft technologies | last = Ortega | first = Alfredo | last2 = Sacco | first2= Anibal | date = 2009-07-24 | conference = Black Hat USA 2009 | conference-url = https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html | publisher = Core Security Technologies | accessdate = 2014-06-12 | type = PDF | location = Boston, MA }}</ref> and attacks from hackers who can control network communications of the victim.<ref name="Kamluk14">{{cite conference | url = https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf | title = Absolute Backdoor Revisited | last = Kamlyuk | first = Vitaliy | last2 = Belov | first2 = Sergey | last3 = Sacco | first3= Anibal | date = August 2014 | conference = Black Hat USA 2014 | conference-url = https://www.blackhat.com/us-14/ | accessdate = 2015-01-27 | type = PDF | location = Las Vegas }}</ref>

==Functionality== Once installed, the ''Absolute Home & Office'' agent makes itself persistent by making an initial call to the "Monitoring Center".<ref name="Kamluk14"/> The software may be updated by modules, downloaded from a command server.<ref name="Kamluk14"/> Subsequent contact occurs daily, checking to ensure the agent remains installed and provides detailed data such as location, user, software, and hardware.

If the device is stolen the owner is able to contact the company. Then, the next time the protected device connects to the internet, it switches to theft mode and accelerates Monitoring Center communication. The Investigations and Recovery team forensically mine the computer using key captures, registry and file scanning, geolocation, and other investigative techniques. The team works with local law enforcement to recover the protected device, and provides police with evidence to pursue criminal charges. In the event of theft, a user can log into their online account to remotely lock the computer or delete sensitive files to avoid identity theft.<ref>[https://www.zdnet.com/article/how-to-keep-your-laptop-from-being-stolen/ How to keep your laptop from being stolen] - by Andrew Nusca for The ToyBox, February 26, 2009</ref>

''Absolute Home & Office'' comes preinstalled in some Acer, Asus, Fujitsu, Panasonic, Toshiba, Dell, HP and Lenovo machines.<ref>[http://www.absolute.com/en/partners/bios-compatibility.aspx Absolute Software, Partner: BIOS Compatibility], ''absolute.com''</ref> Apple, unlike some other PC manufacturers, does not allow the software to be installed in the BIOS.<ref>{{cite web |url=http://store.apple.com/us/question/answers/product/TS294LL/A?pqid=QAHCAFA27C7TYA9UFXUDDJYKJKDCXJFDU |title=How can loJack be effective, if i have a password.... someone steals my laptop, they can't login to connect to the internet |accessdate=2012-06-18 |archive-url=https://web.archive.org/web/20120118195300/http://store.apple.com/us/question/answers/product/TS294LL/A?pqid=QAHCAFA27C7TYA9UFXUDDJYKJKDCXJFDU |archive-date=2012-01-18 |url-status=dead }}</ref> Absolute Home & Office can be installed on Apple computers, but it will be stored on the hard drive instead of the BIOS. If the hard drive is replaced or reformatted, the software will be lost.

The BIOS service is disabled by default and can be enabled by purchasing a license for ''Absolute Home & Office''; upon being enabled, the BIOS will copy a downloader agent named <code>rpcnetp.exe</code> from the BIOS flash ROM to the ''System32'' folder on Windows systems. On some Toshiba laptops, <code>rpcnetp.exe</code> is factory-preinstalled by Toshiba on the unit's hard drive. In turn, <code>rpcnetp.exe</code> will download the full agent software and install the <code>rpcnet.exe</code> Windows service. From then on, <code>rpcnet.exe</code> will phone home to ''Absolute Security'' servers once a day, querying for a possible theft report, and transmitting the results of a system scan, IP address, user- and machine names and location data, which it obtains either by tapping the GPS data stream on machines equipped with GPS hardware, or by triangulating available WLAN access points in the vicinity, by providing WLAN IDs and signal strengths so ''Absolute Security'' servers can geolocate the device using the Mexens Technology data base.{{Citation needed|date=April 2010}} If ''Absolute Security'' receives a theft report, the service can be remotely commanded to phone home every 15 minutes, install additional 3rd party vendor software, such as a key logger or a forensic package, make screenshots, and various other actions.

''Absolute Home & Office'' also supports Intel's ''AT-p'' anti-theft protection scheme. If it is unable to phone home within a configurable time interval it will require a special BIOS password upon the next reboot. It can be configured to shut down the machine's power supply immediately in this case, to force a reboot.

===Persistence=== The persistence module, installed as part of system BIOS/UEFI, detects when the ''Absolute Home & Office'' software has been removed. It ensures the software is automatically reinstalled even if the hard drive is replaced, or the firmware is flashed. ''Absolute Security'' partners with many original equipment manufacturers to embed this technology in the firmware of computers, netbooks, smartphones, and tablets by Acer, ASUS, Dell, Fujitsu, HP, Lenovo, Motion, Panasonic, Samsung and Toshiba.<ref>[https://www.bloomberg.com/news/2013-04-15/absolute-ceo-says-growth-to-accelerate-after-samsung-win.html Absolute CEO Says Growth to Accelerate After Samsung Win] / Bloomberg, by Hugo Miller - April 15, 2013</ref>

== Vulnerabilities == The ''Absolute Home & Office'' client has trojan and rootkit-like behavior, but some of its modules have been whitelisted by several antivirus vendors.<ref name=securelist-2014/><ref name="Kamluk14"/>

At the Black Hat Briefings conference in 2009, researchers showed that the implementation of the Computrace/LoJack agent embedded in the BIOS has vulnerabilities and that this "available control of the anti-theft agent allows a highly dangerous form of BIOS-enhanced rootkit that can bypass all chipset or installation restrictions and reutilize many existing features offered in this kind of software."<ref>{{Cite web | last = Sacco | first = Anibal |author2=Alfredo Ortéga | title = Deactivate the Rootkit | work = Exploiting Stuff | accessdate = 2009-10-06 | url = http://exploiting.wordpress.com/2009/09/11/138/ }}</ref><ref>{{Cite news |last=Robertson |first=Jordan |title=Anti-theft software could create security hole |work=The Associated Press |accessdate=2009-08-06 |url=https://www.google.com/hostednews/ap/article/ALeqM5gDEcxr3CSkM0RlVSqVzNWlccf6XwD99P33N82 |archive-url=https://web.archive.org/web/20090808013039/http://www.google.com/hostednews/ap/article/ALeqM5gDEcxr3CSkM0RlVSqVzNWlccf6XwD99P33N82 |url-status=dead |archive-date=2009-08-08 }}</ref><ref>{{Cite web | last = Sacco | first = Anibal | author2 = Alfredo Ortéga | title = Deactivate the Rootkit | work = Black Hat Briefings | accessdate = 2009-08-06 | url = http://www.coresecurity.com/content/Deactivate-the-Rootkit | archive-url = https://web.archive.org/web/20110708193041/http://www.coresecurity.com/content/Deactivate-the-Rootkit | archive-date = 2011-07-08 | url-status = dead }}</ref> ''Absolute Security'' rejected the claims made in the research, stating that "the presence of the Computrace module in no way weakens the security of the BIOS". Another independent analyst confirmed the flaws, noted that a malware hijacking attack would be a "highly exotic one", and suggested that the larger concern was that savvy thieves could disable the phone home feature.<ref>{{Cite news | title = Absolute Software downplays BIOS rootkit claims | work = ZDNet | accessdate = 2009-08-20 | url = http://blogs.zdnet.com/security/?p=3936 | archive-url = https://web.archive.org/web/20121014052719/http://www.zdnet.com/blog/security/absolute-software-downplays-bios-rootkit-claims/3936 | archive-date = 2012-10-14 }}</ref> Later, Core Security Technologies proved the researcher's finding by making publicly available several proofs of concept, videos, and utilities on its webpage.<ref>{{Cite web | last = Sacco | first = Anibal |author2=Alfredo Ortéga | title = Deactivate the Rootkit | work = Core Security Technologies | accessdate = 2009-09-08 | url = http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Deactivate_the_Rootkit }}</ref>

Local and remote exploitation of the first stage CompuTrace agent, which is used to install the full version after activation or reinstallation of the operating system, was demonstrated at BlackHat USA 2014. This dropper agent is whitelisted by several antivirus vendors and can be used to set up some local attacks, for example to download and install software from different servers.<ref name="Kamluk14"/> ESET discovered a first attack in the wild with a rootkit called LoJax that infected vulnerable LoJack configurations.<ref>[https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group], ''WeLiveSecurity'' by ESET, 2018-09-27</ref>

==See also== *Prey (software)

==References== {{reflist|30em}}

==External links== * [http://www.pcworld.com/article/2023756/12-security-resolutions-for-2013.html 11 Security Resolutions for 2013] / PCWorld ** [http://www.pcworld.com/article/251719/how_to_protect_your_laptop.html How to Protect Your Laptop] / PCWorld * [http://mobileoffice.about.com/od/mobilesecurity/a/lojack-for-laptops-track-and-recover-a-stolen-laptop.htm Recover a Stolen Laptop with Anti-Theft Software] {{Webarchive|url=https://web.archive.org/web/20130511182458/http://mobileoffice.about.com/od/mobilesecurity/a/lojack-for-laptops-track-and-recover-a-stolen-laptop.htm |date=2013-05-11 }} / About.com * [https://www.usatoday.com/story/travel/2012/12/18/new-last-minute-gifts-for-business-travelers/1776373/ New last-minute gifts for business travelers] / USA Today * [http://thinkwiki.de/Computrace CompuTrace] at ThinkWiki {{in lang|de}} * [http://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-backdoor-2/107700 Millions of PCs Affected by Mysterious Computrace Backdoor] / Threatpost, 2014-08-11

{{DEFAULTSORT:Absolute Home and Office}} Category:Laptops Category:Security software Category:Emergency management software