Full Disclosure mailing list archives
Breaking Computrace LoJack Part II
From: <obnoxious () hush com>
Date: Sat, 7 Jan 2006 09:42:35 -0800


Breaking Computrace's LoJack Part II

After my first hurried document, I figured I'd offer some follow-up
information. An employee from Absolute.com contacted my employer
rambling on about me being misinformed on their product. The
employee from Absolute was more than likely a salesman as he
couldn't answer technical questions, so I requested that he send me
information about my laptop since he was "concerned" that it had
not "phoned home". Yet he was stating it had "phoned home" and
Absolute was still able to track my machine.

One thing this person stated was that "my machine was still calling
in, but not updating their database with information on the state
of my machine to their front end, but the back end was still
working". Meaning, although my machine was not phoning home, it was
phoning home. After a quick chuckle I reiterated that if this
were the case - that my machine was still contacting his company - he
should be able to provide me with the information my machine was
supposedly sending. After I received his response I sent off a
detailed e-mail calling his bluff.

According to the staff at Absolute.com, my machine had called in
yesterday (January 06th 2006) morning at 9:45am. They even provided
me with an IP address. I was shocked and ready to throw in the
towel at that point, but decided to respond right back to them.

Firstly, on January 06th 2006, my machine was powered down.
Secondly, it was not physically plugged into any network. Thirdly,
Troppix was running on the machine and the CD was still in its
drive. Now I wondered what a marvelous feat it would be for 1)
Absolute to create a kinetic-based program to power up my machine
at will. Such a great feat would bring them millions in revenue
from people seeking to conserve money on power. I then thought it even
neater of them to have the ability to connect my machine to a
network without my knowledge. Zeroconf (www.zeroconf.org) must have
sped up production and given rights to Absolute or something.
Almost lastly would be the fact that they've ported Windows
executables and DLLs over to Linux.

If that wasn't enough of a slap in the face, Absolute graciously
provided me with what they labeled an IP address. The address they
gave me was 485819880. So I wondered: 1CF505E8?
00011100111101010000010111101000? What kind of crap are they giving
me? If that's a decimal IP that would place me at
That would mean that my machine was "phoning home" from a
"Department of Defense" network, which would probably make me a
terrorist. Now I informed Absolute that I have a static address at
home, this I could verify with my company's syslog server as well
as 4 other (non company) servers which could provide them with my
IP address if they wanted it for verification purposes. Surely a
provider wouldn't pull Absolute's chain and give them false
information so any claims by Absolute of me "fabricating my IP
address" would be an insult.

[root () imposter security]# echo 485819880 | trans.pl
[root () imposter security]#

[root () imposter security]# whois -h whois.arin.net
[Querying whois.arin.net]

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange: -
NetName:    DSI-NORTH2
NetHandle:  NET-28-0-0-0-1
NetType:    Direct Allocation
Comment:    ARPA DSI JPO
Comment:    7790 Science Applicationis Crt.,
Comment:    Vienna, VA 22183 US
RegDate:    1996-03-11
Updated:    2000-04-13

So now as it stands, Absolute has a kinetic, Zeroconf, password
cracking, interchangeable (Windows executable to Linux binary)
product capable of finding anyone anywhere on the planet. For those
wondering about the password cracking part, how else could it have
booted up Troppix and logged in - in order to send out information.

To be fair I decided to boot into Windows XP, turn on my firewall
and watch whatever tries to connect - to where and why. Sure enough
Internet Explorer was trying to send out information to a site that
just so happened to be owned by Absolute. Packet data anyone?

Protocol :              TCP
Local Address :
Local Port :            1596
Remote Name :           search.namequery.com
Remote Address :
Remote Port :           80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
        Destination:    00-09-5b-6d-a0-9c
        Source:         00-12-f0-44-4e-4b
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
                .1.. = Don't fragment: Set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 128
        Protocol: 0x6 (TCP - Transmission Control Protocol)
        Header checksum: 0xa878 (Correct)
Transmission Control Protocol (TCP)
        Source port: 1596
        Destination port: 80
        Sequence number: 3493489526
        Acknowledgment number: 0
        Header length: 28
                0... .... = Congestion Window Reduce (CWR): Not set
                .0.. .... = ECN-Echo: Not set
                ..0. .... = Urgent: Not set
                ...0 .... = Acknowledgment: Not set
                .... 0... = Push: Not set
                .... .0.. = Reset: Not set
                .... ..1. = Syn: Set
                .... ...0 = Fin: Not set
        Checksum: 0x1dfd (Correct)
        Data (0 Bytes)

Binary dump of the packet:
0000:  00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 | ..[m.....DNK..E.
0010:  00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 | .0~[@...x......5
0020:  71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 | q..<.P.:kv....p.
0030:  40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 | @.............na
0040:  6D 65 71 75 65 72 79 03 : 63 6F 6D 00             | mequery.com.

So what was the best thing to do? Block it via my firewall or play
with my hosts file:

echo 127.0.0.1 search.namequery.com >> C:\PATH\TO MY\HOSTS ...

Maybe I could have played with Absolute using Scapy

<Ether dst=00:09:5b:6d:a0:9c src=00:00:00:31:33:17 type=0x800 |<IP
 ihl=5L tos=0x6 len=67 id=1 flags= frag=0L ttl=255 proto=TCP
 src= dst= options='' |<TCP sport=1337
dport=80 seq=0L
 ack=0L dataofs=5L reserved=0L flags=S window=8192 chksum=0xbb39
 options=[] |<Raw load='POST /1DJ1TS' |>>>>

Perhaps change IP addressing every 5 minutes on a script, call them
and ask them "Can you hear me now..." ... "Can you hear me now..."


Now I'd really like to know what Absolute has to say about 1) their
miraculous methods of finding my machine even when it is booted
into Windows with me redirecting via my hosts file. I'd also like
to know why, if they were so concerned - as this salesperson's call
alluded to - he didn't mention the 3-4 other laptops in my
stable that haven't "phoned home".

Anyhow, the jury is out on this... Absolute has yet to respond
(once again). So for those from Absolute reading this (you've done
so before... Obviously in order to contact me at work) let it be
known, prior to the original writing being posted, and prior to
this one being sent, your company was notified.

J. Oquendo
"Please no tears no sympathy" -- VNV Nation Epicentre
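Added example, not part of the original post and not Absolute's or the author's tooling (the post's trans.pl is not shown, so nothing here is its code). The script below does the two decoding steps the post walks through: it turns the decimal value 485819880 that Absolute reported into dotted-quad form, and it parses the posted hex dump of the outbound SYN into Ethernet II / IPv4 / TCP fields, recomputing both checksums from the bytes. The dump is copied from the post; the header layout and checksum arithmetic are standard IPv4/TCP. Two things the decode shows that the sniffer output does not make obvious: the checksums it printed as 0xa878 and 0x1dfd are the on-the-wire bytes 78 A8 and FD 1D read in reversed byte order, and both verify against the packet; and the 14 bytes after the TCP options (the "namequery.com" fragment) lie past the IP total length of 48, so they are an Ethernet trailer rather than payload, consistent with the sniffer's "Data (0 Bytes)".

```python
"""Decode the evidence in the post: a decimal 'IP address' and a hex-dumped SYN.

Added example. POSTED_DUMP is the packet dump from the post with its ASCII
column stripped; everything else is plain RFC 791 / RFC 793 header parsing.
"""
import socket
import struct

# The decimal "IP address" Absolute reported, as stated in the post.
ABSOLUTE_DECIMAL = 485819880

# Hex dump of the outbound SYN, copied from the post (ASCII column dropped).
POSTED_DUMP = """
0000:  00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00
0010:  00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35
0020:  71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02
0030:  40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61
0040:  6D 65 71 75 65 72 79 03 : 63 6F 6D 00
"""


def decimal_to_dotted(value: int) -> str:
    """Render a 32-bit integer as dotted quad (the step the post's trans.pl did)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return socket.inet_ntoa(struct.pack("!I", value))


def parse_dump(dump: str) -> bytes:
    """Rebuild raw bytes from an 'offset:  xx xx ... : xx xx' style hex dump."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")          # drop the offset column
        for tok in rest.replace(":", " ").split():      # the mid-line ':' is a separator
            out.append(int(tok, 16))
    return bytes(out)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     ip_chk, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_hdr = ip[:ihl]
    # Header checksum is computed with its own field (bytes 10-11) zeroed.
    ip_chk_ok = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_chk
    # IP total length bounds the segment; bytes beyond it are an Ethernet trailer.
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     tcp_chk, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    # TCP checksum covers a pseudo-header (addresses, protocol, segment length).
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    tcp_zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    tcp_chk_ok = internet_checksum(pseudo + tcp_zeroed) == tcp_chk
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ip_id": ident, "ttl": ttl, "proto": proto, "ip_total_len": total_len,
        "ip_checksum": ip_chk, "ip_checksum_ok": ip_chk_ok,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp_header_len": data_offset, "flags": flags, "syn": bool(flags & 0x02),
        "window": window, "tcp_checksum": tcp_chk, "tcp_checksum_ok": tcp_chk_ok,
        "options": tcp[20:data_offset].hex(" "),
        "payload_len": len(tcp) - data_offset,
        "trailer_len": len(frame) - 14 - total_len,
    }


def analyse_posted_evidence() -> dict:
    """Decode the posted SYN and attach the dotted form of Absolute's number."""
    info = decode_frame(parse_dump(POSTED_DUMP))
    info["absolute_reported_ip"] = decimal_to_dotted(ABSOLUTE_DECIMAL)
    return info


if __name__ == "__main__":
    for key, val in analyse_posted_evidence().items():
        print(f"{key:>22}: {val}")
```

The same parser will take any dump in that "offset: xx xx : xx xx" layout, so it can be pointed at later captures of the same beacon; a failed checksum check is the first thing to look at if a dump was hand-edited or mis-copied.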


