A team of security researchers disclosed critical vulnerabilities in popular HP, Lenovo, Dell, Acer and Asus laptops, showing how exposed the consumer sector is to exploitation by malicious users.
The experts from Duo Security identified "bloatware" as one of the main culprits for the vulnerabilities, pointing out that the third-party software is not just unnecessary but also risky.
Duo Security tested 10 different laptops manufactured by companies such as Dell, HP, Acer, Lenovo and Asus, which are targeted at consumers in North America and the UK.
"Spoiler: we broke all of them (some worse than others)," Duo Security says.
It should be noted that every tested laptop came with bloatware and automatic updaters. The latter are tools put in place by OEMs to make it easier for consumers to update system drivers and the BIOS. However, the team discovered that each and every updater had serious security vulnerabilities.
IBTimes UK talked to Duo Security's director of security research Steve Manzuik and learned a thing or two about what average users can do to protect themselves.
"The end user can do very little to protect themselves from the vulnerabilities created by OEM update components," Manzuik notes.
He adds that a degree of technical knowledge and skill is required to address problems that appear in one's system. Knowing how to download and install software, for example, is an essential skill that people who aren't familiar with IT simply lack.
The researchers observed that the embedded updaters contact the manufacturers' servers to fetch updates every few days, weeks or months. This would all be fine and dandy, were it not for the lack of encryption.
Without encryption or integrity checks, an attacker positioned on the network path can tamper with the update packages in transit and slip in an inconspicuous file that can harm the system.
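The defence against that kind of tampering is for the updater to verify what it downloaded before running it. The following is an added illustration, not code from Duo Security or any of the OEMs named here: it assumes a hypothetical manifest format in which the vendor signs the package hash with an Ed25519 key whose public half is pinned inside the updater, and shows that both a modified payload and a rewritten manifest are rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update descriptor: the vendor
// signs the package name and digest with a key whose public half ships
// inside the updater, so an on-path attacker cannot forge it.
type Manifest struct {
	Name   string
	SHA256 string // hex digest of the expected payload
	Sig    []byte // ed25519 signature over Name + "\n" + SHA256
}

func manifestBytes(name, digest string) []byte {
	return []byte(name + "\n" + digest)
}

// SignManifest is what the vendor's build server would do; it is here only
// to construct sample data for the check below.
func SignManifest(priv ed25519.PrivateKey, name string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Name: name, SHA256: digest, Sig: ed25519.Sign(priv, manifestBytes(name, digest))}
}

// VerifyUpdate is the check a client must run on anything fetched over an
// untrusted channel: pinned-key signature first, then payload digest.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Name, m.SHA256), m.Sig) {
		return errors.New("manifest signature invalid: reject update")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest mismatch: package altered in transit")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("driver-installer (constructed sample bytes)")
	m := SignManifest(priv, "audio-driver", payload)
	fmt.Println("genuine:", VerifyUpdate(pub, m, payload))
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0xff
	fmt.Println("tampered payload:", VerifyUpdate(pub, m, tampered))
	forged := m // attacker rewrites the digest but cannot re-sign it
	sum := sha256.Sum256(tampered)
	forged.SHA256 = hex.EncodeToString(sum[:])
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, tampered))
}
```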
Darren Kemp, Duo Security researcher, explains that some companies almost got it right. He points out that Lenovo put a lot of effort into securing its updater, only to have a second process running in parallel that came with zero security features.
The study took place between October 2015 and April 2016, and Duo Security notified the manufacturers about their particular vulnerabilities. However, the type and quickness of response varied greatly.
According to Manzuik, Acer and Asus were the unpleasant surprises. The security analyst reports that in Asus' case "it literally took less than 10 minutes to attack the system using that vulnerability."
The company told Duo Security that it is working on a patch, but the security experts are still waiting to see it. Duo Security says that it informed Asus about the issue as early as three months ago.
On the other hand, Duo Security commends HP and Lenovo for handling the risks in their systems professionally. The two companies have dedicated departments that receive vulnerability reports and work on digital security. After the report, Lenovo pulled the plug on the unsafe updater software that was present in its laptops.
The security team encourages users to let go of all third-party bloatware that comes pre-loaded in the machines.
One scenario where these security weaknesses can wreak havoc is when people buy off-the-shelf laptops packed with bloatware and use them on corporate networks, increasing the exposure of the company as a whole.
Sometimes, companies go a bit out of their way so that updates are kept at bay. Read our coverage on Samsung disabling the automatic updates for Windows 10, which can also pose security risks.