Like many PC vendors, Asus ships computers with a utility that can download and install firmware updates. And last year hackers managed to create a version of that Asus Live Update utility with a backdoor that makes it possible to deliver malware to a user’s computer directly from Asus servers.
Security researchers at Kaspersky Lab identified the supply chain attack earlier this year, and were planning on discussing it in detail at a security conference next month, but released some information early due to reporting on the situation by Motherboard.
Asus, meanwhile, says that a fix for the problem has been released and that only a relatively small number of users were affected… although that last bit is up for debate.
Kaspersky has identified 57 thousand computers that had the backdoored version of Asus Live Update. But the company notes that the goal of the attack seems to have been to target a specific group of users based on the MAC addresses of their computers’ network adapters.
The security researchers identified more than 600 unique MAC addresses that were targeted — and that may be why Asus says “a small number of devices have been implanted with malicious code.”
But here’s the thing — Kaspersky says the number of MAC addresses targeted could be higher. And the number of computers with a backdoor in their firmware updating tool is almost certainly much higher.
Kaspersky’s 57-thousand figure is only for computers that are running Kaspersky security software. Most computers aren’t running that software, so the company estimates the real number of PCs with a backdoor could be as high as half a million.
According to Motherboard’s reporting, security company Symantec confirmed Kaspersky’s research and noted that at least 13 thousand more computers had a backdoored version of the update utility.
While some folks aren’t particularly impressed with the response from Asus, if you do have one of the company’s computers you should probably check out the Asus announcement for details on how to find out if your system is affected and/or how to make sure you have the latest (allegedly safe) version of Asus Live Update installed.
I’d like to think that all other makers that have a built-in update mechanism are double-checking their wares as we speak. Because, you know… they “take your security and privacy. Seriously”(TM).
I wonder if the governments of the world could agree on making malware distribution a capital offense.
There’s a good chance that a government was behind this one, so I’m going to go with… probably not.
Devious
Glad I don’t have Asus live installed on any of my PCs. My Android phone updates apps all the time… I wonder what would happen if malware was pushed as an update to a popular app? Or what if malware was inserted into an Ubuntu package update (one that usually runs as root).
I’m surprised if anything is malware-free these days.
The entire business models are pushing to have everyone have their wealth in digital currency (as in Banking, Payments, etc etc), yet, there is so much carelessness happening.
And in this era, your identity is just as important. So people stealing your details, then your passwords, via any route possible… leads to losing thousands of dollars from millions of people.
Yep. Marketing cart before security horse. Pushing fast iteration products out the door is the game, bugs and security holes be damned! That's modern marketing which is why China wins that game cuz they even faster and sleazier than we are.