Unhackable Netbooks Given To Students

Where would be the best place to test out an unhackable netbook? The NSW Department of Education in Australia thinks that college is perfect. They plan on distributing netbooks preloaded with Windows 7 and iTunes. The netbooks also have BIOS-level tracking and security, allowing them to be remotely shut down on command. With 20,000 of these in circulation, we would think that we’ll see someone proving the “unhackable” statement wrong. We can only hope.

[via slashdot]

285 thoughts on “Unhackable Netbooks Given To Students”

  1. @roar.

    And how about the onboard GPS/GSM home call? One could assume that would be wired to hardware and from other sources replacing or altering parts from the machine make the start up sequence fizzle.

    Was this just assumption or did you actually do this? If you actually did this please post more notes.

  2. I have one of these laptops and a few people have gotten suspended for ‘hacking’ them. They made it so that you can’t open .exe files but all you do is run as admin, it’s really stupid and you can take apart the laptop with screwdrivers and lots of people have been doing. stupid school

  3. I heard last week that some kid had their home PC shut down remotely (to what extent “shut down” means I am unsure) using the tracking system. They had taken the HDD out and plugged it into their home PC.

    Several of these netbooks are reporting themselves to be Dells as well, since kids have plugged them into other machines :)

  4. They have remote self-destruct (as far as EEPROM is concerned – software side erasure) if the machine does not have certain data on the hard disk. This happens regardless of HDD partitioning scheme or installed OS. As soon as you connect to the internet, boom – dead. To do anything with these, you have to replace the BIOS and remove the tracking system.

  5. @jonathan: nah post the admin username and password to an anonymous blog or simply to pastebin, or even just here for all to see. Give power back to all the poor school kids.

    @Boeing: it really sounds like they are using a group policy. Just disable it via running gpedit.msc as an administrator.

  6. good job hacking mate
    i am one of the yr9 students that received this laptop
    i can assure you the laptop is NOT unhackable
    the laptop is supposed to restrict me from running any .exe files but i run it anyway
    simply right click and run as admin
    that unblocks any program

  7. It’s not unhackable, nothing is.
    It is VERY easy to hack them.
    When you start it up it said that it has a tracking device in it from DET but they’re most likely just saying that ay..

  8. I pulled one of these apart. All you need is a small flat headed screw driver (2.4mm and a 1.4mm do the job). I found the RFID under the wrist rest. It reads ARIZON #### Powered by ALIEN H2 on the sticker. I saw no evidence of GPS/GPRS, although there was a slot for a sim card on the mainboard, next to a chip labeled ENE.

    The comments from the owner were that it was so locked down it was useless. He had tried to install a simple program with no luck. I managed to install it by right clicking and selecting run as administrator, and installing it to his user folder. Then the program wouldn’t run, so I right clicked again and ran as administrator and the program ran fine… Not once did it ask for credentials.

    The tracing software seems to be a service, and the remote disable a vbs script located in C:\Program Files\Absolute Software Inc\Computrace\

    ctmstop.vbs – contents:

    Set WshShell = CreateObject("WScript.Shell")
    Call WshShell.Run ("rpcnet -r", ,true)

    ctmdela.vbs – contents:

    Dim CommandString
    Set WshShell = CreateObject("WScript.Shell")
    CommandString = "rpcnet "
    CommandString = CommandString & Session.Property("CustomActionData")
    Call WshShell.Run (CommandString ,0 ,true)

    I managed to get a beta of win7 freshly installed on the netbook, however the bios flash was unsuccessful, with the message: “BIOS IS NOT FLASHABLE, ERROR CODE: -144”

  9. @anony mouse

    You can probably force flash with just a key combination… I’m sure if you search it you’ll find the combination, heck if you called their company tech support I’m positive they will give it to you, just tell them your nerdsquad working, haha, no one asks questions nowadays

  10. @anony mouse

    Try browsing the internet and see how long it takes for the system to kill itself. Apparently something hardware-level bricks itself if connected to the internet and not running computrace.

    Let me know.

    M

  11. Worked fine for a few hours. I seriously doubt there is any gps in the laptop and think that it is more likely to be the software that bricks the laptop on the original OS install. Maybe it triggers a rpc in the bios to stop it from starting. I imagine there would be a key combo when you start a bricked netbook to reset the bios. As for the tracking, you can do a lot with an IP address of the internet connection when someone powers up the original software to see if it works before they wipe it. But it would only do something after it was reported stolen.

  12. @anony mouse
    yeah, see?

    I don’t know what you mean by the software bricking the laptop… you said you wiped & installed a different OS… where’s the software?

    From what I know, the laptop has a custom BIOS that looks for certain data on the hard disk (I don’t know where) and will brick if there’s anything different on the HD. So:
    1) Find out what data it looks for.
    2) Install a different OS.
    3) Add whatever it looks for to the hard disk.
    4) Go… :)

    OR

    Flash the BIOS (somehow – try an EEPROM programmer rather than software. or physically swap it out.)

    I might set up a wiki/forum for this stuff. Sound good?

  13. A wiki would indeed be useful.

    How did you get yours confiscated? I’d like to do a few things (get that POS iTunes and the McAfee blacklister off and unlock foreign EXEs) without being detected, not interested in an OS reinstall.

  14. Haven’t tried it on one of those netbooks yet, but this might work: Run cmd.exe as administrator (apparently doing so doesn’t ask for credentials), then use Task Manager to kill explorer.exe and cmd.exe to respawn it with admin privileges.

  15. Not a bad plan, but the local admin account on the laptops doesn’t actually have admin rights, oddly enough. For example, running control.exe as admin or a .mmc or .msc management element gives a permissions error.

    Let me know if you find different, though.

  16. yea, the local admin does have admin rights. But running as admin doesn’t run as the local admin, it just elevates privileges slightly.
    I hacked it in first period, and it got taken last period. The domain account I used to enable the local admin in cmd (net user administrator /active:yes) was logged by the DET, and my school got notified almost immediately. Another way it’s been done has been by removing the hard drive and modifying the group policy and bluecoat from there, but you have 20 minutes before the DET sim card sends out a little check beacon. If it doesn’t detect a Hard drive in that 20 minute interval, then you are screwed :) Keep working on it guys!

  17. Anything you know about what they do/don’t log and when (while connected to NSWDET at school vs. disconnected from net at home) would be useful. And once you’ve enabled local admin, how are you logging into it? Blanking the password seems like it’d be detected too easily.

  18. Aaaa there was this great forum, uploaded hacks and all but some dumbass reported it to our TSO and the creator got suspended. Right now, the only thing worth hacking would be disabling the blue coat proxy at home only; my home computer is screwed and it’s such a pain in the ass using phproxy to research. I’ve got a theory but is there any way we could emulate the NSWDET wireless so that the proxy server would detect it and automatically disable itself?

  19. Look into IP-over-DNS. Works well on non-DET laptops and school computers, worth testing on the laptops. However, on the laptops there is both filtering from the DET proxy (which is connected through via a VPN connection from the laptop) and on laptop-side software… which you’ll have to disable *somehow*. Let me know if you get anywhere.

  20. So i’ve got QEMU working with Debian, what can I do next? Any way to get the admin password via linux without force reset etc.?
    I visited their default gateway and got an eeeery message telling me it was my “last chance” or something.
    I’ve also looked into Bluecoat and apparently the logs are stored in Documents and Settings, which just so happens to be blocked. If there’s any way I can access those folders, say through linux to my windows partition, I should be able to edit the logs and maybe get CMD working at SYSTEM level.
    But how?

  21. Which, upon further research, means that the kids who get to keep these after they finish school will be locked out of their machines after half a year, because it requires reactivation from the DET’s KMS server every 180 days. Ouch.

  22. Any source for them changing the key after Yr12? I know they turn most of the locks off but there really doesn’t seem to be a point of installing with KMS keys in the first place if they’re just going to replace them with MAKs later. Unless they’re going to be giving each kid their own retail key.

  23. Hey there guys :D
    Man these laptops are so hackable LOL
    Hacked it without taking out the HDD ^^
    Just to let you guys know that there IS a domain administrator account in one of the start up scripts located here:
    \\DETNSW.WIN\

    You can only access that area when you’re connected to the school net.

    Also guys, thought i would include some things about the laptop :)
    1. The software used to filter out websites is Blue Coat Proxyclient which runs on a whitelist which is located in:
    C:\Program Files\Blue Coat\Proxy Client\ProxyClientConfig.xml

    If you wish to download this file to see it for yourself, knock yourself out!:
    https://update.bluecoat.det.nsw.edu.au:8084/proxyclient/ProxyClientConfig.xml

    Please note that you can only download this file through the school internet.

    2. These laptops are managed by the DET via Group Policy which automatically updates at 11am every school day while you’re connected to the school network. There is no way to disable this unless you remove yourself from the domain whilst you’re administrator.

    3. If you try to install a fresh OS of anything, the laptop will automatically be disabled and a message will be shown as something along the lines of this:
    The laptop image has been modified. Please contact your TSO

    I’m sure that it isn’t worded like that, but it’s something along the lines of that.

    4. Your laptop will get disabled if you create a new administrator account (i’m not sure exactly how it works) and a message will come up in an internet explorer window when you try to login to an account that will be something like this:
    Anomalies have been detected in this laptop. Please see your TSO

    There is temporary way to fix this but it’s really troublesome.. Boot in to safe mode, log in to the domain administrator account, open up msconfig, disable all computrace shit (rpcnet.exe or something), reboot and you’ll be fine :D

    Also, the sim card and the rumoured gps chip (if there is one) aren’t used in any way by the DET. The sim card is simply used by Lenovo for updates. It even says so in the manual. The way that DET go abouts disabling the laptop is through the internet. If you don’t connect to the internet, you’re fine.

    I have also heard (quite a while ago) that something called SCCM has been implemented in to the laptops, to make sure that there aren’t any prohibited things in them. Things they are looking out for are pirated movies and such.

    Principals in the school have A LOT of power with the laptops. They can track where the laptops are in the school, and what user account you are logged in with. They have the list of laptops and who they’re assigned to, if they’re loaned, handed out, or disabled. If you are on administrator and the principal is watching this, they KNOW you are and you’ll get busted.

    I posted this info here to inform all you year 9s out there, and to hack the laptop at your own risk. People have been automatically suspended for this, and i think i’ll be one of the next victims. Also posted this for the people who are curious about what this laptop is made out of :)

    Hope this post helped. Cya guys

  24. Thanks er… anonymous, I’ll add this to the wiki (http://breakout.ath.cx/wiki). If you change the config file, of course, it’s overwritten by the server. Modifying the hosts file to point a locally run lighttpd with the file in the correct location may resolve this.

    I should say, though, that in our school at least, the principal does little to monitor the laptops… the TSO however, does. Personally, I’d avoid using the domain admin because even if it’s not noticed live, it IS logged on Active Directory (Our TSO monitors these logs) such that any use of the account can be traced to the laptop, and the owner. Thanks for your contribution, if you could post the configuration file to the wiki that would be brilliant.

  25. @Pharoah
    I believe there’s an OEM key associated with each laptop, as with your average PC. If this is right, I imagine they’d restore them to the state that they arrived in from Lenovo.
    Thoughts?

  26. Yeah, that’d work.

    I find it ironic that even as the government issues warnings against using Internet Explorer students are considered to be ‘hacking’ if they install anything else. I assume taking the virus-disguised-as-media-player iTunes would be quickly reported and ‘repaired’ by the group policy.

    You mention that creating a new administrator triggers detection, what about using the pre-existing (but disabled) local admin?

  27. ummm…im getting this laptop this year and its way harder to hack!!
    u cant just take out the screws and modify the hardware cuz the screws are part of a circuit !!if one goes circuit stops alerts DET via gps !!
    BOOM!! blocked!
    there r stuff u can do in the software itself
    run as admin
    u can use ultra surf if u open port 9666!!

  28. Damn Kids now-a-days, not willing to risk anything. I would have had this little baby popped three ways from sunday by end of first period.
    Oh you can’t do blah cause they will send a magic message via a one way medium such as GPS. Please grow some, then come back to the internet.
    Microsoft and every other IT vendor in the world knows it, physical access trumps all security measures.
    Grab the local admin hash then use pass the hash to admin other kids laptops.
    Write your own local policy and set it to block inheritance of the group policy from the domain.
    Build a cheap Faraday cage, or go somewhere that has no mobile and gps signal and then pop it open.
    If the screws are used to complete a circuit drop a washer around them, or simply remove the battery there probably isn’t enough power in the CMOS battery to do all that wiring, even if there is when they drag you up for opening what your parents have essentially paid for and they question your inquisitiveness you can yell 1981, and book burning all in one.
    This comment thread needs to die, people who have enough guts to hack have their Wiki, people who are too chicken to pickup a screw driver for fear of taking out one of their eyes can go back to studying for an exciting life as a tax agent.

  29. @Anon only a true newfag calls someone else a newfag let me guess been on the internets all of about a year, since mummy and daddy gave you a crapple, you found a certain chan website and hack-a-day and that makes you 1337.

  30. @oldhacker you’re probably just some faggot who thinks he’s all too pro. If you’re so 1337 then why did you want follow up mails? If you’re really that awesome then why bother posting then? Pfft ‘oldhacker’ only tryhards would name themselves that. I better back away before you hack my ass

  31. Yes it does trigger a warning sent to the DET if you enable it from within Windows. That’s why you put a copy of Hiren’s, Bart’s or any Linux distro you like onto a USB stick and do it from there.

    “S1RollOutV1”

  32. Anon: you do realise this is HACK a day not whiny little bitch a day. I was simply complaining about the “The fuckin reaper” and xeriok whining. But of course you had to butt in and be the biggest whiner of them all.
    I have been hardware hacking for 30 years, and yes software hacking for probably 20, but I don’t consider myself all that good, I am old and a hacker so the name is I believe very apt. You chose Anon either as you are a try hard wanna be linking yourself to a group you probably only found out about last week, or are too unimaginative to think of a self descriptive nickname.

  33. OK EVERYBODY…CALM DOWN, I AM HERE.
    To tell you that there is currently a server which has been set up as an alternate proxy for these things…The connection speed is quite good and it’s possible to access all websites from it. It’s called Moopsnet or something similar. Look it up on youtube

    And ALL OF YOU WHINEY BITCHES HAVING A CATFIGHT, TAKE IT SOMEWHERE ELSE, AND IF YOU ALL DECIDE TO ACTUALLY GROW A PAIR, GO AND HAVE A PHYSICAL FIGHT YOU BUNCH OF PUSSIES. NOBODY WANTS TO SEE YOU THROW YOUR NERDY SHIT JOKES AT EACH OTHER. ITS PEOPLE LIKE YOU THAT CONVINCE NON-DIGITALLY LITERATE PEOPLE THAT WE ARE A GROUP OF FUCKED UP SOCIAL OUTCASTS. PLEASE, OLDHACKER, ANON, AND ANY OTHER LOSERS ON THIS THREAD TO HATE ON SOMEONE ELSE. DO US ALL A FAVOUR AND GET FUCKED!

  34. And oldhacker you cocky little piece of dogshit. You think you would’ve had this hacked in one night? So did I. And I did. And I got caught. Until you actually see what you’re dealing with, don’t start making your bullshit claims.
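
Comments 16 and 23 above report two changes that got laptops flagged: enabling the built-in local Administrator account and creating a new administrator account. The sketch below is an added example, not code from the post, the commenters or the DET, showing how an administrator can detect both from Windows Security events (4720 account created, 4722 account enabled, 4732 member added to a local group). The event records are constructed, and how the DET actually detected these changes is not stated on the page.

```python
# Added example: detection logic over constructed Windows Security events.
# Event IDs: 4720 = account created, 4722 = account enabled,
# 4732 = member added to a security-enabled local group.
ADMINISTRATORS_SID = "S-1-5-32-544"   # built-in local Administrators group
BUILTIN_ADMIN_RID = "-500"            # RID of the built-in Administrator account

# Constructed sample records (not taken from any real system).
SAMPLE_EVENTS = [
    {"EventID": 4722, "Computer": "NB-0001", "SubjectUserName": "student1",
     "TargetUserName": "Administrator",
     "TargetSid": "S-1-5-21-1111-2222-3333-500"},
    {"EventID": 4720, "Computer": "NB-0002", "SubjectUserName": "student2",
     "TargetUserName": "helper", "TargetSid": "S-1-5-21-4444-5555-6666-1005"},
    {"EventID": 4732, "Computer": "NB-0002", "SubjectUserName": "student2",
     "TargetSid": ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-4444-5555-6666-1005"},
    {"EventID": 4722, "Computer": "NB-0003", "SubjectUserName": "tso",
     "TargetUserName": "guestlab", "TargetSid": "S-1-5-21-7777-8888-9999-1010"},
    {"EventID": 4732, "Computer": "NB-0003", "SubjectUserName": "tso",
     "TargetSid": "S-1-5-32-545",  # Users group, not Administrators
     "MemberSid": "S-1-5-21-7777-8888-9999-1010"},
]

def flag_admin_changes(events):
    """Return (computer, rule, actor, account_sid) tuples for risky changes."""
    alerts = []
    created = set()  # (computer, sid) pairs seen in 4720 events
    for ev in events:
        host, actor = ev["Computer"], ev["SubjectUserName"]
        if ev["EventID"] == 4720:
            created.add((host, ev["TargetSid"]))
        elif ev["EventID"] == 4722 and ev["TargetSid"].endswith(BUILTIN_ADMIN_RID):
            # The built-in Administrator always has RID 500, whatever it is renamed to.
            alerts.append((host, "builtin-admin-enabled", actor, ev["TargetSid"]))
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            member = ev["MemberSid"]
            rule = ("new-account-made-admin" if (host, member) in created
                    else "account-added-to-admins")
            alerts.append((host, rule, actor, member))
    return alerts

if __name__ == "__main__":
    for alert in flag_admin_changes(SAMPLE_EVENTS):
        print(alert)
```

Matching on the SID rather than the account name keeps the rule working when the Administrator account has been renamed; these events are only written when account-management auditing is enabled on the machine.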
