September 19, 2009 10:00 AM PDT

LogMeIn can control some PCs, even when off

by Rafe Needleman

During a recent talk with LogMeIn CEO Michael Simon, I learned about the company's new LogMeIn Central dashboard for IT managers, designed to help them keep tabs on thousands of computers at a time.

I also heard about the new version of virtual network service Hamachi, which makes it a competitor to standard (and expensive) virtual private-networking products in the enterprise.

We chuckled a bit about the version of LogMeIn that's embedded in the dashboard of some Ford F150 pickup trucks, so their owners can remotely control their office PCs. And I heard about a LogMeIn technology, just now reaching the market, that enables not just remote diagnostics of computers but also access to data on the hard drives of PCs that are turned completely off. Gulp.

That last technology, part of Intel's VPro system architecture, has just started to ship in a few new PCs. It's designed for corporate networks so that support personnel can get into a machine--to run a backup, for example--regardless of whether it's running Windows, has crashed into a blue screen, or has been shut down. As long as the PC is plugged into the wall and to an Ethernet connection, the computer, even though in an off state, will continue to draw a small amount of power (about 4 watts) while it monitors the network for control packets.

The technology is getting built into motherboards using the Q45 support chipset. Only a few corporate desktops use this technology, in particular HP's DC 7900 and Lenovo's ThinkCentre M58 lines.

Simon told me that the technology does not provide a wide-open backdoor. There are security protocols. The user has to agree to use the technology, and like all LogMeIn remote-control products, remote access isn't possible unless the computer's owner agrees to it. And in many ways, it is similar to current remote-access products that rely on "Wake-on-LAN" packets to power up a PC so it can then be controlled remotely. The difference here is of degree.

And I don't worry about this in the enterprise. If you're using a computer provided to you by your company, it is owned by your company, not you. If your employer wants to get your data or mess with your work, it does not need a tool like this to do so. This technology just gives IT pros more capabilities, and it sounds like a very useful tool.

Even for home users, in most cases, this won't be a problem, mostly because VPro PCs aren't marketed to home users. But assuming that they were, the VPro protocols still specify that the user must consent to remote access each time someone wants to use it.

So let's say Dell sells me a computer, and it crashes. I am happy to have Dell customer support see what's going on during a phone call. It might save everyone the annoyance and expense of a repair visit or the need to ship the computer back to Dell for examination.

Michael Simon, LogMeIn's CEO

(Credit: Rafe Needleman/CNET)

What I am concerned about are VPro home computers for which remote control is preconfigured by a seller. A machine sold by an unscrupulous builder. A used computer sold via eBay or Craigslist by someone bent on identity theft. The opportunities for crime here are just too great to ignore.

And it's LogMeIn's exceptionally robust connection technology that makes it all the more so. Unlike Wake-on-LAN technologies and other remote-control products, LogMeIn is very good at connecting to a computer, no matter how far away it is on the Internet or how deep behind firewalls it is. It's robust--and secure in the hands of its users--but it's a scary tool, if the wrong people get into it.

Simon did say that perhaps this technology needs a protocol that specifies that whenever it's used, whether it's been configured for unattended access or not, it "drops a receipt on the desktop" so the computer's owner can see it when he or she turns the machine on.

That's a start. I'd recommend disabling this feature entirely. And to be fair, computers with this capability come with remote access turned off in the BIOS by default. But chances are that crimes over VPro, if any are committed, will be against people who simply don't know that this kind of access is possible.

Other LogMeIn representatives also took pains to remind me that this capability can be used to fight crime as well: a computer that had been stolen could be remotely wiped of data, for example, even if it's powered down. Also, there are no consumer desktops yet with this BIOS-level support for remote access.

I have been a big fan of LogMeIn's free remote-control product for years, and I have never heard of any security breaches due to a technical issue with the company's products. Furthermore, I congratulate Simon for landing this deal with Intel. Nice move. But I think that my relationship with this capable maker of remote-access and network utility services just got more complicated. I am going to try very hard to avoid VPro products, if they start to proliferate in the consumer market.

Alternatives include switching to AMD-powered computers or unplugging a VPro PC when not using it, which would be a ridiculous hassle. I know it seems crazy and paranoid, but if "off" doesn't really mean "off" anymore, we do have to be more careful.

Rafe Needleman writes about start-ups, new technologies, and Web 2.0 products, as editor of CNET's Webware.
by MyRightEye September 19, 2009 10:28 AM PDT
Well I WAS going to download their iPhone app, but not anymore.
by rafe September 19, 2009 10:54 AM PDT
I would still do it. It's pretty cool. I use LMI on my home PCs and Macs and still love it. The iPhone app is expensive but very functional.
by satchev September 19, 2009 6:32 PM PDT
It is ridiculous to base your decision to get the iPhone app on this article.
1) the hardware required is ONLY on Intel-based systems that are just now being delivered to corporate customers
2) the iPhone app does NOT provide remote access to your iPhone
by CraigC2000 September 19, 2009 9:43 PM PDT
So, because Intel has built in the ability to remotely connect to a business level PC, you are going to protest software companies that support the technology that corporate users would specifically go out of their way to purchase, but would not in any way affect your PC - and you're going to protest it by not getting an app that also has nothing to do with this feature? This feature is extremely beneficial to those of us in corporate IT, and it needs to be specifically enabled at a BIOS level as well as a software level. If someone has that level of access to your computer, the least of your worries is legitimate remote access software.

Not that anyone really cares, but if you're so offended, your false outrage would be better directed at Intel, since they are the ones building the technology into the hardware. There are dozens of ways to access it once it's enabled, so picking one of them seems arbitrary and simply ignorant, especially since the software that will be built to surreptitiously steal your data would not be using LogMeIn anyway.
by jaguar717 September 19, 2009 10:50 AM PDT
So the main concern is that this is more reliable than wake-on-LAN, which has been around for years and years?

Then again, before now we didn't have legislation to give the Pres "emergency control" over anything on the internet.
by gggg sssss September 21, 2009 5:57 PM PDT
Runs over HTTP, so hidden from firewalls.
by Goodbye Helicopter September 19, 2009 10:54 AM PDT
There's always a way in.
They'll never tell you themselves about holes, man.
by Ryan_Phx September 19, 2009 11:51 AM PDT
If the computer is plugged directly into the wall, I can see where unplugging might be a hassle. But if it's plugged into a power strip, turning off the strip would cut all power to the plugs, and would be just as good as unplugging, with a lot less hassle.
by SergeM256 September 19, 2009 2:07 PM PDT
Only if it is a desktop; a laptop is always "plugged on" to battery. Removing the battery from a laptop sounds kind of extreme. I don't know how many people are still using traditional desktops at home; I switched to a laptop a couple of years ago.
by z386 September 19, 2009 6:27 PM PDT
If you turn off a laptop - as opposed to just shutting the lid - wouldn't it turn off the power to WiFi and any means to communicate with the computer?

I have my Airport plugged into a power strip. It takes just a few seconds to power on.
by gggg sssss September 21, 2009 5:57 PM PDT
Unplugging the little blue LAN wire is even easier.
by ucansellvoip September 19, 2009 12:26 PM PDT
It all comes down to risk vs. reward. Servers have had RAC (remote access control) cards for years. If you'd rather be less productive in the name of security then you must have some top secret stuff, so it's a no go, you pay more for slower response times to fix your system. However, if you have a support staff who can be more productive using the technology, and save more money by increasing the company's overall productivity (down systems mean no work gets done) you have to make a decision. If it's supporting a workstation that houses no data (which no station should on a corporate network) it's a no-brainer. As a vendor of an MSP this is great progress, and at least the discussion is there. If you get screwed by an IT vendor, sue 'em. If they are any good they'll have insurance to protect from that.
by TWHL September 19, 2009 1:10 PM PDT
Maybe I'm missing something here. Are you saying that the only real difference between using the current logmein, which is arguably secure, and this new update is the ability to connect when the computer is off? Is the security the same? If so, I am unclear why you have a problem with that. Do you really turn your computers off for security?

As long as Intel does this right with security firmly in mind from the beginning, it frankly seems like a small issue. If I am not mistaken, most successful computer penetration attacks are phishing attacks and social engineering. Well, and the use of extremely weak passwords. That being the case, this is close to a non issue. They could mandate password complexity to deal with that problem.
by pentest September 20, 2009 3:17 PM PDT
Most? I don't know the exact percentage, maybe 75%.

Drive-bys are still possible on Vista and 7, and always have been on XP.

All this does is broaden your attack surface, always a foolish thing to do. You have to find a balance between usability and security, this looks like it tips the balance in the wrong direction.
by santuccie September 21, 2009 11:41 AM PDT
@pentest:

'Drive-bys are still possible on Vista and 7, and always have been on XP.'
How possible? Do you have any links to articles of something like this happening since IE8? I rather doubt it. You're still comparing your platform to an eight-year-old operating system that was released before drive-by downloads existed. When Microsoft learned about it, they did something about it. That's why you can surf the Web with impunity on Vista, and W7 as well. Sorry to bust your bubble, but science trumps religion here.
by damiandennison September 19, 2009 3:40 PM PDT
I like the idea, I think as long as it is as secure as their current products or even more secure then all should be fine.

My only problem is if Intel will only allow one company to provide this type of service.
by explodingzebras September 19, 2009 8:02 PM PDT
The only way something can access the hard drive is with the machine turned on, the standby voltage is not enough to power a hard drive, you'd have to have a little embedded PC-on-a-card to achieve that.
by tech_crazy September 20, 2009 1:42 AM PDT
You are thinking in the conventional way. With this BIOS-level feature, the PC (screen etc.) can be off while the BIOS can enable (power up) the HD to access it.

On a different note, wouldn't unplugging the internet connection defeat this?
by z386 September 20, 2009 7:10 AM PDT
@tech_crazy
I think data can be transferred over the powerline. Unplugging the internet connection wouldn't stop that.
by Rad1calEn1gma September 20, 2009 10:08 AM PDT
@z386
you're kidding, right?
by z386 September 20, 2009 10:58 AM PDT
@Rad1calEn1gma
No, not kidding.
http://www.sciencedaily.com/releases/2005/01/050106105340.htm
http://en.wikipedia.org/wiki/Power_line_communication
by pentest September 20, 2009 3:18 PM PDT
z386

Yeah, it is possible, but not with a system that does not use it. Unless you think you can use the power lines to access any machine. LOL
by z386 September 20, 2009 4:44 PM PDT
@pentest
First, I'm no expert on BPL so LOL if you wish.
However, I've read that power companies are already using the power lines to read meters so some general communication via power lines is already taking place. While delivery of broadband over power lines seems to be having difficulties getting off the ground I don't see how it is possible to deny the possibility of security breaches via the power grid. However, if that is totally impossible I'm certain you will set me straight.
by rafe September 20, 2009 10:13 PM PDT
@Z386 While powerline networking technology is out there (I've used it in my home), the technology covered in this story does not use it. Unplugging *either* the power cable or the Ethernet cord would disable the capability for remote access when the PC is off.
by z386 September 20, 2009 11:59 PM PDT
Rafe,
Thank you for the clarification.
by newsho September 23, 2009 9:34 AM PDT
I thought powerline data technology had to have special equipment plugged in the power socket to use for data. (It's not available in my area.) Surely data can't travel through a power supply in a PC or laptop. What inside a computer would put data on one of the voltage rails?
by September 20, 2009 4:32 AM PDT
Wow, this has to be the most ignorant article I've read in years... This isn't big brother or a security loophole. It's managed services hardware set that's primarily used with programs like Altiris. That LogMeIn uses it is nothing malicious. For the record it has been around for at least 2-3 years, starting with Intel's Q965 chipset.

Such paranoia is funny/pathetic. Hey, my DVR dials home and records shows even when it's powered down. OH NO, I guess I'll stop using it because off doesn't mean off anymore... Get a grip.
by pjk0 September 20, 2009 3:38 PM PDT
I don't think the article is paranoid.

The difference between "LogMeIn", "GoToMyPC" and other similar remote-access systems compared to something like PCAnywhere or RemoteDesktop is that they are designed to circumvent traditional network security by initiating the communication from INSIDE the trusted network instead of from outside. This is how they get around NAT and the usual "default block everything from Untrusted to Trusted" and "default allow everything from Trusted to Untrusted". (Which is how probably 98% of all home networks are configured right now.)

That's why people are not typically prepared for something that potentially allows external entities access to one's private machines, with or without consent, whether or not they are powered-up.

Presumably what this BIOS-level implementation does is A) keep the NIC powered up, B) install a rudimentary BIOS-level IP stack, C) use that connectivity to initiate an "always on" connection from the "powered off" PC to one or more external LogMeIn hosts, thus D) then allowing anyone with the required LogMeIn credentials to gain complete control over the PC.

The reason it's more insidious than "WakeOnLAN" is because it is very difficult to send a WOL wakeup command over the internet to a host behind a NAT or firewall, unless you have some sort of proxy or relay host you already have access to on the trusted side of that network.
by rafe September 20, 2009 10:14 PM PDT
Thank you.
by Seething Ganglia September 20, 2009 6:00 PM PDT
This is just another reason why I build my own systems out of raw parts.
by gggg sssss September 21, 2009 6:01 PM PDT
Most Intel motherboards and most NICs have Wake-on-LAN.
by September 21, 2009 5:11 AM PDT
Interesting article, and I want to install LogMeIn software.
by Random_Walk September 21, 2009 6:58 AM PDT
Err, a couple of things:

1) I never shut my Mac off... don't need or want to
2) I use ssh to hit it up, and have the appropriate firewall settings to patch it through

But, to answer your premise, if you're that worried about getting hit with the computer off, unplug the thing, or just turn WoL off in your BIOS.
by jamartin76 September 21, 2009 11:01 AM PDT
The scenario they are talking about is this.
1) Bad guy buys computer with this capability and turns it on giving him access
2) Bad guy sells/gives computer to unsuspecting victim
3) Bad guy logs in during the middle of the night and harvests whatever interesting data he can find
by Dalkorian September 21, 2009 12:45 PM PDT
I see the risk there, but it seems like an awful amount of effort for little gain (whatever interesting data he can find on that one machine, which will have interesting data on a handful of people at best).
by santuccie September 22, 2009 11:34 AM PDT
I don't see this happening at all, really. Doesn't mean it won't happen, but criminals would have to be desperate to go there. The thing about LogMeIn is that the owner could be alerted by the startup sound, and check his computer to see it on, with the mouse pointer moving around and opening files. I have a few customers connected to LogMeIn whose machines are always on, but I would never try and exploit them for two reasons: 1) it's wrong, which is reason enough alone for me 2) I'd be risking my business and reputation.
by Hokulea September 21, 2009 12:50 PM PDT
Regarding security, a simple solution would be to use a smart power strip that automatically turns off when your desktop computer is shut down. This can be used to shut down just your modem, while leaving your LAN router on, or to shut down all network equipment.

There's an interesting story on PC World about a guy that used LogMeIn to recover his stolen laptops. Since he had his laptop set up to auto logon without requiring a password, the new "owner" was able to power up and get online. By using LogMeIn, the real owner was able to track down the location of the laptop which led to its recovery by the local police.

PC World, "An Amazing Laptop Recovery Story", Todd R. Weiss, Sept 16, 2009
by gggg sssss September 21, 2009 5:55 PM PDT
Wake-on-LAN has been around since the 486. You just found out?
by robert180197 September 22, 2009 3:24 AM PDT
Since this is low power, why couldn't a person use the back-up (on-board battery) power to enter the PC even if it was unplugged? They may not be able to look at the hard drive, but it could be used by a cracker to modify the BIOS to allow them access when the computer was powered up, before the operating system started. You would never know.
by TV James September 22, 2009 8:35 AM PDT
The most useful and relevant (and newsy) article news.com has had in quite a while. Thanks!
by stewt1982 September 22, 2009 9:06 AM PDT
Is LogMeIn ever thinking of reducing prices on the Rescue version? I mean, they keep adding new features but the price is just ridiculous. I had to switch to a service called Techinline (http://www.techinline.com) which is not as fully-featured (no one is) but is more than enough to support my customers at a fraction of the cost. I heard LMI's investors are convincing them to abandon the Free version, which I am sure will happen sooner or later.
by choicefresh September 28, 2009 2:00 PM PDT
> What I am concerned about are VPro home computers for which remote control is preconfigured by a seller. A machine sold by an unscrupulous builder. A used computer sold via eBay or Craigslist by someone bent on identity theft. The opportunities for crime here are just too great to ignore.

If you buy a laptop not from the manufacturer, there's always a chance of a hardware keylogger installed, which could do basically the same thing in the long run.
About Rafe's Radar

Rafe Needleman has been reviewing technology products and businesses since 1988. Formerly editor-in-chief of Byte Magazine, and author of the Catch of the Day column for Red Herring, he's interviewed thousands of tech execs. For this blog he talks to entrepreneurs and start-up CEOs to explore the strategies behind new technologies.
