TL;DR
This guide shows you how to remove the Computrace BIOS-level persistence agent (which behaves like a rootkit), how to find and remove a Host Protected Area (HPA) and securely erase a Solid State Drive (SSD) on a Linux system, and how to protect the SSD with your own full-disk encryption (LUKS). The firmware and drive steps come first because disk encryption cannot protect you from code that runs before the operating system.
Removing Computrace
Computrace (now sold by Absolute as Persistence) is an anti-theft agent whose loader ships inside the BIOS/UEFI firmware of many business laptops. It survives OS reinstalls and disk swaps and can reinstall its own agent on Windows, which is why it is treated as a BIOS rootkit. This guide's approach is to flash a clean BIOS image. Two caveats before you start: on most models the module is part of the vendor's own firmware image, so re-flashing the stock image can leave it in place, and most vendors instead expose a Computrace option in BIOS setup (typically Enabled / Disabled / Permanently Disabled) where the permanent-disable state cannot be undone. Check that option first; it is the supported way to stop the module. Warning: Incorrectly flashing the BIOS can brick your device. Proceed with extreme caution and only if you are comfortable with these risks.
- Identify Your BIOS Version: Use the command
sudo dmidecode -t bios
to find the manufacturer, version, and release date of your current BIOS. Save the output so you can compare it after flashing.
- Download Clean BIOS Image: Visit the laptop manufacturer's support site (e.g., Dell, HP, Lenovo) over HTTPS and download the latest BIOS image for your exact model. Verify any checksum or signature the vendor publishes, and do not use images redistributed by third parties.
- Create Bootable USB Drive: Vendor BIOS updaters come in two forms. If it is a bootable ISO, write it to a USB stick with Etcher or dd. If it is a single update file, format the stick as FAT32 (mkfs.vfat) and copy the file onto it so the firmware's built-in flasher can read it. Rufus does the same job on Windows.
- Boot into BIOS Flashing Utility: Restart your laptop and enter the BIOS setup (usually by pressing Del, F2, F10, or Esc during startup). Look for an option to flash the BIOS from a USB drive. The exact wording varies depending on the manufacturer.
- Flash the BIOS: Select the downloaded BIOS image from the USB drive and follow the on-screen instructions carefully. Keep the laptop on AC power and do not interrupt the process!
- Verify Removal: After flashing, reboot, run sudo dmidecode -t bios again to confirm the version actually changed, and check whether the Computrace entry is gone from the BIOS setup. You can also use tools like Computrace Check to confirm its removal. If the entry is still present after a successful flash, the module is part of the vendor image and only the permanent-disable setting will stop it.
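Before flashing, it is worth checking whether the downloaded image itself carries the Computrace module, since flashing such an image cannot remove it. The following script is an added example, not part of the original guide: it greps a firmware image for marker strings associated with the module and extracts the version field from saved dmidecode output so you can compare before and after. The marker list is an assumption (strings the module is commonly identified by, not an exhaustive or vendor-confirmed list), and the sample dmidecode text is constructed.

```shell
#!/bin/sh
# Added example: pre-flash check for Computrace markers and BIOS version compare.
# Usage: sh check_bios.sh path/to/vendor_bios_image.bin
set -eu

# Marker strings associated with the Computrace / Absolute module.
# This list is an assumption; false positives are possible, so inspect hits.
MARKERS="computrace lojack rpcnet"

# scan_image FILE -> prints the markers found (space separated), empty if none.
# grep -a treats the binary image as text, so no `strings` is needed.
scan_image() {
    image=$1
    found=""
    for m in $MARKERS; do
        if grep -aqi "$m" "$image"; then
            found="$found $m"
        fi
    done
    # shellcheck disable=SC2086
    echo $found
}

# image_is_clean FILE -> exit 0 when no marker was found, 1 otherwise.
image_is_clean() {
    [ -z "$(scan_image "$1")" ]
}

# bios_version "<saved output of: sudo dmidecode -t bios>" -> version string.
# Run before and after flashing and compare the two values.
bios_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Version:[[:space:]]*//p' | head -n 1
}

# Command-line use: report on the image given as first argument.
if [ -n "${1-}" ]; then
    if image_is_clean "$1"; then
        echo "$1: no Computrace markers found"
    else
        echo "$1: markers present:$(scan_image "$1")" >&2
        exit 1
    fi
fi
```

A hit does not prove the module is active, only that the image contains it; a clean result does not prove absence either, because the module can be packed or stored under other names. Treat the scan as a cheap first check, not a verdict.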
Wiping SSD HPA
The Host Protected Area (HPA) is an ATA feature that hides the tail end of a drive from the operating system; firmware or malware can use it to stash data that a normal format or wipe never touches. The related Device Configuration Overlay (DCO) can hide capacity in the same way. Both are ATA-only, as are the hdparm commands below, so they apply to SATA SSDs (/dev/sdX). An NVMe drive (/dev/nvme0n1) has neither HPA nor DCO and ignores ATA security commands; wipe it with nvme-cli instead (sudo nvme format /dev/nvme0n1 --ses=1 for a cryptographic erase, or sudo nvme sanitize). Do all of this from a live USB, never on the drive you booted from.
- Identify Your SSD: Use
lsblk
to list your block devices and identify your SSD (e.g., /dev/sda). Double-check the device name; every command below is destructive.
- Install hdparm: sudo apt install hdparm.
- Check for an HPA and DCO:
sudo hdparm -N /dev/sda
reports "max sectors = <visible>/<native>, HPA is enabled" or "HPA is disabled". If the two numbers differ, an HPA exists. Check for a DCO with sudo hdparm --dco-identify /dev/sda.
- Remove the HPA: Set the visible size back to the native maximum (the number after the slash). The p prefix makes the change permanent, and hdparm refuses to do this without its confirmation flag:
sudo hdparm --yes-i-know-what-i-am-doing -N p<native sectors> /dev/sda
Power-cycle the drive afterwards and re-check with hdparm -N. If a DCO hides capacity, sudo hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sda removes it.
- Secure Erase: ATA Secure Erase tells the drive firmware to erase every block it manages, including the HPA, remapped sectors and over-provisioned flash, which a host-side overwrite cannot reach. First run sudo hdparm -I /dev/sda and read the Security section: it must say "not frozen" (if it says "frozen", suspend and resume the laptop, or hot-plug the drive, and check again) and should say "not enabled" and "not locked". Set a temporary password, then erase with it (hdparm treats the literal NULL as an empty password):
sudo hdparm --user-master u --security-set-pass NULL /dev/sda
sudo hdparm --user-master u --security-erase NULL /dev/sda
- Enhanced Secure Erase (more thorough): If the Security section lists "supported: enhanced erase", use the enhanced variant instead of the plain one. It also covers previously reallocated sectors and, on self-encrypting drives, rotates the media key; it can take longer:
sudo hdparm --user-master u --security-erase-enhanced NULL /dev/sda
Never cut power during an erase; an interrupted erase can leave the drive locked with the temporary password.
- Verify Wipe: After the process completes, sudo hdparm -N /dev/sda should report HPA is disabled with both sector counts equal, and the Security section of sudo hdparm -I /dev/sda should be back to "not enabled" (a completed erase clears the temporary password). Spot-check that the start of the drive reads as zeros: sudo dd if=/dev/sda bs=1M count=1 | xxd | head.
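The order of the steps above matters (check for a frozen drive before setting a password, set a password before erasing, prefer the enhanced erase when supported), and getting it wrong can leave a drive locked. The script below is an added example, not part of the original guide: it parses hdparm -N and hdparm -I output and prints the exact command sequence for this drive as a dry run, refusing to proceed when the drive is frozen. The sample outputs in the test are constructed to match hdparm's formats; line layout of real hdparm output may differ slightly between versions, so the parser keys on the stable phrases.

```shell
#!/bin/sh
# Added example: derive a safe HPA-reset + secure-erase plan from hdparm output.
# Usage: sudo sh erase_plan.sh /dev/sda   (prints commands, runs none of them)
set -eu

# hpa_state "<hdparm -N output>" -> "enabled" or "disabled"
hpa_state() {
    visible=$(printf '%s\n' "$1" | sed -n 's|.*max sectors *= *\([0-9]*\)/\([0-9]*\).*|\1|p')
    native=$(printf '%s\n' "$1" | sed -n 's|.*max sectors *= *\([0-9]*\)/\([0-9]*\).*|\2|p')
    if [ -z "$visible" ] || [ -z "$native" ]; then
        echo unknown
        return 1
    fi
    if [ "$visible" -eq "$native" ]; then echo disabled; else echo enabled; fi
}

# native_sectors "<hdparm -N output>" -> the native (full) sector count
native_sectors() {
    printf '%s\n' "$1" | sed -n 's|.*max sectors *= *[0-9]*/\([0-9]*\).*|\1|p'
}

# security_flag "<hdparm -I output>" FLAG -> yes / no / unknown
# FLAG is one of: enabled locked frozen expired. Only the Security: section is read,
# so words elsewhere in the -I output (feature lists) cannot confuse it.
security_flag() {
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
    if printf '%s\n' "$sec" | grep -qE "^[[:space:]]*not[[:space:]]+$2"; then
        echo no
    elif printf '%s\n' "$sec" | grep -qE "^[[:space:]]*$2"; then
        echo yes
    else
        echo unknown
    fi
}

# enhanced_supported "<hdparm -I output>" -> exit 0 if enhanced erase is listed
enhanced_supported() {
    printf '%s\n' "$1" | grep -q 'supported: enhanced erase'
}

# plan DEV "<-N output>" "<-I output>" -> prints the commands to run, in order.
# Returns 1 (and stops) if the drive is frozen, since the erase would fail.
plan() {
    dev=$1; n_out=$2; i_out=$3
    if [ "$(hpa_state "$n_out")" = enabled ]; then
        echo "hdparm --yes-i-know-what-i-am-doing -N p$(native_sectors "$n_out") $dev"
    fi
    if [ "$(security_flag "$i_out" frozen)" = yes ]; then
        echo "# drive is frozen: suspend/resume or hot-plug it, then re-run hdparm -I"
        return 1
    fi
    if [ "$(security_flag "$i_out" enabled)" = yes ]; then
        echo "# security already enabled: the existing password is needed, not NULL"
    else
        echo "hdparm --user-master u --security-set-pass NULL $dev"
    fi
    if enhanced_supported "$i_out"; then
        echo "hdparm --user-master u --security-erase-enhanced NULL $dev"
    else
        echo "hdparm --user-master u --security-erase NULL $dev"
    fi
}

# Command-line use: read the live drive and print the plan (nothing is executed).
if [ -n "${1-}" ]; then
    plan "$1" "$(hdparm -N "$1")" "$(hdparm -I "$1")"
fi
```

Read the printed plan, then run the lines by hand with sudo; keeping the script read-only is deliberate, because the one thing you do not want automated is the moment a wrong device name meets a security-erase command.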
Protecting Your SSD with Custom Encryption
Full disk encryption protects your data at rest if the drive is lost or stolen. It does not protect against firmware that runs before the operating system, which is why the Computrace and HPA steps come first.
- LUKS Encryption: LUKS (Linux Unified Key Setup) is the standard on-disk format for dm-crypt; current cryptsetup defaults to LUKS2 with AES-XTS.
- Format the Drive: Replace /dev/nvme0n1 with your SSD's device name. Warning: This will erase all data on the drive! You cannot do this to the drive you booted from, so run it from a live USB. The passphrase is chosen here, and it is the only thing protecting the volume key, so make it long.
sudo cryptsetup luksFormat /dev/nvme0n1
- Back Up the Header: The LUKS header holds the encrypted volume key; if it is damaged the data is gone. Save a copy somewhere other than this drive.
sudo cryptsetup luksHeaderBackup /dev/nvme0n1 --header-backup-file luks-header.img
- Open the Encrypted Volume: Unlock it with the passphrase and give the mapping a name.
sudo cryptsetup luksOpen /dev/nvme0n1 myencryptedvolume
- Create Filesystem: Format the encrypted volume with your preferred filesystem (e.g., ext4).
sudo mkfs.ext4 /dev/mapper/myencryptedvolume
- Mount the Volume: Create a mount point and mount the volume.
sudo mkdir /mnt/myencryptedvolume
sudo mount /dev/mapper/myencryptedvolume /mnt/myencryptedvolume
- Automounting at Boot: Configure your system to unlock the encrypted volume during boot by adding a line to /etc/crypttab (mapping name, UUID=<LUKS UUID from sudo cryptsetup luksUUID /dev/nvme0n1>, key source, options) and a matching /dev/mapper entry to /etc/fstab. On an SSD, decide whether to add the discard option: it lets TRIM pass through to the drive, which keeps performance up but reveals which blocks are unused through the encryption layer. Consult a guide specific to your Linux distribution for the details (e.g., Arch Wiki, Ubuntu documentation), especially if the root filesystem is the one being encrypted, since that also requires regenerating the initramfs.
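The procedure above has two places where a practitioner wants guard rails: luksFormat against a device that is still mounted, and the hand-written crypttab and fstab lines. The script below is an added example, not part of the original guide: it wraps the steps in a dry-run-by-default function that refuses to touch a mounted device, backs up the LUKS header before the data goes on, and generates the two boot-time lines from the volume's UUID. The device, mapping name, mount point, mounts text and UUID used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: guarded LUKS setup plus crypttab/fstab line generation.
# Usage: sudo DO_IT=1 sh luks_setup.sh /dev/nvme0n1 myencryptedvolume /mnt/myencryptedvolume
# Without DO_IT=1 it only reports what it would do.
set -eu

# device_in_use DEV "<contents of /proc/mounts>" -> exit 0 if DEV or any
# partition of it (same path prefix, e.g. /dev/sda1 for /dev/sda) is mounted.
device_in_use() {
    dev=$1; mounts=$2
    printf '%s\n' "$mounts" | awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }'
}

# crypttab_line NAME UUID [discard] -> "<name> UUID=<uuid> none luks[,discard]"
# "none" means the passphrase is asked for at boot rather than read from a key file.
crypttab_line() {
    name=$1; uuid=$2; opts=luks
    if [ "${3-}" = discard ]; then
        opts="$opts,discard"   # pass TRIM through; trades some confidentiality for SSD health
    fi
    printf '%s UUID=%s none %s\n' "$name" "$uuid" "$opts"
}

# fstab_line NAME MOUNTPOINT [FSTYPE] -> "/dev/mapper/<name> <mnt> <fs> defaults 0 2"
fstab_line() {
    name=$1; mnt=$2; fs=${3-ext4}
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$name" "$mnt" "$fs"
}

# setup_luks DEV NAME MOUNTPOINT -> runs the page's procedure when DO_IT=1.
setup_luks() {
    dev=$1; name=$2; mnt=$3
    if device_in_use "$dev" "$(cat /proc/mounts)"; then
        echo "$dev (or a partition on it) is mounted; run this from a live USB" >&2
        return 1
    fi
    if [ "${DO_IT-0}" != 1 ]; then
        echo "dry run: would luksFormat $dev, back up its header, open it as $name and mount on $mnt"
        return 0
    fi
    cryptsetup luksFormat --type luks2 "$dev"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$name-header.img"
    cryptsetup open "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    uuid=$(cryptsetup luksUUID "$dev")
    echo "append to /etc/crypttab: $(crypttab_line "$name" "$uuid")"
    echo "append to /etc/fstab:    $(fstab_line "$name" "$mnt")"
    echo "move $name-header.img off this machine"
}

if [ $# -eq 3 ]; then
    setup_luks "$1" "$2" "$3"
fi
```

The header backup is written to the current directory only because nothing else is mounted yet at that point; move it to removable media straight away, since a backup stored on the encrypted drive itself is useless when the header is what broke.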