Uncovering Undercover

I read about the anti-theft software Undercover and want to share my opinion with you.

I will not run this piece of software on my Mac, but I have done a quick static analysis. Some interesting and scary details:

The program is launched via LaunchDaemon, then it uses an NSTimer to loop (the guys at TUAW were wondering how it could get started without a user logging in – I wonder if the U is for unofficial or for unskilled).

The very authentic „hardware damage“ that they are talking about seems to be a dialogue with the following message:

Mac OS X detected a logic board failure
It is recommended to take this computer to an authorized Apple support center.

There are also other nice messages that will be displayed:
This Mac has been stolen. Identifying information about you and your location has already been collected. This Mac will become unusable in the next 5 days.
Please contact info@orbicule.com for instructions on how to return this computer.
You will receive a reward if this computer is returned.

It’s questionable whether it’s really a good idea to inform the thief that protection software is running…

It’s also quite funny that they use speech synthesis for the alert; the following AppleScript is used:

say "Help. Help. Help. I'm a stolen macintosh computer... Please return me to the rightful owner"

Instead of sending the MAC address and receiving a message if it’s stolen, the program downloads a list of ALL stolen Macs and seems to then check.
The lists can be found here and here – so far, only one Mac was stolen :-)

The IP address check is done by some obscure third party website, checkip.dyndns.org, instead of just sending a request to http://www.orbicule.com and letting them examine their logfiles…

And now for the big bummer, please sit down!
The screenshots that the program takes are uploaded via FTP, not some fancy or even not quite as fancy asynchronous push method.
So, you wonder where they are uploaded to? Yes, his webserver, into the document root, with user privileges that can add, delete or modify ANY file on the webserver, including the disk image of the software itself. So backdooring that software is just a matter of evilness. Ah, yes, of course, username and password are hardcoded.
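
The kind of static check that surfaces a hardcoded FTP login, as an added example (not code from the original post or from the vendor): it pulls printable strings out of a binary and flags embedded credentials, redacting the secret in the report. The sample bytes, host names and credential values are constructed, and the URL and key=value storage forms are assumptions.

```python
import re

# Constructed sample standing in for a binary's data section (not from the real program).
SAMPLE = (
    b"\xfe\xed\xfa\xce\x00__TEXT\x00\x01"
    b"ftp://uploader:N0tARealOne@ftp.example.invalid/htdocs/shots/\x00"
    b"\x07https://www.example.invalid/check\x00"
    b"\x03ftpPassword=constructed-value\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as strings(1)
# scheme://user:password@host
CRED_URL = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*)://([^\s:/@]+):([^\s/@]+)@([a-z0-9.-]+)")
# password=..., passwd: ..., secret=...
KV_SECRET = re.compile(r"(?i)(pass(?:word|wd)?|pwd|secret)\s*[=:]\s*(\S{4,})")
CLEARTEXT = {"ftp", "http", "telnet"}  # credential also crosses the wire unencrypted


def extract_strings(blob):
    """Return printable ASCII runs of six or more bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def redact(secret):
    """Keep the first character only, so reports do not leak the secret."""
    return secret[0] + "*" * (len(secret) - 1)


def audit(blob):
    """List embedded credentials found in the blob's strings."""
    findings = []
    for s in extract_strings(blob):
        for scheme, user, pw, host in CRED_URL.findall(s):
            findings.append({
                "kind": "credential-url",
                "severity": "high" if scheme.lower() in CLEARTEXT else "medium",
                "user": user, "host": host, "secret": redact(pw),
            })
        for key, value in KV_SECRET.findall(s):
            findings.append({"kind": "secret-literal", "severity": "medium",
                             "key": key, "secret": redact(value)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```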

The software is terribly designed, if it was designed at all, the version number should rather be 0.1 and it’s a joke to demand money for it.
I STRONGLY advise to NOT download and especially NOT RUN this software.
If you are concerned about theft, get an insurance, this program wouldn’t help you anyways…

2 comments on “Uncovering Undercover”

  1. mike3k
    2008-10-16 at 00:08 #


    I suggest looking at Absolute Software’s Computrace instead. Right now we only have the enterprise version available for the Mac, but we’re getting ready to release the end user version, Lojack for Laptops. It contacts Absolute’s server directly (or in the case of the enterprise version, they can have their own server), and Absolute has a recovery team to trace the location and contact local law enforcement.

    This comment was originally posted on 20060120T18:03:20

  2. mdornseif
    2008-10-16 at 00:08 #

    You really want us to look at it? Usually things look bad when we look at them. But why not. Just mail us the thing.

    This comment was originally posted on 20060120T22:55:15
