A common issue with laptop and all-in-one computers sold through the popular retail channels is the supply of “bloatware” or “crapware” with these computers. This is typically low-value software including trial or demo packages that are pre-installed on consumer-grade computers but doesn’t necessarily include drivers or manufacturer-supplied software that enables the particular features that the computer has. I have covered this issue before in relationship to the Superfish software that Lenovo had furnished with some of their consumer-focused laptops.
This can also apply to software delivered on a CD-ROM with retail-pack system parts, peripheral devices or consumer-electronics devices like digital cameras or keyboards. Some of the software is ostensibly supplied as a way to give the customer a “foot in the door” when it comes to a particular function or computing task, which tends to apply to trial versions of desktop security software or entry-level video editors and DVD / Blu-Ray playback software.
This wouldn’t necessarily happen with computer systems supplied to big businesses or contractor-supplied equipment because it is easier for these customer groups to call for a standard operating environment when they purchase their technology. Similarly, the traditional desktop computers that are built and sold be independent computer stores and dedicated computer-store chains aren’t as likely to be full of the “bloatware”.
The key issue that has been raised is the poor quality-assurance that occurs when it comes to supplying and maintaining this software. Here, there isn’t a secure path for software delivery especially whenever the software is updated or upgraded to a paid-up premium version. The software can be substituted by a man-in-the-middle attack that can be easily facilitated on an unsecured public-access Wi-Fi network. As well, there isn’t any way to verify the authenticity of the software updates, whether it is the software intended to be or actually delivered as part of the update.
This is part of the culture associated with the low-value software that the OEMs are paid to deliver with the systems that they sell to consumers and small businesses, but can affect the device drivers and functionality-enablement software.
Respected software names like Microsoft and Apple implement a secure delivery path for both server-to-device delivery and backend data transfer. As well, they implement a digitally-signed manifest (“shopping list” of files to be substituted in an update) and digitally-verified software files so that the programs can’t be altered surreptitiously.
Dell and Lenovo implement a TLS secure path for the software-manifest delivery while Lenovo implements a digitally-signed software manifest. But these policies are not applied across a manufacturer’s product line.
What can we do?
The best practice for consumers, small businesses and community organisations to do is to “strip back” the bloatware that isn’t being used. Most such software can be uninstalled through the “Programs and Features” option in the Windows Control Panel or through the uninstall routine in the software. Preferably, they should keep just the drivers and functionality software on their system.
On the other hand, they could facilitate a supervised semi-automatic software update for the OEM-supplied software and do this on their home or small-business network. If they are using any of the third-party software that has been provisioned by the OEM, it may be a better idea to visit the software developer’s Website and draw down newer versions of that software from there.
What is needed for OEM-supplied software update processes
If an OEM wishes to provision extra software with a computer, peripheral or consumer-electronics device; they need to make sure that this software is of high-quality, and respects customers’ security, privacy and data sovereignty wishes.
This includes a secure software-maintenance policy such as:
- a secure software-delivery path with latest standards and protocols between the device and the software-provisioning servers and the software distribution backbone
- digitally-signed software files and update manifests with verification occurring before and after delivery
Third-party software developers who wish to package software with a computer systems should be required to maintain this software to the same standard as what would be expected if they sold the software to customers themselves or through a traditional retailer. This includes allowing a person to upgrade from an OEM version to a premium version or instigate a subscription through their storefront rather the OEM’s storefront.