First party malware

Manufacturer: Fine, I’ll do it myself

Alienware force rescuing a user

A little while ago, I caught on to the news of Intel’s recent desktop processors degrading. Since I use an affected part (thanks Intel), I’ve been regularly updating my BIOS. Nothing went wrong until the most recent update, which brought an unexpected surprise: borderline malware.

I use an MSI motherboard. After the most recent BIOS update, I booted into Windows to find a mysterious installer called “MSI Center” pop up. I have never installed this software or the installer myself, nor did it come pre-installed on the OS. After some investigation, I discovered that the latest BIOS update snuck the installer in on a firmware level. MSI being a generous company allowed me to disable the installer from showing up, which I immediately did.

The funny part is that I didn’t notice this part about the BIOS update right away. The installer is hardcoded for Windows, so I never saw a popup when booted into Linux. Maybe it’s a sign that I should just ditch Windows for good soon.

While some people might not really care about this, I was deeply disturbed. The fact that something as low level as BIOS can so easily inject anything into the higher level OS above it seems like a massive security and privacy hole. Sometime last year, MSI was victim to a hacking attack that exposed their private signing keys. With that info, hackers can make malware that appears to have officially come from MSI. People who aren’t tech-literate could install whatever Trojan a malicious actor set up, which can lead to fun things like botnets and ransomeware.

In short, I find the act of manufacturer’s injecting software into the OS by low level firmware changes to be disturbing. This type of software delivery simply should not exist. But MSI isn’t the only one who does this; there are way more companies that also engage in this behaviour. And some of them are even more ridiculous.

Recently, I got an Alienware monitor. It’s the popular AW3423DWF, which is regarded as one of the best ultrawide OLED monitors released so far. I got it on a sale for nearly half price and it provided a great upgrade over my previous monitor. I have no complaints about the monitor, except for one thing.

Yes, out of all tech products you can imagine, a god damn monitor started to download software to my computer. I was completely blindsided by a Windows notification saying “Alienware Command Centre is downloading”. I couldn’t even stop the download process. I had to wait for the program to download and install, then manually uninstall it. Even worse, the program re-downloaded itself when I performed a monitor firmware upgrade. And again, Linux is immune from this garbage.

The motherboard BIOS injecting software is something I can comprehend. But a monitor? Really? The only connection between the Alienware monitor and my PC was a DisplayPort cable. First, I had no idea DisplayPort was capable of doing this. Second, just why? What’s the point of forcing unwanted software down users’s throats? It’s really hard to put into words how flabbergasted I was when I saw the download notification, twice.

Actually that’s a lie; I saw it download 3 times. The third time is when I connected my work laptop to the monitor, after forgetting about the borderline malware. And because my laptop is security controlled, I can’t even get rid of the software. So I just have “Alienware Command Centre” installed on a business laptop with no way to remove it. Great.

Like I said earlier, I find this method of forced software installation to be disturbing. Getting an unwanted program downloaded without voluntary download or consent sounds awfully similar to how malware works. If their software is bloated to the point where I experience performance drops, I’d consider that legitimate malware; there’s no distinction.

Imagine installing a Samsung smart fridge in your house and immediately finding the Samsung smart home app magically downloaded on your phone. Or you pair a new Sony wireless headphone to your computer and immediately get a Sony app download. Or plug in a Razer keyboard/mouse to your computer and get their infamously terrible software force downloaded. Oh wait, that last one is real.

This kind of first party malware should not exist. It’s annoying and unwanted. The software behaves like borderline malware, except the source is someone you paid for a product, so you’re technically paying for the crap. You don’t even get a chance to opt out, so even those privacy/cookie opt-out banners on websites are better. The most that should happen is a sheet of paper in the product package that recommends you to download the product’s complementary software.

I just want to plug in a peripheral to my computer and just have it work, without forcing a software download. Is it too much to ask for?