What you need to know about Dell’s root certificate security debacle
Dell Acknowledges Security Hole in New Laptops.
In an attempt to streamline remote support, Dell installed a self-signed root certificate, together with its private key, on its customers' computers, apparently without realizing that this exposes users' encrypted communications to interception. Dell Inc said on Monday that a security hole exists in some of its recently shipped laptops that could make it easy for attackers to access users' private data. Even more surprising is that the company did this while being fully aware of a very similar blunder by one of its competitors, Lenovo, whose Superfish adware certificate came to light in February.
A pre-installed program on some newly purchased Dell laptops, which consumers can only remove manually, leaves them open to attacks in which an intruder reads encrypted traffic and redirects the browser to spoofed versions of real websites such as Google or a bank's site. "The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience," Dell said in a statement to Reuters. "Unfortunately, the certificate introduced an unintended security vulnerability." Dell declined to say how many computers or which specific models are affected.
The issue affects laptops and desktop PCs sold since as early as July this year. Because the certificate was shipped together with its private key, which was meant to let Dell's online support services quickly identify the system model, it potentially exposes users' web traffic to decryption. The company has published a guide to removing the certificate, called eDellRoot, from new models in the Inspiron, XPS and Precision ranges, saying its staff "deeply regret that this has happened and are taking steps to address it".
Lenovo's certificate came from third-party adware; in Dell's case it was installed by one of the company's own support tools, which is arguably even worse because Dell bears full responsibility for the decision. If you have a new Dell computer, go to Start, type "certmgr.msc" (accept the UAC prompt), open Trusted Root Certification Authorities -> Certificates and check whether there is an entry named "eDellRoot". The certificate lives in the computer's store, not just the current user's, so removing it requires administrator rights. Dell said it would provide customers with instructions for permanently removing the certificate by email and on its support website, a process that is likely to be fairly technical. On Monday, Duo Security published a report saying that it had also come across the eDellRoot issue while examining a Dell Inspiron 14 laptop it had recently bought.
Reports on social media indicate that models including the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647 and the Precision M4800 are affected, and Dell's advisory lists the models that ship with Dell Foundation Services (DFS), the support software that installed the certificate: XPS, Inspiron, Vostro and Precision laptops and OptiPlex and Precision Tower desktops. Adding to the embarrassment, the product pages for Dell's Inspiron 20 and XPS 27 All-in-One desktops, the Inspiron 14 5000 Series, Inspiron 15 7000 Series and Inspiron 17 7000 Series laptops, and probably other products, ask "Worried about Superfish?" and go on to promise: "Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."
The eDellRoot certificate is self-signed and sits in the Windows certificate store under "Trusted Root Certification Authorities", with its private key stored alongside it, and the same certificate and key are shipped on every affected machine. That means any SSL/TLS or code-signing certificate signed with the eDellRoot private key will be trusted by browsers, desktop email clients and other applications on affected Dell systems. The private key has since been extracted and is publicly available online, so an attacker can use it to generate a certificate for any HTTPS-enabled website. In a man-in-the-middle (MitM) attack the attacker intercepts the user's HTTPS requests to a secure site, bankofamerica.com for example, and answers them with a forged certificate chained to eDellRoot. The user sees a valid HTTPS-encrypted connection to Bank of America in the browser, while the attacker reads and modifies the traffic.
Roaming corporate users, especially traveling executives, could be the most attractive targets for man-in-the-middle attackers exploiting this flaw, because they likely have valuable information on their computers. "If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," said Robert Graham, the CEO of security firm Errata Security, in a blog post. In addition to stealing information, including log-in credentials, from encrypted traffic, man-in-the-middle attackers can also modify that traffic on the fly. This means that a website receiving a request from an affected Dell computer, or someone receiving an email sent from one, cannot be sure that what arrived is what the user actually sent.
As part of its investigation, Duo Security's analysts scanned the Internet with the Censys search tool to look for systems using eDellRoot to encrypt traffic. The finding, Duo wrote, suggests that Dell may have shipped other computers and devices with identical cryptographic keys, another major mistake. Duo also turned up a second problem: another eDellRoot certificate, with a different fingerprint, found on 24 systems scattered around the world, one of which, most surprisingly, appears to be part of a SCADA (Supervisory Control and Data Acquisition) set-up of the kind used to control industrial processes. That second certificate expired on March 13, 2013, but Duo's Steve Manzuik said that "our research shows that there was a period of about 11 days where it was a valid certificate meaning that it could be easily used, for example, to sign malware." Dell officials did not have an immediate comment on the second certificate.
Dell said it would post instructions for fixing eDellRoot on its support website later on Monday, and it has also created a software update, pushed out from November 24, that searches for the certificate installed by Dell Foundation Services and removes it where necessary. Deleting the certificate by hand is not enough on its own, because the eDell plugin in Dell Foundation Services will put it back: the plugin module "Dell.Foundation.Agent.Plugins.eDell.dll" must be removed first, and then the eDellRoot certificate.
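The trust failure described above, and the validity-window point Duo made about the second certificate, reduced to code. This is an added example, not Dell's, Duo's or any vendor's code: it generates its own throwaway root named "eDellRoot" (no real eDellRoot key material is involved), signs a server certificate for bankofamerica.com with that root's private key, and then asks Go's X.509 verifier how three clients treat the forgery: one with the root installed, one without it, and one checking a chain whose root expired on 13 March 2013 after an 11-day window. The host name, the dates, the function names and the labels returned by Reason are choices made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key for a certificate named name and signs it with parentKey.
// With parent == nil it is self-signed with the CA bits set (the eDellRoot role); otherwise it
// is a TLS server certificate for name, issued under parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, from, to time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN a browser matches against the URL
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ForgeChain builds a self-signed "eDellRoot" valid over [from, to] and uses its private key
// to issue a server certificate for host: exactly what an attacker holding the leaked key does.
func ForgeChain(host string, from, to time.Time) (root, leaf *x509.Certificate, err error) {
	var rootKey *ecdsa.PrivateKey
	root, rootKey, err = issue("eDellRoot", nil, nil, from, to)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = issue(host, root, rootKey, from, to)
	return root, leaf, err
}

// VerifyAs models a client that trusts exactly the given roots and nothing else;
// it returns nil if that client would accept leaf for host at time now.
func VerifyAs(leaf *x509.Certificate, host string, now time.Time, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool: the system roots are deliberately not consulted
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

// Reason reduces a verification error to the label a practitioner looks for.
func Reason(err error) string {
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknown):
		return "unknown authority"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "rejected: " + err.Error()
}

func main() {
	now := time.Date(2015, 11, 24, 12, 0, 0, 0, time.UTC)
	host := "bankofamerica.com" // the site named in the article; no real key material is involved
	root, leaf, err := ForgeChain(host, now.AddDate(-1, 0, 0), now.AddDate(25, 0, 0))
	if err != nil {
		panic(err)
	}
	fmt.Println("client with eDellRoot installed:", Reason(VerifyAs(leaf, host, now, root))) // accepted
	fmt.Println("client without it:              ", Reason(VerifyAs(leaf, host, now)))       // unknown authority
	// The second certificate Duo found had expired on 13 March 2013 after an
	// 11-day window: a chain built under it only verifies inside that window.
	expiry := time.Date(2013, 3, 13, 0, 0, 0, 0, time.UTC)
	oldRoot, oldLeaf, err := ForgeChain(host, expiry.AddDate(0, 0, -11), expiry)
	if err != nil {
		panic(err)
	}
	fmt.Println("old chain today:                ", Reason(VerifyAs(oldLeaf, host, now, oldRoot))) // expired
}
```

The first two results differ only in whether the root is present in the client's trust store, which is why removing the certificate (and the plugin that reinstalls it) matters more than any per-site precaution. Because a verifier checks the validity window of every certificate in the chain, the expired second certificate can no longer be used this way, but anything signed during its 11 days, malware included, would have verified at the time.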