Menu
What you need to know about Dell's root certificate security debacle

What you need to know about Dell's root certificate security debacle

The full scope of the incident is still unclear, but there's a removal tool available

In an attempt to streamline remote support, Dell installed a self-signed root certificate and corresponding private key on its customers' computers, apparently without realizing that this exposes users' encrypted communications to potential spying.

Even more surprising is that the company did this while being fully aware of a very similar security blunder by one of its competitors, Lenovo, that came to light in February.

In Lenovo's case it was an advertising program called Superfish that came preinstalled on some of the company's consumer laptops and which installed a self-signed root certificate. In Dell's case it was one of the company's own support tools, which is arguably even worse because Dell bears full responsibility for the decision.

Ironically, Dell actually took advantage of Lenovo's mishap to highlight its own commitment to privacy and to advertise its products. The product pages for Dell's Inspiron 20 and XPS 27 All-in-One desktops, Inspiron 14 5000 Series, Inspiron 15 7000 Series, Inspiron 17 7000 Series laptops and probably other products, read: "Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."

Why should you care

The eDellRoot self-signed certificate is installed in the Windows certificate store under the "Trusted Root Certification Authorities." This means that any SSL/TLS or code-signing certificate that is signed with the eDellRoot certificate's private key will be trusted by browsers, desktop email clients and other applications that run on affected Dell systems.

For example, attackers can use the eDellRoot private key, which is now publicly available online, to generate certificates for any HTTPS-enabled websites. They can then use public wireless networks or hacked routers to decrypt traffic from affected Dell systems to those websites.

In these so-called Man-in-the-Middle (MitM) attacks, the attackers intercept users' HTTPS requests to a secure website -- bankofamerica.com for example. They then start acting as a proxy by establishing a legitimate connection to the real website from their own machine and passing the traffic back to the victims after re-encrypting it with a rogue bankofamerica.com certificate generated with the eDellRoot key.

The users will see a valid HTTPS-encrypted connection to Bank of America in their browsers, but the attackers will actually be able to read and modify their traffic.

Attackers could also use the eDellRoot private key to generate certificates that could be used to sign malware files. Those files would generate less scary User Account Control prompts on affected Dell systems when executed, because they would appear to the OS as if they were signed by a trusted software publisher. Malicious system drivers signed with such a rogue certificate would also bypass the driver signature verification in 64-bit versions of Windows.

It's not just laptops

Initial reports were about finding the eDellRoot certificate on various Dell laptop models. However, the certificate is actually installed by the Dell Foundation Services (DFS) application which, according to its release notes, is available on laptops, desktops, all-in-ones, two-in-ones, and towers from various Dell product lines, including XPS, OptiPlex, Inspiron, Vostro and Precision Tower.

Dell said Monday that it began loading the current version of this tool on "consumer and commercial devices" in August. However, it's unclear if this refers to devices sold since August or if existing devices that already had DFS installed got updated with the problematic version.

More than one certificate

Researchers from security firm Duo Security found a second eDellRoot certificate with a different fingerprint on 24 systems scattered around the world. Most surprisingly, one of those systems appears to be part of a SCADA (Supervisory Control and Data Acquisition) set-up, like those used to control industrial processes.

Other users also reported the presence of another certificate called DSDTestProvider on some Dell computers. Some people have speculated that this is related to the Dell System Detect utility, although this is not yet confirmed.

There's a removal tool available

Dell released a removal tool and also published manual removal instructions for the eDellRoot certificate. However, the instructions might prove too difficult for a user with no technical knowledge to follow. The company also plans to push a software update today that will search for the certificate and remove it from systems automatically.

Corporate users are high-value targets

Roaming corporate users, especially traveling executives, could be the most attractive targets for man-in-the-middle attackers exploiting this flaw, because they likely have valuable information on their computers.

"If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," said Robert Graham, the CEO of security firm Errata Security, in a blog post.

As a matter of course, companies should deploy their own, clean and pre-configured Windows images on the laptops they buy. They should also make sure that their roaming employees are always connecting back to corporate offices over secure virtual private networks (VPNs).

It's not just Dell computer owners who should care

The implications of this security hole reach beyond just owners of Dell systems. In addition to stealing information, including log-in credentials, from encrypted traffic, man-in-the-middle attackers can also modify that traffic on the fly. This means someone receiving an email from an affected Dell computer or a website receiving a request on behalf of a Dell user can't be sure of its authenticity.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Dell

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments