Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Businesses Security

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk) 92

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.
This discussion has been archived. No new comments can be posted.

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops

Comments Filter:
  • Let me Guess (Score:5, Insightful)

    by Anonymous Coward on Monday November 23, 2015 @04:07PM (#50988497)

    He is running a pre-installed Windows?

    First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

    • Re: Let me Guess (Score:2, Interesting)

      by Anonymous Coward

      Apparently it reinstalls itself on updates and also is installed onto Ubuntu.

      This is lawsuit worthy IMO. Either maliciousness or gross negligence. One doesn't just accidentally do this.

      • The FA doesn't mention anything about Ubuntu. Do you have a link?

        Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?

        • Re: Let me Guess (Score:5, Informative)

          by LinuxIsGarbage ( 1658307 ) on Monday November 23, 2015 @05:28PM (#50989201)

          The FA doesn't mention anything about Ubuntu. Do you have a link?

          Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?

          I can't speak to Ubuntu, but on Windows for Lenovo, Lenovo can install bloatware even on a clean install using Microsoft's Windows Platform Binary Table [theregister.co.uk]. Primarily intended for Drivers, or security software like LoJack.

        • YHBT
    • Re:Let me Guess (Score:5, Informative)

      by Lead Butthead ( 321013 ) on Monday November 23, 2015 @04:14PM (#50988567) Journal

      He is running a pre-installed Windows?

      First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

      Except if you bought a Lenovo, it'll helpfully replaces OS components through Lenovo Service Engine [thenextweb.com] entirely on its own. So a clean install won't save you. Nice eh?

      • Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.

        • by Anonymous Coward

          Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.

          Ahem. The bios recognizing the file system and replacing files before booting the OS would work against any OS. Yes, Windows will accept a vendor-signed file in it's place, but Windows was really the only OS to feature secure boot anyway.

          At best you could claim that Windows - unlike other OSes - had the opportunity to protect against this, but Microsoft chose not to. Yes, Microsoft has described the technique (not a mechanism - there is nothing in Windows to support this) - to allow vendors a way to ensure

  • by swb ( 14022 )

    ...a root certificate store that is locked and can only have NSA-approved certificates installed.

    • by Dr_Barnowl ( 709838 ) on Monday November 23, 2015 @04:16PM (#50988587)

      No chance.

      This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

      We also had something that directed traffic while we were out of the corporate network through a third-party proxy that used the same trick (Websense).

      • by swb ( 14022 )

        That's easy to solve. MS will sell you an Enterprise Root CA Server system which _can_ install into client root CA stores. It's only $10,000 plus $100 per CAL for every client system the root CA is installed on.

      • by Luthair ( 847766 )
        They could remove the ability out of the non-enterprise editions. More obviously they could also add it to their licensing agreement with OEMs to prohibit changing them.
      • by sexconker ( 1179573 ) on Monday November 23, 2015 @04:48PM (#50988909)

        No chance.

        This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

        Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk.
        What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

        Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.

        • Oh, believe me, I was deeply uncomfortable about the whole thing. I think I even reported it to the IT department as a security problem (the certs they were using were self-signed and not even remotely plausible as belonging to our organization at face value - I thought it was a rootkit). I made a point of telling everyone I liked not to do anything even remotely compromising on their work machine.

          I've since left that workplace and control my own infrastructure.

          I think it was the routine analysis of all our

        • Exactly why should you (as an employee) have any rights to privacy on a computer you do not own, and agree to being monitored on?

        • by ( 4348431 )

          No chance.

          This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

          Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk. What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

          Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.

          Why would they use a certificate in a clean install? I've said this many times irl. I HATE DELL

      • by mlts ( 1038732 )

        In companies, using a device like BlueCoat, or another, and dropping the root cert into AD for it to be auto-trusted isn't unheard of.

        However, I'm seeing this being done more and more with adware. In fact, when helping to clean some infections, when I was doing a quick forensic check before saving documents and wiping the box, almost all the machines with adware/scumware had a root cert added, and all traffic going through some local VPN or proxy. This is of course fixable, but if this is done, who knows

  • if the private key is also available on the machine. Otherwise its another sort of questionable.
  • Test your system. (Score:5, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday November 23, 2015 @04:13PM (#50988553)

    https://edell.tlsfun.de/ [tlsfun.de]

    I don't think it is "accused" any more. It's pretty much proven.

    • It's worth noting that my Alienware 15 and my E7240 don't have any such cert on them. Both are still OEM builds... though the AW15 has been upgraded to Windows 10 while the E7240 is still running 7 (because I actually like to get work done on that :)

      Just also tested my Venue 11 Pro and it DOES have the cert. Interesting.

  • David Hannum is quoted as saying "There's a sucker born every minute" (In reference to a P.T. Barnum hoax)

    People in the know will quickly repair this huge hole, unfortunately the masses aka "suckers" will leave this vulnerability open to the world.

    Mission accomplished.

  • Whoa, thanks man. Want to burn one after school?
  • by BoRegardless ( 721219 ) on Monday November 23, 2015 @04:58PM (#50988983)

    So Dell satisfies its corporate customers.

  • by lkcl ( 517947 ) <lkcl@lkcl.net> on Monday November 23, 2015 @05:23PM (#50989163) Homepage

    ... y'know... it has to be said, this is precisely why thinkpenguin (and other FSF-Endorsed hardware) do wipe-it-down-to-the-bedrock products, even to the extent of replacing the standard BIOS with coreboot, and why the purism librem laptop exists (and was successfully funded last year). but even there, the problem is that for the past 15 years all intel processors have to have an RSA-signed bootloader that goes into EEPROM on-board the processor, where there's absolutely no chance of obtaining the source code for that proprietary firmware blob. you have absolutely no idea what goes into that bootloader, but it's already been demonstrated that your laptop - and your desktop - can be woken up by external network signals - without your consent or knowledge - *even when you powered them down*.

    the only possible solution here is... to not use intel (or AMD) processors. and that opens up a whole can of worms, which is why i've been sponsored to make an upgradeable laptop. if any one CPU is ever found to have problems, the whole CPU Card can be popped out and replaced... *without* having to throw away the entire laptop.

    designing a laptop from the ground up so that its main CPU module can be replaced... only two years ago that could have been said to be "total paranoia". now we have the kinds of stunts being pulled by Dell, Lenovo and the NSA which were only previously believed to *potentially* be carried out...

    • Comment removed based on user account deletion
      • by mlts ( 1038732 )

        For home/SOHO usage, what also might help is adding a router and virtualization. The router ideally should be a small PFSense appliance with snort on it.

        Virtualization helps because it keeps things isolated. Nothing is perfect (as in theory, the hypervisor can be compromised), but with a layer separating the desktop OS from the bare metal, and an active gatekeeper that can easily block stuff phoning home, this will help with mitigation.

        For example, web browsing. Running the day to day browser in a VM [1]

    • That's not enough, to a large degree.
      It must also be designed so that no peripheral outside of the CPU is trusted, if you're going that far.
      Hard drives, network peripherals, ... all today have CPUs of their own, usually with entirely secret firmware, and often access to the bus.

    • by AmiMoJo ( 196126 )

      Presumably that's only for the on-board LAN. Just use a PCIe LAN card instead (non Intel chipset).

  • Not just laptops (Score:4, Informative)

    by Interpreting Tech. ( 4345667 ) on Monday November 23, 2015 @07:25PM (#50990061)
    It's not just laptops. We confirmed it was on a Dell Precision 5810 desktop workstation, purchased early May 2015.
  • Guess I shouldn't trust Lenovo or Dell for new machines.

  • What impact would these self-signing root certificates have on security?
    • What impact would these self-signing root certificates have on security?

      All root certificates are self signed. It's just a matter of whether you choose to trust them or not. Your system comes with a bunch of certificates that it trusts as root certificates. Dell just added an extra one to the mix.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The problem isn't that it's self-signed - it's that they gave it the maximum possible authority and shipped it *with the private key included*, rather than just the public key.

      So, now *anyone* on the internet can sign their malicious web traffic, application, or driver with Dell's key and it will be trusted by all affected Dell computers. This would allow, for example, impersonating financial or e-commerce websites to steal people's credit card numbers or other personal data.

      When Lenovo did the same thing a

  • Even HTTP Public Key Pinning [mozilla.org] (HPKP) is not a solution against this kind of mess, since intercepting software could alter the Public-Key-Pins header.
    • It would work with a preloaded pin list similar to the HSTS preload list, for sites that should use HTTPS even on the first visit. It would also work for sites like Google properties (in Chrome) or Mozilla properties (in Firefox) where the expected cert is baked into the browser even in advance of HPKP deployment.

      It would also work if nobody was intercepting your traffic the first time you visited the site. You would only be in danger if you were being intercepted every single time, including the first time

  • So not only do these machines have a preinstalled, Dell generated root certificate, but they included the private key? WTF? The private key for a root certificate should only exist on a locked down, air gapped computer in an access controlled environment. The fact that this was included is downright scary.

    A good tinfoil hat wearing individual might conclude that one of the TLAs told them to install a system that could automatically load signed executables without user's knowledge. In a fit of defiance

  • Well, the good news is that with the private key available I believe that anyone could generate a revocation for this certificate. First person to revoke this key on every major key repository wins a bag of gummy bears!
  • by gweihir ( 88907 ) on Tuesday November 24, 2015 @03:22AM (#50992205)

    According to heise.de, just marked "non-exportable" (sorry, no English link):

            http://www.heise.de/newsticker... [heise.de]

    Person that reported this initially:

        https://www.reddit.com/r/techn... [reddit.com]

    Apparently being non-exportable is no protection whatsoever, and people are already offering the CA cert for download, which then lets everybody sign for this CA.

    It is hard to display more fundamental incompetence with regards to certificate handling.

  • 1. Go to your Services... either run "services.msc", "compmgmt.msc" or "Open Services" from Task Manager.
    2. Stop the Dell Foundation Service
    3. Browse to c:\Program Files\Dell\Dell Foundation Services directory and delete the Dell.Foundation.Agent.Plugins.eDell.dll file
    4. Launch Certificate Manager by running "certmgr.msc"
    5. Browse to "Trusted Root Certificates \ Certificates"
    6. Locate the eDellRoot certificate and delete it.
    7. Restart your Dell Foundation Services. Voila... doesn't come back after a reboot.

We must believe that it is the darkest before the dawn of a beautiful new world. We will see it when we believe it. -- Saul Alinsky

Working...