Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk) 92
Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.
Let me Guess (Score:5, Insightful)
He is running a pre-installed Windows?
First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.
Re: Let me Guess (Score:2, Interesting)
Apparently it reinstalls itself on updates and also is installed onto Ubuntu.
This is lawsuit worthy IMO. Either maliciousness or gross negligence. One doesn't just accidentally do this.
Re: (Score:3)
The FA doesn't mention anything about Ubuntu. Do you have a link?
Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?
Re: Let me Guess (Score:5, Informative)
The FA doesn't mention anything about Ubuntu. Do you have a link?
Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?
I can't speak to Ubuntu, but on Windows for Lenovo, Lenovo can install bloatware even on a clean install using Microsoft's Windows Platform Binary Table [theregister.co.uk]. Primarily intended for Drivers, or security software like LoJack.
Re: (Score:2)
I probably shouldn't reply to an AC, but while I'm "remembering old news", in the case of Lenovo, on Windows, it's installing crapware out of the BIOS onto a clean install from a clean disc. The Great Grandfather of my post is talking about:
He is running a pre-installed Windows?
First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.
With the "Microsoft's Windows Platform Binary Table", a clean Windows install becomes irrelevant, OEMs can still infect you by installing binaries without your permission on a clean install. Not just certificates.
Re: Let me Guess (Score:3)
Or copy it into the untrusted store.
Re: Let me Guess (Score:2)
Or copy it to the untrusted store.
Re:Let me Guess (Score:5, Informative)
He is running a pre-installed Windows?
First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.
Except if you bought a Lenovo, it'll helpfully replace OS components through Lenovo Service Engine [thenextweb.com] entirely on its own. So a clean install won't save you. Nice eh?
Re: (Score:2)
Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.
Re: (Score:1)
Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.
Ahem. The BIOS recognizing the file system and replacing files before booting the OS would work against any OS. Yes, Windows will accept a vendor-signed file in its place, but Windows was really the only OS to feature secure boot anyway.
At best you could claim that Windows - unlike other OSes - had the opportunity to protect against this, but Microsoft chose not to. Yes, Microsoft has described the technique (not a mechanism - there is nothing in Windows to support this) - to allow vendors a way to ensure
Re: (Score:1)
You can just download your ISO of choice from MS's digital distributor or use the media creation tool.
Re: Let me Guess (Score:1)
And then you need to purchase a retail license to go with it. The OEM key won't work (which sucks for virtual machines too).
Coming soon in Windows 11 (Score:2, Interesting)
...a root certificate store that is locked and can only have NSA-approved certificates installed.
Re:Coming soon in Windows 11 (Score:5, Interesting)
No chance.
This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.
We also had something that directed traffic while we were out of the corporate network through a third-party proxy that used the same trick (Websense).
Re: (Score:3)
That's easy to solve. MS will sell you an Enterprise Root CA Server system which _can_ install into client root CA stores. It's only $10,000 plus $100 per CAL for every client system the root CA is installed on.
Re: (Score:3)
and then the people who use Linux based systems will just do it the free way and it's antitrust to block that.
Re: (Score:2)
Yeah, but thanks to Justice Department "internal security guidance", there will be no anti-trust suit against Windows' new "root ca secure store".
Re: (Score:2)
What about the EU?
Re:Coming soon in Windows 11 (Score:5, Interesting)
No chance.
This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.
Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk.
What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.
Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.
Re: (Score:2)
Oh, believe me, I was deeply uncomfortable about the whole thing. I think I even reported it to the IT department as a security problem (the certs they were using were self-signed and not even remotely plausible as belonging to our organization at face value - I thought it was a rootkit). I made a point of telling everyone I liked not to do anything even remotely compromising on their work machine.
I've since left that workplace and control my own infrastructure.
I think it was the routine analysis of all our
Re: (Score:2)
Indeed, I tunnelled all my web traffic through my router at home via SSH.
Re: Coming soon in Windows 11 (Score:2)
Use Google authenticator with openvpn at home, keyloggers won't help them.
Re: (Score:2)
Exactly why should you (as an employee) have any rights to privacy on a computer you do not own, and agree to being monitored on?
Re: (Score:1)
No chance.
This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.
Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk. What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.
Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.
Why would they use a certificate in a clean install? I've said this many times irl. I HATE DELL
Re: (Score:3)
In companies, using a device like BlueCoat, or another, and dropping the root cert into AD for it to be auto-trusted isn't unheard of.
However, I'm seeing this being done more and more with adware. In fact, when helping to clean some infections, when I was doing a quick forensic check before saving documents and wiping the box, almost all the machines with adware/scumware had a root cert added, and all traffic going through some local VPN or proxy. This is of course fixable, but if this is done, who knows
It's only SuperFish-like (Score:2, Insightful)
Re:It's only SuperFish-like (Score:5, Informative)
Reading the FA: yes, the private key is on the machine.
Re:It's only SuperFish-like (Score:5, Informative)
Not only is the private key supplied with the certificate, unlike with SuperFish the certificate can also be used to sign executables. Which means that the bad guys can now sign their malware with eDellRoot and gain unwarranted trust. It figures that slashdot doesn't provide a good link. Try http://arstechnica.com/securit... [arstechnica.com]
Re:It's only SuperFish-like (Score:4, Interesting)
Heh, as pointed out at the bottom of that article someone in Dell marketing needs to eat some serious humble pie:
http://www.dell.com/us/p/xps-1... [dell.com]
"Dell is serious about your privacy
Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."
Youch.
Re: It's only SuperFish-like (Score:1)
it's the case it has the private key and it is publicly available. my xps13 windows install bought Feb this year (which I rarely use) has it.
actually got a dell engineer coming round this week for an issue which I highly suspect is the result of this being abused.
Re: It's only SuperFish-like (Score:1)
it's the case. my xps13 windows install bought Feb this year (which I rarely use) has it.
actually got an engineer coming round this week for an issue which I highly suspect is the result of this being abused.
Test your system. (Score:5, Informative)
https://edell.tlsfun.de/ [tlsfun.de]
I don't think it is "accused" any more. It's pretty much proven.
Re: (Score:2)
It's worth noting that my Alienware 15 and my E7240 don't have any such cert on them. Both are still OEM builds... though the AW15 has been upgraded to Windows 10 while the E7240 is still running 7 (because I actually like to get work done on that :)
Just also tested my Venue 11 Pro and it DOES have the cert. Interesting.
I don't know it's a fact, I just know it's true... (Score:1)
David Hannum is quoted as saying "There's a sucker born every minute" (In reference to a P.T. Barnum hoax)
People in the know will quickly repair this huge hole; unfortunately, the masses aka "suckers" will leave this vulnerability open to the world.
Mission accomplished.
DUDE, you're getting a superfish certificate! (Score:2)
Drucker said "Satisfy Your Customer" (Score:3)
So Dell satisfies its corporate customers.
thinkpenguin, librem and eoma68 laptops (Score:5, Insightful)
... y'know... it has to be said, this is precisely why thinkpenguin (and other FSF-Endorsed hardware) do wipe-it-down-to-the-bedrock products, even to the extent of replacing the standard BIOS with coreboot, and why the purism librem laptop exists (and was successfully funded last year). but even there, the problem is that for the past 15 years all intel processors have to have an RSA-signed bootloader that goes into EEPROM on-board the processor, where there's absolutely no chance of obtaining the source code for that proprietary firmware blob. you have absolutely no idea what goes into that bootloader, but it's already been demonstrated that your laptop - and your desktop - can be woken up by external network signals - without your consent or knowledge - *even when you powered them down*.
the only possible solution here is... to not use intel (or AMD) processors. and that opens up a whole can of worms, which is why i've been sponsored to make an upgradeable laptop. if any one CPU is ever found to have problems, the whole CPU Card can be popped out and replaced... *without* having to throw away the entire laptop.
designing a laptop from the ground up so that its main CPU module can be replaced... only two years ago that could have been said to be "total paranoia". now we have the kinds of stunts being pulled by Dell, Lenovo and the NSA which were only previously believed to *potentially* be carried out...
Re: (Score:3)
For home/SOHO usage, what also might help is adding a router and virtualization. The router ideally should be a small PFSense appliance with snort on it.
Virtualization helps because it keeps things isolated. Nothing is perfect (as in theory, the hypervisor can be compromised), but with a layer separating the desktop OS from the bare metal, and an active gatekeeper that can easily block stuff phoning home, this will help with mitigation.
For example, web browsing. Running the day to day browser in a VM [1]
Re: (Score:2)
That's not enough, to a large degree. ... all today have CPUs of their own, usually with entirely secret firmware, and often access to the bus.
It must also be designed so that no peripheral outside of the CPU is trusted, if you're going that far.
Hard drives, network peripherals,
Re: (Score:2)
Presumably that's only for the on-board LAN. Just use a PCIe LAN card instead (non Intel chipset).
Not just laptops (Score:4, Informative)
Two down... (Score:2)
Guess I shouldn't trust Lenovo or Dell for new machines.
Re:Two down... (Score:4, Funny)
Yeah. Good thing we can still trust Huawei.
Self-signing root certificates on laptops .. (Score:2)
Re: (Score:2)
What impact would these self-signing root certificates have on security?
All root certificates are self signed. It's just a matter of whether you choose to trust them or not. Your system comes with a bunch of certificates that it trusts as root certificates. Dell just added an extra one to the mix.
Re: (Score:2, Informative)
The problem isn't that it's self-signed - it's that they gave it the maximum possible authority and shipped it *with the private key included*, rather than just the public key.
So, now *anyone* on the internet can sign their malicious web traffic, application, or driver with Dell's key and it will be trusted by all affected Dell computers. This would allow, for example, impersonating financial or e-commerce websites to steal people's credit card numbers or other personal data.
When Lenovo did the same thing a
Public key pinning (Score:2)
Re: (Score:2)
It would work with a preloaded pin list similar to the HSTS preload list, for sites that should use HTTPS even on the first visit. It would also work for sites like Google properties (in Chrome) or Mozilla properties (in Firefox) where the expected cert is baked into the browser even in advance of HPKP deployment.
It would also work if nobody was intercepting your traffic the first time you visited the site. You would only be in danger if you were being intercepted every single time, including the first time
Private Key? (Score:2)
So not only do these machines have a preinstalled, Dell generated root certificate, but they included the private key? WTF? The private key for a root certificate should only exist on a locked down, air gapped computer in an access controlled environment. The fact that this was included is downright scary.
A good tinfoil hat wearing individual might conclude that one of the TLAs told them to install a system that could automatically load signed executables without user's knowledge. In a fit of defiance
Key Revocation (Score:2)
The CA secret cert is also present (Score:3)
According to heise.de, just marked "non-exportable" (sorry, no English link):
http://www.heise.de/newsticker... [heise.de]
Person that reported this initially:
https://www.reddit.com/r/techn... [reddit.com]
Apparently being non-exportable is no protection whatsoever, and people are already offering the CA cert for download, which then lets everybody sign for this CA.
It is hard to display more fundamental incompetence with regards to certificate handling.
Removal Instructions (Score:2)
1. Go to your Services... either run "services.msc", "compmgmt.msc" or "Open Services" from Task Manager.
2. Stop the Dell Foundation Service
3. Browse to c:\Program Files\Dell\Dell Foundation Services directory and delete the Dell.Foundation.Agent.Plugins.eDell.dll file
4. Launch Certificate Manager by running "certmgr.msc"
5. Browse to "Trusted Root Certificates \ Certificates"
6. Locate the eDellRoot certificate and delete it.
7. Restart your Dell Foundation Services. Voila... doesn't come back after a reboot.
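
The removal steps above as a script, extended with an audit-only default that also reports whether the private key is present; this is an added example, not part of the original post. The subject match on eDellRoot and the service display-name wildcard are assumptions drawn from the post's wording.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumptions: the certificate subject contains "eDellRoot" and the service
# display name begins with "Dell Foundation Service" (both taken from the post's wording).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CertName   = 'eDellRoot',
    [string]$PluginPath = 'C:\Program Files\Dell\Dell Foundation Services\Dell.Foundation.Agent.Plugins.eDell.dll',
    [switch]$Remove     # without -Remove the script only reports
)

function Find-RootCert {
    param([string]$Name)
    # Check both the machine-wide and the per-user trusted root stores.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$Name*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey   # True: a private key is stored with the cert
                    Path          = $_.PSPath
                }
            }
    }
}

$found = @(Find-RootCert -Name $CertName)
if ($found.Count -eq 0) { "No '$CertName' certificate in the trusted root stores."; return }
$found | Format-Table Store, Subject, Thumbprint, HasPrivateKey -AutoSize
if (-not $Remove) { return }

# Steps 1-2: stop the Dell Foundation Service if it is installed.
$svc = Get-Service -DisplayName 'Dell Foundation Service*' -ErrorAction SilentlyContinue
if ($svc) { $svc | Stop-Service -Force }

# Step 3: delete the plugin named in the post.
if (Test-Path -LiteralPath $PluginPath) { Remove-Item -LiteralPath $PluginPath -Force }

# Steps 4-6: remove the certificate from every root store where it was found.
$found | ForEach-Object { Remove-Item -LiteralPath $_.Path }

# Step 7: restart the service, then confirm the certificate did not return.
if ($svc) { $svc | Start-Service }
$left = @(Find-RootCert -Name $CertName)
if ($left.Count -gt 0) { Write-Warning "$CertName is still present in $($left.Store -join ', ')" }
else { "$CertName removed; re-run after a reboot to confirm it stays gone." }
```

Running it with `-Remove -WhatIf` lists the service, file and certificate changes without making them.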