Dell does a Lenovo: ships laptops with rogue root CA - gHacks Tech News

Dell does a Lenovo: ships laptops with rogue root CA

Some Dell laptops ship with a self-signed root certificate eDellRoot and private key that attackers can exploit. The issue, first reported on Reddit, has resemblances to the Lenovo incident earlier this year when the company shipped some of its laptops with a pre-installed third-party root certificate that could be exploited in a similar fashion.

The self-signed root certificate and private key appear to be identical on all affected Dell machines.

Update: Dell published an official response on the official Dell website. stating that the purpose of the certificate was "not malware or adware", but to "provide system service tag to Dell online support" and here specifically to allow Dell to "quickly identify the computer model".

The company has posted instructions on how to remove the certificate from Dell systems. End

Update 2: A second certificate vulnerability similar to the first has been discovered. The certificate DSDTestProvider is installed by Dell System Detect and includes the private key as well making systems running with it vulnerable as well to attacks. End

The preinstalled root certificate is accepted by browsers who use the system's certificate store, and that is Chrome and Internet Explorer on Windows for instance. Mozilla Firefox on the other hand is not affected by this as it uses its own certificate store.

The issue is severe, as it enables attackers to sign fake certificates for use on websites, and users would  not notice this unless they pay attention to the certificate chain.

edell rogue certificate
screenshot by rotorcowboy

The certificate, which is installed on laptops by default, is installed by the software Dell Foundation Services which, according to the description on Dell's website, "provides foundational services facilitating customer serviceability, messaging and support functions".

The private key is not exportable by default but there are tools that can export it. The key has been posted in the meantime on Reddit.

It is unclear why Dell added the certificate in this way to some of its machines. It seems unlikely that spying is the reason for this, considering that the company would not include the private key if this would be the case.

It is surprising however that another manufacturer of Windows PCs and devices would make the same mistake that Lenovo did earlier that year considering that the company should have paid close attention to the fallout afterwards.

Test your laptop

bad edell test

Hanno Böck created a web test to find out if the bad eDell certificate is installed on the system. Simply connect to the test website and you will receive information whether your system is vulnerable or not.

Remove the certificate

If the root certificate is installed on your laptop, you may want to remove it immediately to block any attacks from being carried out successfully against your system.

Windows users need to do the following to remove the certificate:

  1. Tap on the Windows-key.
  2. Type certmgr.msc and hit enter.
  3. Accept the UAC prompt if it is shown.
  4. Switch to Trusted Root Certification Authorities > Certificates.
  5. Locate the eDellRoot certificate in the list.
  6. Right-click the certificate and select Delete.

 

Summary
Dell does a Lenovo: ships laptops with rogue root CA
Article Name
Dell does a Lenovo: ships laptops with rogue root CA
Description
At least some Dell laptops ship with a self-signed root certificate and private key that attackers can abuse to create valid certificates for malicious sites.
Author

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Pants said on November 23, 2015 at 8:13 pm
    Reply

    In the Ars Technica article’s comments .. someone said the cert comes back on the next reboot

    1. Tom Hawack said on November 23, 2015 at 9:23 pm
      Reply

      If so perhaps disabling/uninstalling the Dell Foundation Services, though I ignore what they are, if they run as a service, if any uninstall procedure is available, what would be the impact on the computer. I just hope the culprit is not in the system disk’s boot sector.

      I am stunned with this repetition of Lenovo’s root certificate odyssey; I would be even more should the true story be that of an attack of the company at the manufacturing stage, involving Dell as the certificate issuer to prove its implication. We’ve already seen in the past similar attacks via viruses distributed on a famous hard disk manufacturer…

      Who can you trust? “Paranoia, the true story” soon in your bookstores …

      1. clas said on November 24, 2015 at 5:51 pm
        Reply

        ok, another company goes on my shit list….once bitten…done. too many others out there not doing this to even give them a second chance.

  2. Anon said on November 23, 2015 at 10:07 pm
    Reply

    Revoking rather than deleting the certificate should prevent it from being made available again at reboot.

    Open a CMD prompt as Admin.
    certutil -v -revoke “6b c5 7b 95 18 93 aa 97 4b 62 4a c0 88 fc 3b b6” 1

    The “6b c5 7b 95 18 93 aa 97 4b 62 4a c0 88 fc 3b b6” is the eDellRoot certificate serial number, the 1 indicates a compromised key as the reason for revocation.

  3. Derpy said on November 23, 2015 at 10:31 pm
    Reply

    This issue also affects Dell desktops. I found the certificate on my XPS 8900. I uninstalled Dell Foundation Services, deleted the certificate, then rebooted to make sure it didn’t come back.

  4. Tony said on November 23, 2015 at 11:46 pm
    Reply

    I uninstalled every dell product and then certificate. It has not come back.

  5. Huzzyz said on November 24, 2015 at 1:14 am
    Reply

    Not only that. It even comes installed on the new Alienware Laptops. :shock:

  6. bho said on November 24, 2015 at 4:47 am
    Reply

    Inspiron 15 7000 Series Laptop infected too with the government backdoor.

  7. CHEF-KOCH said on November 24, 2015 at 10:17 am
    Reply

    @Martin, just an info to simplify the steps. Just right click in certmgr.msc – right click on ‘Certicificates current users’ – ‘Search certificates’ – SHA1 and type in the certificate hash.

  8. Anonymous said on November 24, 2015 at 2:56 pm
    Reply
  9. Tom Hawack said on November 24, 2015 at 3:23 pm
    Reply

    Concerns this article as it concerns all system certificates : an interesting application I’ve discovered called RCC which aims at checking your system’s trusted root certificate store :

    Source : http://www.wilderssecurity.com/threads/rcc-check-your-systems-trusted-root-certificate-store.373819/
    Application’s home & download page : http://trax.x10.mx/apps.html
    Application’s latest beta download page : http://trax.x10.mx/beta/

    I’ve ran it and discovered one “interesting” certificate. “Interesting” is the application’s terminology to indicate possibly suspicions certificates as the idea is to search for information before removing it if applicable. RCC does not provide any certificate removal procedure, it only scans, analyses and informs.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.