What you need to know about Dell's root certificate security debacle

24.11.2015
In an attempt to streamline remote support, Dell installed a self-signed root certificate and corresponding private key on its customers' computers, apparently without realizing that this exposes users' encrypted communications to potential spying.

Even more surprising is that the company did this while being fully aware of a very similar security blunder by one of its competitors, Lenovo, that came to light in February.

In Lenovo's case it was an advertising program called Superfish that came preinstalled on some of the company's consumer laptops and which installed a self-signed root certificate. In Dell's case it was one of the company's own support tools, which is arguably even worse because Dell bears full responsibility for the decision.

Ironically, Dell actually took advantage of Lenovo's mishap to highlight its own commitment to privacy and to advertise its products. The product pages for Dell's Inspiron 20 and XPS 27 All-in-One desktops, Inspiron 14 5000 Series, Inspiron 15 7000 Series, Inspiron 17 7000 Series laptops and probably other products, read: "Worried about Superfish Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."

Why should you care

The eDellRoot self-signed certificate is installed in the Windows certificate store under the "Trusted Root Certification Authorities." This means that any SSL/TLS or code-signing certificate that is signed with the eDellRoot certificate's private key will be trusted by browsers, desktop email clients and other applications that run on affected Dell systems.

For example, attackers can use the eDellRoot private key, which is now publicly available online, to generate certificates for any HTTPS-enabled websites. They can then use public wireless networks or hacked routers to decrypt traffic from affected Dell systems to those websites.

In these so-called Man-in-the-Middle (MitM) attacks, the attackers intercept users' HTTPS requests to a secure website -- bankofamerica.com for example. They then start acting as a proxy by establishing a legitimate connection to the real website from their own machine and passing the traffic back to the victims after re-encrypting it with a rogue bankofamerica.com certificate generated with the eDellRoot key.

The users will see a valid HTTPS-encrypted connection to Bank of America in their browsers, but the attackers will actually be able to read and modify their traffic.

Attackers could also use the eDellRoot private key to generate certificates that could be used to sign malware files. Those files would generate less scary User Account Control prompts on affected Dell systems when executed, because they would appear to the OS as if they were signed by a trusted software publisher. Malicious system drivers signed with such a rogue certificate would also bypass the driver signature verification in 64-bit versions of Windows.

It's not just laptops

Initial reports were about finding the eDellRoot certificate on various Dell laptop models. However, the certificate is actually installed by the Dell Foundation Services (DFS) application which, according to its release notes, is available on laptops, desktops, all-in-ones, two-in-ones, and towers from various Dell product lines, including XPS, OptiPlex, Inspiron, Vostro and Precision Tower.

Dell said Monday that it began loading the current version of this tool on "consumer and commercial devices" in August. This may refer both to devices sold since August as well as those sold prior and which received an updated version of the DFS tool. The certificate has been found on at least one older machine: a Dell Venue Pro 11 tablet dating from April.

More than one certificate

Researchers from security firm Duo Security found a second eDellRoot certificate with a different fingerprint on 24 systems scattered around the world. Most surprisingly, one of those systems appears to be part of a SCADA (Supervisory Control and Data Acquisition) set-up, like those used to control industrial processes.

Other users also reported the presence of another certificate called DSDTestProvider on some Dell computers. Some people have speculated that this is related to the Dell System Detect utility, although this is not yet confirmed.

There's a removal tool available

Dell released a removal tool and also published manual removal instructions for the eDellRoot certificate. However, the instructions might prove too difficult for a user with no technical knowledge to follow. The company also plans to push a software update today that will search for the certificate and remove it from systems automatically.

Corporate users are high-value targets

Roaming corporate users, especially traveling executives, could be the most attractive targets for man-in-the-middle attackers exploiting this flaw, because they likely have valuable information on their computers.

"If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," said Robert Graham, the CEO of security firm Errata Security, in a blog post.

As a matter of course, companies should deploy their own, clean and pre-configured Windows images on the laptops they buy. They should also make sure that their roaming employees are always connecting back to corporate offices over secure virtual private networks (VPNs).

It's not just Dell computer owners who should care

The implications of this security hole reach beyond just owners of Dell systems. In addition to stealing information, including log-in credentials, from encrypted traffic, man-in-the-middle attackers can also modify that traffic on the fly. This means someone receiving an email from an affected Dell computer or a website receiving a request on behalf of a Dell user can't be sure of its authenticity.

Lucian Constantin