What you need to know about Dell's root certificate security debacle

The full scope of the incident is still unclear, but there's a removal tool available

In an attempt to streamline remote support, Dell installed a self-signed root certificate and corresponding private key on its customers' computers, apparently without realizing that this exposes users' encrypted communications to potential spying.

Even more surprising is that the company did this while being fully aware of a very similar security blunder by one of its competitors, Lenovo, that came to light in February.

In Lenovo's case it was an advertising program called Superfish that came preinstalled on some of the company's consumer laptops and which installed a self-signed root certificate. In Dell's case it was one of the company's own support tools, which is arguably even worse because Dell bears full responsibility for the decision.

Ironically, Dell actually took advantage of Lenovo's mishap to highlight its own commitment to privacy and to advertise its products. The product pages for Dell's Inspiron 20 and XPS 27 All-in-One desktops, Inspiron 14 5000 Series, Inspiron 15 7000 Series, Inspiron 17 7000 Series laptops and probably other products, read: "Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."

Why should you care

The eDellRoot self-signed certificate is installed in the Windows certificate store under the "Trusted Root Certification Authorities." This means that any SSL/TLS or code-signing certificate that is signed with the eDellRoot certificate's private key will be trusted by browsers, desktop email clients and other applications that run on affected Dell systems.

For example, attackers can use the eDellRoot private key, which is now publicly available online, to generate certificates for any HTTPS-enabled websites. They can then use public wireless networks or hacked routers to decrypt traffic from affected Dell systems to those websites.

In these so-called Man-in-the-Middle (MitM) attacks, the attackers intercept users' HTTPS requests to a secure website -- bankofamerica.com for example. They then start acting as a proxy by establishing a legitimate connection to the real website from their own machine and passing the traffic back to the victims after re-encrypting it with a rogue bankofamerica.com certificate generated with the eDellRoot key.

The users will see a valid HTTPS-encrypted connection to Bank of America in their browsers, but the attackers will actually be able to read and modify their traffic.

Attackers could also use the eDellRoot private key to generate certificates that could be used to sign malware files. Those files would generate less scary User Account Control prompts on affected Dell systems when executed, because they would appear to the OS as if they were signed by a trusted software publisher. Malicious system drivers signed with such a rogue certificate would also bypass the driver signature verification in 64-bit versions of Windows.

It's not just laptops

Initial reports were about finding the eDellRoot certificate on various Dell laptop models. However, the certificate is actually installed by the Dell Foundation Services (DFS) application which, according to its release notes, is available on laptops, desktops, all-in-ones, two-in-ones, and towers from various Dell product lines, including XPS, OptiPlex, Inspiron, Vostro and Precision Tower.

Dell said Monday that it began loading the current version of this tool on "consumer and commercial devices" in August. However, it's unclear if this refers to devices sold since August or if existing devices that already had DFS installed got updated with the problematic version.

More than one certificate

Researchers from security firm Duo Security found a second eDellRoot certificate with a different fingerprint on 24 systems scattered around the world. Most surprisingly, one of those systems appears to be part of a SCADA (Supervisory Control and Data Acquisition) set-up, like those used to control industrial processes.

Other users also reported the presence of another certificate called DSDTestProvider on some Dell computers. Some people have speculated that this is related to the Dell System Detect utility, although this is not yet confirmed.

There's a removal tool available

Dell released a removal tool and also published manual removal instructions for the eDellRoot certificate. However, the instructions might prove too difficult for a user with no technical knowledge to follow. The company also plans to push a software update today that will search for the certificate and remove it from systems automatically.
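The sections above describe two consequences of a trusted root whose private key has leaked: forged HTTPS certificates and forged code signatures. The following PowerShell audit is an added example, not Dell's removal tool or Dell's instructions. It enumerates the Trusted Root Certification Authorities stores for the certificate names reported in this incident (eDellRoot and DSDTestProvider) and, more generally, flags any root certificate for which a private key is present on the machine, since a legitimate root CA certificate is never distributed together with its private key. A second function checks which root an Authenticode-signed file chains to, so a file that validates only because of a suspect root can be spotted. The suspect-name list and the function names are this example's own choices.

```powershell
# Added example: audit Windows root stores for the eDellRoot-style defect.
# Run from an elevated PowerShell session so the LocalMachine store is readable.

# Subject common names reported on affected systems (from public reporting on
# this incident); extend the list if your environment tracks other suspect roots.
$SuspectSubjects = @('eDellRoot', 'DSDTestProvider')

function Get-SuspectRootCertificate {
    # Returns one record per root certificate that either carries a suspect
    # name or has its private key present in the store.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $nameHit = $SuspectSubjects | Where-Object { $cert.Subject -match "CN=$_(,|$)" }
            if ($nameHit -or $cert.HasPrivateKey) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    Reason        = if ($nameHit) { 'suspect subject name' } else { 'root CA with private key present' }
                }
            }
        }
    }
}

function Get-SignerRoot {
    # Builds the certificate chain for an Authenticode-signed file and reports
    # the root it terminates in, so a signature that is "Valid" only because of
    # a rogue root in the store can be recognised.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; RootSubject = $null; Suspect = $false }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $suspect = [bool]($SuspectSubjects | Where-Object { $root.Subject -match "CN=$_(,|$)" })
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        RootSubject = $root.Subject
        Suspect     = $suspect
    }
}

# Report. This script only reports; removal should follow the vendor's tool or
# instructions so that the service that installed the certificate is handled too.
$findings = @(Get-SuspectRootCertificate)
if ($findings.Count -eq 0) {
    Write-Output 'No suspect root certificates found.'
} else {
    $findings | Format-Table -AutoSize
}

# Example usage for a downloaded installer (path is a placeholder):
# Get-SignerRoot -Path 'C:\Users\Public\Downloads\installer.exe'
```

The `HasPrivateKey` test is the more durable check: it does not depend on knowing the certificate's name or fingerprint, and it would have flagged the second eDellRoot certificate with a different fingerprint that Duo Security reported. A root certificate with a private key present is a finding on any Windows machine, not only a Dell one, unless the machine is itself an enterprise certificate authority.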

Corporate users are high-value targets

Roaming corporate users, especially traveling executives, could be the most attractive targets for man-in-the-middle attackers exploiting this flaw, because they likely have valuable information on their computers.

"If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," said Robert Graham, the CEO of security firm Errata Security, in a blog post.

As a matter of course, companies should deploy their own, clean and pre-configured Windows images on the laptops they buy. They should also make sure that their roaming employees are always connecting back to corporate offices over secure virtual private networks (VPNs).

It's not just Dell computer owners who should care

The implications of this security hole reach beyond just owners of Dell systems. In addition to stealing information, including log-in credentials, from encrypted traffic, man-in-the-middle attackers can also modify that traffic on the fly. This means someone receiving an email from an affected Dell computer or a website receiving a request on behalf of a Dell user can't be sure of its authenticity.

Stories by Lucian Constantin