Breaking News
posted by martyb on Tuesday November 24 2015, @03:21AM
from the who-pwns-my-computer? dept.

Various Dell laptops and desktops are shipping with a pre-installed root certificate:

The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.

If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The root CA cert appears to have been created in early April this year, and expires in the year 2039.

How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell's security blunder. The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.

The problem was spotted by Joe Nord (Reddit). Reaching this page without a privacy error means your machine is affected, and this page includes a test for the certificate. Mozilla Firefox ignores (does not trust) the Dell certificate, and thus should be safe to use. To remove it:

According to an analysis [PDF] by Duo Security, a bundled plugin reinstalls the root CA file if it is removed. First, you must delete Dell.Foundation.Agent.Plugins.eDell.dll from your system (search for it) and then remove the eDellRoot root CA certificate.

Dell has admitted the mistake and will soon provide its own guide to fixing it (see the instructions above in the meantime):

The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.

How about a little comedy courtesy of Reuters?

Dell said it would provide customers with instructions to permanently remove the certificate by email and on its support website, a process that will likely be highly technical.

  • (Score: 1, Funny) by Anonymous Coward on Tuesday November 24 2015, @04:10AM

    by Anonymous Coward on Tuesday November 24 2015, @04:10AM (#267298)

    Seems more and more that a Commodore 64 would be safer to use.

    • (Score: 2) by K_benzoate on Tuesday November 24 2015, @04:25AM

      by K_benzoate (5036) on Tuesday November 24 2015, @04:25AM (#267301)

      An abacus would be even safer, and since neither can use the Internet they're both about equally useful these days.

      --
      Climate change is real and primarily caused by human activity.
      • (Score: 2) by TheRaven on Tuesday November 24 2015, @11:34AM

        by TheRaven (270) on Tuesday November 24 2015, @11:34AM (#267390) Journal
        Contiki on the C64 includes a web browser. It doesn't do JavaScript and it can only really handle pages that are a few KB or smaller, but it does work. Of course, it doesn't do SSL, so it's less safe than a Dell (which, at least, requires an active adversary to compromise).
        --
        sudo mod me up
    • (Score: 3, Funny) by q.kontinuum on Tuesday November 24 2015, @05:20AM

      by q.kontinuum (532) on Tuesday November 24 2015, @05:20AM (#267312) Journal

      Abacus, C64, all modern devil's work. It's not as much that we shouldn't have left the trees, it's more that we should have stayed in the ocean in the first place...

      --
      Registered IRC nick on chat.soylentnews.org: qkontinuum
  • (Score: 2) by q.kontinuum on Tuesday November 24 2015, @05:24AM

    by q.kontinuum (532) on Tuesday November 24 2015, @05:24AM (#267314) Journal

    According to an analysis [PDF] by Duo Security, a bundled plugin reinstalls the root CA file if it is removed. First, you must delete Dell.Foundation.Agent.Plugins.eDell.dll from your system (search for it) and then remove the eDellRoot root CA certificate.

    Why wouldn't they simply provide an update which removes the dodgy certificate? That wouldn't be so highly technical for the end user.

    --
    Written on my DELL laptop - Windows free, hopefully backdoor free.

    --
    Registered IRC nick on chat.soylentnews.org: qkontinuum
    • (Score: 5, Informative) by tibman on Tuesday November 24 2015, @05:37AM

      by tibman (134) Subscriber Badge on Tuesday November 24 2015, @05:37AM (#267319)
      --
      SN won't survive on lurkers alone. Write comments.
    • (Score: 1, Funny) by Anonymous Coward on Tuesday November 24 2015, @05:39AM

      by Anonymous Coward on Tuesday November 24 2015, @05:39AM (#267321)

      Why wouldn't they simply provide an update which removes the dodgy certificate?

      Because it would be useless for those running Linux.

      • (Score: 0) by Anonymous Coward on Tuesday November 24 2015, @08:12AM

        by Anonymous Coward on Tuesday November 24 2015, @08:12AM (#267352)

        Are you implying the said dll was in any way useful for those running Linux?

  • (Score: 2, Insightful) by Anonymous Coward on Tuesday November 24 2015, @06:31AM

    by Anonymous Coward on Tuesday November 24 2015, @06:31AM (#267332)

    "If your laptop is affected you should remove the certificate with the Windows Certificate Manager. Alternatively you can install Linux and delete Windows."
    BEST ADVICE EVER.

  • (Score: 4, Informative) by patella.whack on Tuesday November 24 2015, @10:36AM

    by patella.whack (3848) on Tuesday November 24 2015, @10:36AM (#267363)

    "[The certificate] was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model," says a Dell spokesperson. "This certificate is not being used to collect personal customer information." Dell has posted instructions to permanently remove the certificate from affected systems here [dell.com]

    and the company will also publish a software update today that will automatically check for the certificate and remove it. The company has not confirmed how many machines are affected, but the Inspiron 5000, XPS 15, and XPS 13 are known to ship with the certificate pre-installed.

  • (Score: 4, Informative) by Justin Case on Tuesday November 24 2015, @11:07AM

    by Justin Case (4239) on Tuesday November 24 2015, @11:07AM (#267376) Journal

    Dell said it would provide customers with instructions to permanently remove the certificate ... on its support website

    How will I know I've connected to the real Dell support website?

  • (Score: 2) by Justin Case on Tuesday November 24 2015, @11:13AM

    by Justin Case (4239) on Tuesday November 24 2015, @11:13AM (#267381) Journal

    America Worst Airlines today announced that they "accidentally forgot" to put pilots on 700 flights. "But it's OK" a spokesbabe insisted, "because we're sorry. And we've provided instructions for the passengers on how to safely land the plane."

    Like hell.

    If your primary business reason for existing is to provide X and you demonstrate yourself spectacularly incompetent at X, you should receive the Corporate Death Penalty. After a few of those, maybe the remaining corporate execs will wake up and pay attention.

    • (Score: 2) by isostatic on Tuesday November 24 2015, @05:27PM

      by isostatic (365) on Tuesday November 24 2015, @05:27PM (#267599) Journal

      Corporate death penalties affect Joe Bloggs struggling to pay his rent on a $60k a year salary.

      Instead, force-issue stock - something like 1000 times as much stock as currently exists - to the wronged parties. The company can still exist, still provide the services, people still have jobs, it's the owners of the company (the ones who have ultimate control) that lose out, and the victims that gain.

      Now this isn't exactly a Deepwater Horizon scale cockup; in those situations you might issue 1000 times the stock to basically transfer ownership from the guilty. In Dell's case you might issue 1/10th the stock, or even 1/100th. So for every 100 shares, you create 10 new shares (or 1), and spread them out between anyone who had this root CA installed.

  • (Score: 5, Informative) by TheRaven on Tuesday November 24 2015, @11:42AM

    by TheRaven (270) on Tuesday November 24 2015, @11:42AM (#267398) Journal
    Soylent is focusing on the wrong bit of this story. There are two parts. One is that they shipped their own root cert and marked it as trusted. This is a bit stupid, but by itself is not really a problem if they carefully control access to the private key. The important part of the story is that they shipped the private key along with the public one. That means that anyone who has a Dell machine with this rogue cert can sign arbitrary other certs that will be trusted (irrespective of what they're signing) by all machines with this cert. The attacker doesn't need to do anything clever - Dell has given everyone the signing key for a root CA cert that all of their machines trust.
    --
    sudo mod me up
    • (Score: 3, Informative) by FatPhil on Tuesday November 24 2015, @01:36PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday November 24 2015, @01:36PM (#267449) Homepage
      Indeed, some seem to have it completely backasswards:
      "check if you have an entry with the name "eDellRoot". If so, congratulations, you've been pwned by Dell, the very company you paid for your computer!"

      They've given you something of extreme value to them, which they are desperately regretting, and that magically makes *them* pwn *you*?!!!yks! They've given everyone the chance of pwning them, and nuking their reputation. Of course, that's bad for Dell's customers, but it's not Dell that can now pwn you, it's other customers, and those who get a copy of the key from Dell's customers, so basically everyone. However, that's exactly the opposite of it now being Dell who could pwn you. Dell could always pwn you by design, as Dell always had the root certificate, and could ship updates that you would feel obliged to install. Dell pwned you as soon as you handed over your money. All this has changed is to remove the walls around the Dell-ecosystem that you probably didn't even really choose to be in.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by Fnord666 on Tuesday November 24 2015, @03:59PM

        by Fnord666 (652) on Tuesday November 24 2015, @03:59PM (#267550) Homepage

        They've given you something of extreme value to them, which they are desperately regretting ...

        Exactly. I personally do not own one of these machines. If anyone does that has this certificate, please export it including the private key and post it to pastebin.

        • (Score: 3, Informative) by Fnord666 on Tuesday November 24 2015, @04:14PM

          by Fnord666 (652) on Tuesday November 24 2015, @04:14PM (#267560) Homepage

          If anyone does that has this certificate, please export it including the private key and post it to pastebin.

          Never mind. You can download everything here [mega.nz].

        • (Score: 2) by FatPhil on Tuesday November 24 2015, @11:30PM

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday November 24 2015, @11:30PM (#267749) Homepage
          I can't parse the thing (a "p7b" file, whatever that is) I downloaded, but apparently this is it bytewise:

          phil@geespaz:tmp$ od -tx1 eDellRoot.p7b
          0000000 30 82 03 22 06 09 2a 86 48 86 f7 0d 01 07 02 a0
          0000020 82 03 13 30 82 03 0f 02 01 01 31 00 30 0b 06 09
          0000040 2a 86 48 86 f7 0d 01 07 01 a0 82 02 f7 30 82 02
          0000060 f3 30 82 01 df a0 03 02 01 02 02 10 6b c5 7b 95
          0000100 18 93 aa 97 4b 62 4a c0 88 fc 3b b6 30 09 06 05
          0000120 2b 0e 03 02 1d 05 00 30 14 31 12 30 10 06 03 55
          0000140 04 03 13 09 65 44 65 6c 6c 52 6f 6f 74 30 1e 17
          0000160 0d 31 35 30 34 30 37 31 30 32 33 32 37 5a 17 0d
          0000200 33 39 31 32 33 31 32 33 35 39 35 39 5a 30 14 31
          0000220 12 30 10 06 03 55 04 03 13 09 65 44 65 6c 6c 52
          0000240 6f 6f 74 30 82 01 22 30 0d 06 09 2a 86 48 86 f7
          0000260 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02
          0000300 82 01 01 00 bd d1 26 0d 6e cd 5b 84 5f 41 f0 e1
          0000320 75 86 ce ce a8 23 d5 be a3 b1 d9 75 57 41 30 c5
          0000340 5b e0 6c db e2 e6 63 09 33 63 6c fc 78 6f c2 cd
          0000360 14 bd 6e 02 b5 2d fb 95 55 31 00 ec 39 36 37 2e
          0000400 0f d7 7b f5 0d ba 46 36 6f ed 25 95 43 b3 cc 16
          0000420 18 a5 bb 05 71 ca 38 9f a4 ac 4e f0 e1 36 2e 6d
          0000440 fa 43 e8 ed cd b7 66 b6 01 3e 63 ae f3 67 84 27
          0000460 a7 1a be cf ed df db be c0 53 a4 5d 7c 2f 44 28
          0000500 87 03 f9 56 c8 d5 8d 10 f8 75 ef e6 c2 10 fd ea
          0000520 e4 df 89 ad 5f ba 1e 8d f3 40 f1 2f e5 05 09 61
          0000540 d9 97 b0 c9 83 d8 23 10 a2 37 90 52 3e bc 27 dd
          0000560 4f e7 0e 41 2a 3b ab 1b 4c 63 8a fc e1 4a 88 9e
          0000600 f7 29 bb 55 1c 0b 16 35 92 71 1b b0 ff d5 d5 e8
          0000620 22 ea 4f 22 f9 c6 ba a2 88 3a 75 b9 33 ae a8 d8
          0000640 f7 bb 1c ad b3 da 1c 6e ca 09 5e ec 63 e6 21 18
          0000660 91 23 35 9e f2 ee a4 4b fe 96 0c bd 5a ac c8 10
          0000700 53 26 d6 5f 02 03 01 00 01 a3 49 30 47 30 45 06
          0000720 03 55 1d 01 04 3e 30 3c 80 10 60 0f df 13 33 f0
          0000740 99 a4 5c 66 e4 9a 6b f5 59 d4 a1 16 30 14 31 12
          0000760 30 10 06 03 55 04 03 13 09 65 44 65 6c 6c 52 6f
          0001000 6f 74 82 10 6b c5 7b 95 18 93 aa 97 4b 62 4a c0
          0001020 88 fc 3b b6 30 09 06 05 2b 0e 03 02 1d 05 00 03
          0001040 82 01 01 00 2b 7d d7 12 72 c7 b3 8f ca 28 27 dd
          0001060 94 c3 09 cf 82 0d fa 9e 83 a0 89 4b 39 5f 33 cb
          0001100 3f 88 74 26 95 18 41 52 81 f6 16 35 59 30 f0 45
          0001120 47 d3 28 68 7b a0 d3 a8 c1 dd 36 ed af eb 55 26
          0001140 ff 4c d7 a8 88 92 2f 30 a9 f8 81 bb d5 09 60 22
          0001160 1e 13 bc bb 6b b4 46 41 c2 0d 5b 1a ed ed 22 e2
          0001200 77 29 b9 e5 ac 8a 18 e7 ea 30 6b 63 c4 fe ed e0
          0001220 d8 c2 21 53 fc 5d 37 03 c3 49 ee 62 b9 95 90 3c
          0001240 48 57 79 09 30 f2 dc 40 54 53 95 30 cd 75 1c e4
          0001260 7a 08 45 4c 57 48 fc 9c bb 76 88 05 66 b0 83 7b
          0001300 02 74 a8 80 a2 29 12 70 f0 16 8f 46 cc d2 f9 ac
          0001320 3f ff 10 4a 54 ce 06 a3 be 40 54 3a 47 cd 81 b5
          0001340 3b c1 35 4d ea 6d 52 02 57 84 0e 6e cc 62 6f ef
          0001360 85 00 52 f9 e8 d0 29 3e ab 24 83 b5 73 2d f3 48
          0001400 02 32 9a 6c 75 1c 8d bb 99 92 68 3a 8e be 01 7d
          0001420 85 bb fa 84 03 1c 2b 18 80 00 e3 8c a1 9d 2b 3f
          0001440 fc 53 f7 cf 31 00
          0001446

          phil@geespaz:tmp$ ls -al !$
          ls -al eDellRoot.p7b
          -rw-r--r-- 1 phil phil 806 Nov 24 15:18 eDellRoot.p7b
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
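As an added example (not code from the thread, from Dell or from Duo Security), the following Python walks the DER structure of the file FatPhil dumped above. The bytes are transcribed from his od output with the offset column dropped; nothing beyond that transcription is assumed. The walker confirms the container is PKCS#7 signedData wrapping a single certificate with an empty signerInfos set (so the .p7b holds only the public certificate and no key material), and pulls out the serial number, signature algorithm, issuer and subject, validity window, RSA key size and the extensions present. The SHA-1 over the certificate DER is the thumbprint the Windows certificate manager displays, which is the value to compare when checking a machine's Trusted Root store for eDellRoot.

```python
import hashlib
from datetime import datetime

# eDellRoot.p7b, transcribed from the od -tx1 dump posted above: offset column dropped,
# each 32-character token is one 16-byte od line, 806 bytes in total.
P7B_HEX = """
3082032206092a864886f70d010702a0 8203133082030f0201013100300b0609 2a864886f70d010701a08202f7308202
f3308201dfa00302010202106bc57b95 1893aa974b624ac088fc3bb630090605 2b0e03021d0500301431123010060355
040313096544656c6c526f6f74301e17 0d3135303430373130323332375a170d 3339313233313233353935395a301431
123010060355040313096544656c6c52 6f6f7430820122300d06092a864886f7 0d01010105000382010f003082010a02
82010100bdd1260d6ecd5b845f41f0e1 7586cecea823d5bea3b1d975574130c5 5be06cdbe2e6630933636cfc786fc2cd
14bd6e02b52dfb95553100ec3936372e 0fd77bf50dba46366fed259543b3cc16 18a5bb0571ca389fa4ac4ef0e1362e6d
fa43e8edcdb766b6013e63aef3678427 a71abecfeddfdbbec053a45d7c2f4428 8703f956c8d58d10f875efe6c210fdea
e4df89ad5fba1e8df340f12fe5050961 d997b0c983d82310a23790523ebc27dd 4fe70e412a3bab1b4c638afce14a889e
f729bb551c0b163592711bb0ffd5d5e8 22ea4f22f9c6baa2883a75b933aea8d8 f7bb1cadb3da1c6eca095eec63e62118
9123359ef2eea44bfe960cbd5aacc810 5326d65f0203010001a3493047304506 03551d01043e303c8010600fdf1333f0
99a45c66e49a6bf559d4a11630143112 3010060355040313096544656c6c526f 6f7482106bc57b951893aa974b624ac0
88fc3bb6300906052b0e03021d050003 820101002b7dd71272c7b38fca2827dd 94c309cf820dfa9e83a0894b395f33cb
3f8874269518415281f616355930f045 47d328687ba0d3a8c1dd36edafeb5526 ff4cd7a888922f30a9f881bbd5096022
1e13bcbb6bb44641c20d5b1aeded22e2 7729b9e5ac8a18e7ea306b63c4feede0 d8c22153fc5d3703c349ee62b995903c
4857790930f2dc4054539530cd751ce4 7a08454c5748fc9cbb76880566b0837b 0274a880a2291270f0168f46ccd2f9ac
3fff104a54ce06a3be40543a47cd81b5 3bc1354dea6d520257840e6ecc626fef 850052f9e8d0293eab2483b5732df348
02329a6c751c8dbb9992683a8ebe017d 85bbfa84031c2b188000e38ca19d2b3f fc53f7cf3100
"""
P7B = bytes.fromhex("".join(P7B_HEX.split()))

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    """Yield the (tag, value) pairs packed inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw: bytes) -> str:
    """Dotted OID from its DER content octets (base-128, high bit set on all but the last)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def common_name(name: bytes):
    """CN (2.5.4.3) from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))
            if decode_oid(oid) == "2.5.4.3":
                return val.decode("ascii")
    return None

def parse_p7b(p7b: bytes) -> dict:
    """Walk PKCS#7 ContentInfo -> SignedData -> the single Certificate and summarise it."""
    _, content_info, end = read_tlv(p7b, 0)
    assert end == len(p7b), "trailing bytes after ContentInfo"
    (_, ctype), (_, wrapped) = list(children(content_info))
    assert decode_oid(ctype) == "1.2.840.113549.1.7.2", "not PKCS#7 signedData"
    (_, signed_data), = list(children(wrapped))                 # [0] EXPLICIT SignedData
    _version, _digests, _encap, certs, signer_infos = list(children(signed_data))
    (_, cert), = list(children(certs[1]))                       # exactly one Certificate
    tbs, sig_alg, _sig_val = list(children(cert))
    t = list(children(tbs[1]))
    # tbsCertificate: [0] version, serial, sigAlg, issuer, validity, subject, spki, [3] extensions
    not_before, not_after = (datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ")
                             for _, v in children(t[4][1]))
    _spki_alg, spki_bits = list(children(t[6][1]))
    (_, rsa_key), = list(children(spki_bits[1][1:]))           # skip the unused-bits octet
    (_, modulus), (_, exponent) = list(children(rsa_key))
    (_, ext_seq), = list(children(t[7][1]))
    issuer, subject = common_name(t[3][1]), common_name(t[5][1])
    return {
        "serial": t[1][1].hex(),
        "signature_algorithm": decode_oid(next(children(sig_alg[1]))[1]),
        "issuer_cn": issuer,
        "subject_cn": subject,
        "self_signed": issuer == subject,
        "not_before": not_before,
        "not_after": not_after,
        "rsa_modulus_bits": int.from_bytes(modulus, "big").bit_length(),
        "rsa_exponent": int.from_bytes(exponent, "big"),
        "extensions": [decode_oid(next(children(e))[1]) for _, e in children(ext_seq)],
        "signer_infos_present": signer_infos[1] != b"",         # empty: bare cert container
        # certs[1] is the Certificate TLV itself; SHA-1 over it is certmgr's "Thumbprint".
        "sha1_thumbprint": hashlib.sha1(certs[1]).hexdigest(),
    }

if __name__ == "__main__":
    for key, value in parse_p7b(P7B).items():
        print(f"{key:22} {value}")
```

Run as-is and the validity window comes out as 2015-04-07 10:23:27 to 2039-12-31 23:59:59, matching the article's "early April" and "2039"; issuer and subject are both CN=eDellRoot (self-signed), the key is 2048-bit RSA with a SHA-1 signature (1.3.14.3.2.29), and the only extension is 2.5.29.1, the deprecated form of authorityKeyIdentifier. The thumbprint the script prints is what to look for in the Trusted Root Certification Authorities store; the bytes here carry no private key, so a parse of this file says nothing about whether the key is present on a given machine.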
  • (Score: 1, Informative) by Anonymous Coward on Tuesday November 24 2015, @01:48PM

    by Anonymous Coward on Tuesday November 24 2015, @01:48PM (#267461)

    Shit like this seems to get more and more popular! There are all kinds of bloat and downright malware installed on new computers. Fortunately the solution is simple.

    Low level format.

    Afterwards, don't install any user abusing software yourself but a free GNU/Linux distro instead.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday November 25 2015, @01:54AM

      by Anonymous Coward on Wednesday November 25 2015, @01:54AM (#267818)
      Is it possible to get a Windows refund [wikipedia.org] if you do this? If you can, you should, otherwise you're still paying Microsoft and making them richer.