
SoylentNews is people

posted by martyb on Tuesday November 24 2015, @03:21AM
from the who-pwns-my-computer? dept.

Various Dell laptops and desktops are shipping with a pre-installed root certificate:

The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.

If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The root CA cert appears to have been created in early April this year, and expires in the year 2039.

How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell's security blunder. The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.

The problem was spotted by Joe Nord (Reddit). Reaching this page without a privacy error means your machine is affected, and this page includes a test for the certificate. Mozilla Firefox ignores (does not trust) the Dell certificate, and thus should be safe to use. To remove:

According to an analysis [PDF] by Duo Security, a bundled plugin reinstalls the root CA file if it is removed. First, you must delete Dell.Foundation.Agent.Plugins.eDell.dll from your system (search for it) and then remove the eDellRoot root CA certificate.
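The check-then-remove procedure above, as an added PowerShell example (not code from the article, Duo Security or Dell): it lists any eDellRoot certificate in the machine and user root stores, reports whether its private key is present on the box, searches the Program Files trees for the plugin DLL that reinstalls it, and removes both only when run with -Remove. The subject match `*eDellRoot*` and the DLL search locations are assumptions; run it from an elevated prompt so the LocalMachine store is writable.

```powershell
# Added example, not Dell's or Duo Security's code. Assumes the certificate's
# subject contains "eDellRoot" and that the plugin DLL lives somewhere under
# Program Files; adjust both if your inventory says otherwise.
param([switch]$Remove)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root should never carry its private key on an endpoint;
                # that is exactly what makes this one usable for MITM and code signing.
                HasPrivateKey = $_.HasPrivateKey
                PSPath        = $_.PSPath
            }
        }
}

if (-not $found) {
    Write-Output 'No eDellRoot certificate found in the root stores.'
    return
}
$found | Format-Table Store, Thumbprint, NotAfter, HasPrivateKey -AutoSize

# The plugin that puts the certificate back after reboot. Its install path is
# not documented here, so search the usual program roots instead of assuming one.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$dll = Get-ChildItem -Path $roots -Recurse -Filter 'Dell.Foundation.Agent.Plugins.eDell.dll' `
        -ErrorAction SilentlyContinue
if ($dll) { Write-Output "Reinstalling plugin present: $($dll.FullName -join ', ')" }

if ($Remove) {
    # Order matters: drop the plugin first, otherwise the certificate reappears
    # on the next boot. -DeleteKey also removes the bundled private key material.
    $dll   | Remove-Item -Force
    $found | ForEach-Object { Remove-Item -Path $_.PSPath -DeleteKey }
}
```

If the DLL is locked because the Dell support service has it loaded, stop that service before the removal step and re-run the script afterwards to confirm both the file and the certificate are gone.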

Dell has admitted the mistake and will provide its own guide to fixing it soon (the above information):

The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.

How about a little comedy courtesy of Reuters?

Dell said it would provide customers with instructions to permanently remove the certificate by email and on its support website, a process that will likely be highly technical.


  • (Score: 2) by K_benzoate (5036) on Tuesday November 24 2015, @04:25AM (#267301)

    An abacus would be even safer, and since neither can use the Internet they're both about equally useful these days.

    --
    Climate change is real and primarily caused by human activity.
  • (Score: 2) by TheRaven (270) on Tuesday November 24 2015, @11:34AM (#267390) Journal

    Contiki on the C64 includes a web browser. It doesn't do JavaScript and it can only really handle pages that are a few KB or smaller, but it does work. Of course, it doesn't do SSL, so it's less safe than a Dell (which, at least, requires an active adversary to compromise).
    --
    sudo mod me up