This week it emerged that Dell started rolling out an updated version of it’s Dell Foundation Services software (or crapware as I call it) that comes with a root certificate that gets installed into Windows. The certificate shows up in the Windows Certificate Manager as eDellRoot.
Initially it was thought it only affected laptops sold since August, then it emerged that it was on Desktops too, and the last shoe to drop was that the cert was also being pushed to people with older Dell computers via updates to the Dell software.
This root cert is installed with its ‘PRIVATE’ key, and all computers have certs with the same private key, and the password ‘protecting’ that private key is dell.
A second, similar cert was found later in the week also from Dell called DSDTestProvider.
The second cert is not pre-installed on Dells, but comes along for the ride when ever a user installs the Dell System Detect support tool, which Dell support often ask users to do. Dell say: “The impact from Dell System Detect is limited to customers who used the ‘detect product’ functionality on our support site between October 20 and November 24, 2015”
Reports also emerged that Dell Foundation Services can be tricked into revealing a Dell’s unique service tag to any website.
What The Bad Root Certs Mean:
It is trivial for attackers to get a copy of the private key (it can be extracted from any affected Dell, and it is now all over the internet) and issue fraudulent TLS certs for any website on the planet. All Dell computers with the eDellRoot cert installed will see these fraudulent certs as valid – effectively removing all the protection HTTPS should provide, and rendering every secure website on the planet insecure.
Dell did not even apply limitations to this cert, so, it can be used for everything a cert can be used for, not just HTTPS – e.g. it can be used for creating fake S/MIME email certs, fake VPN certs, and even fake code signing certs. Basically, everything that relies on the PKI (public key infrastructure) is insecure on an infested Dell.
Bottom Line – if your computer has the eDellRoot cert installed, every single website on the planet is insecure, every single VPN is insecure, every single signed and/or encrypted email is insecure, basically, everything that relies on the PKI (Public Key Infrastructure) is insecure for you.
Comparisons to Lenovo’s SuperFish Debacle:
Lenovo’s motivations were different – they installed an utterly insecure root certificate to advertise at you, while Dell say they did it to make customer support easier.
However, why they did what they did is irrelevant – both made the same blunder, and both torpedoed their users security in the same way. The only small difference is that Dell’s cert is even more powerful than SuperFish’s one, so Dell managed to make the same mistake just that little bit worse.
What the Service Tag Disclosure Bug Means:
The service tag is unique to each computer, so having it available to websites makes it the absolute ultimate cookie – a unique ID for your computer that you cannot change that follows you everywhere you go on the net.
Privacy is impossible if websites can access your service tag.
You have a Dell – now what?
There are many free testers to check if you have the dodgy certs (the tests have to be done from IE or Chrome, not from FireFox) – e.g. edell.tlsfun.de
My advice is to un-install all the Dell crapware on your computer – personally, I do a full nuke-and-pave of all PCs because all manufacturers put crap on Windows PCs, and I don’t trust any of them. Once the Dell rubbish is removed, then remove the certs. (if you remove the certs first they may be put back by the apps before they get killed.)
Well, this only affects computers users accept the Dell pre-installed operating system.
But seriously, I would never trust a preinstalled operating system (especially Windows). I have seen what gets done on those OEM systems (I have over 500 million Windows OEM deploys under my belt).
There is super amounts of garbage on those OEM pre-installs. Be smart, and just say NO!
ARM Tablets and Phones perhaps excluded, we get get a machine, burn the recovery media (for when we will sell the machine), wipe the disk, and install our own “paid for” versions of the OS.
It’s probably harder to that these days. FWIW, I consider Windows 8 and 10 to only be suitable to run in a contained VM (I no longer trust Microsoft for some very good reasons). Be smart, get Linux, and run your Windows 8 or 10 in a VM.
Windows 7 is still “ok-ish” if you disable a few of the “security” updates that have nothing to do with security.
Well, this only affects computers users accept the Dell pre-installed operating system.
But seriously, I would never trust a preinstalled operating system (especially Windows). I have seen what gets done on those OEM systems (I have over 500 million Windows OEM deploys under my belt).
There is super amounts of garbage on those OEM pre-installs. Be smart, and just say NO!
ARM Tablets and Phones perhaps excluded, we get get a machine, burn the recovery media (for when we will sell the machine), wipe the disk, and install our own “paid for” versions of the OS.
It’s probably harder to that these days. FWIW, I consider Windows 8 and 10 to only be suitable to run in a contained VM (I no longer trust Microsoft for some very good reasons). Be smart, get Linux, and run your Windows 8 or 10 in a VM.
Windows 7 is still “ok-ish” if you disable a few of the “security” updates that have nothing to do with security.
Joe