Slashdot Mirror


Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk)

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

7 of 92 comments

  1. Test your system. by khasim · Score: 5, Informative

    https://edell.tlsfun.de/

    I don't think it is "accused" any more. It's pretty much proven.

  2. Re:Let me Guess by Lead+Butthead · Score: 5, Informative

    He is running a pre-installed Windows?

    First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

    Except if you bought a Lenovo, it'll helpfully replace OS components through Lenovo Service Engine entirely on its own. So a clean install won't save you. Nice eh?

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  3. Re:Its only SuperFish-like by Chmarr · Score: 4, Informative

    Reading the FA: yes, the private key is on the machine.

  4. Re:Its only SuperFish-like by thoromyr · Score: 5, Informative

    Not only is the private key supplied with the certificate, unlike with SuperFish the certificate can also be used to sign executables. Which means that the bad guys can now sign their malware with eDellRoot and gain unwarranted trust. It figures that slashdot doesn't provide a good link. Try http://arstechnica.com/securit...

  5. Re: Let me Guess by LinuxIsGarbage · Score: 4, Informative

    The FA doesn't mention anything about Ubuntu. Do you have a link?

    Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?

    I can't speak to Ubuntu, but on Windows for Lenovo, Lenovo can install bloatware even on a clean install using Microsoft's Windows Platform Binary Table. Primarily intended for drivers, or security software like LoJack.

  6. Not just laptops by INTPTT · Score: 4, Informative

    It's not just laptops. We confirmed it was on a Dell Precision 5810 desktop workstation, purchased early May 2015.

  7. Re:Self-signing root certificates on laptops .. by Anonymous Coward · Score: 2, Informative

    The problem isn't that it's self-signed - it's that they gave it the maximum possible authority and shipped it *with the private key included*, rather than just the public key.

    So, now *anyone* on the internet can sign their malicious web traffic, application, or driver with Dell's key and it will be trusted by all affected Dell computers. This would allow, for example, impersonating financial or e-commerce websites to steal people's credit card numbers or other personal data.

    When Lenovo did the same thing a while back, they were using it to spy on and inject ads into people's web traffic - even supposedly private encrypted sessions.
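The checks the commenters describe (is the certificate in the trusted root store, is it self-signed, does the store hold its private key, and is it usable for code signing as well as TLS) can be made locally without visiting the test site linked in comment 1. The following PowerShell is an added example written for this page; it is not code from the article or from any commenter. The only page-derived identifier it uses is the subject name "eDellRoot"; no thumbprint is assumed, and the cmdlets and certificate properties used are standard PowerShell certificate-provider features.

```powershell
# Added example (not from the article or any comment): enumerate the
# Trusted Root stores and report any certificate whose subject contains
# the name given on the page ('eDellRoot'). Run from an elevated prompt
# on the machine being checked; no network access is required.

$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $rootStores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                # A root CA is self-signed by definition; this confirms it.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # True when the key store holds the private key next to the
                # certificate, which is the condition comments 3, 4 and 7 describe.
                HasPrivateKey = $_.HasPrivateKey
                # Enhanced Key Usage as exposed by the certificate provider.
                # An empty list means the certificate is valid for ALL purposes,
                # i.e. server authentication and code signing alike.
                EKU           = (($_.EnhancedKeyUsageList |
                                  ForEach-Object { $_.FriendlyName }) -join ', ')
            }
        } |
        Format-List
}
```

A root certificate whose entry reports `HasPrivateKey : True` and an empty EKU is exactly the exposure the comments above describe: any party holding that key can issue certificates the machine will accept for any site or executable. Removing the entry from the store (`Remove-Item -Path "Cert:\LocalMachine\Root\<THUMBPRINT-FROM-OUTPUT>"`) removes the trust; the thumbprint placeholder stands in for whatever the listing above prints, since the page itself does not give one.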