Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk)

Posted by samzenpus on from the was-that-wrong? dept.

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

3 of 92 comments (clear)

  1. Let me Guess by Anonymous Coward · · Score: 5, Insightful

    He is running a pre-installed Windows?

    First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

  2. Its only SuperFish-like by Luthair · · Score: 1, Insightful

    if the private key is also available on the machine. Otherwise its another sort of questionable.

  3. thinkpenguin, librem and eoma68 laptops by lkcl · · Score: 4, Insightful

    ... y'know... it has to be said, this is precisely why thinkpenguin (and other FSF-Endorsed hardware) do wipe-it-down-to-the-bedrock products, even to the extent of replacing the standard BIOS with coreboot, and why the purism librem laptop exists (and was successfully funded last year). but even there, the problem is that for the past 15 years all intel processors have to have an RSA-signed bootloader that goes into EEPROM on-board the processor, where there's absolutely no chance of obtaining the source code for that proprietary firmware blob. you have absolutely no idea what goes into that bootloader, but it's already been demonstrated that your laptop - and your desktop - can be woken up by external network signals - without your consent or knowledge - *even when you powered them down*.

    the only possible solution here is... to not use intel (or AMD) processors. and that opens up a whole can of worms, which is why i've been sponsored to make an upgradeable laptop. if any one CPU is ever found to have problems, the whole CPU Card can be popped out and replaced... *without* having to throw away the entire laptop.

    designing a laptop from the ground up so that its main CPU module can be replaced... only two years ago that could have been said to be "total paranoia". now we have the kinds of stunts being pulled by Dell, Lenovo and the NSA which were only previously believed to *potentially* be carried out...