Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk)

← Back to Stories (view on slashdot.org)

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk)

Posted by samzenpus on Monday November 23, 2015 @08:58AM from the was-that-wrong? dept.

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

60 of 92 comments (clear)

Min score:

Reason:

Sort:

Let me Guess by Anonymous Coward · 2015-11-23 09:07 · Score: 5, Insightful

He is running a pre-installed Windows?
First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.
1. Re: Let me Guess by Anonymous Coward · 2015-11-23 09:12 · Score: 2, Interesting
  
  Apparently it reinstalls itself on updates and also is installed onto Ubuntu.
  This is lawsuit worthy IMO. Either maliciousness or gross negligence. One doesn't just accidentally do this.
2. Re:Let me Guess by Lead+Butthead · 2015-11-23 09:14 · Score: 5, Informative
  
  He is running a pre-installed Windows?
  First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.
  Except if you bought a Lenovo, it'll helpfully replaces OS components through Lenovo Service Engine entirely on its own. So a clean install won't save you. Nice eh?
  
  --
  ELOI, ELOI, LAMA SABACHTHANI!?
3. Re: Let me Guess by ilsaloving · 2015-11-23 09:16 · Score: 2
  
  The FA doesn't mention anything about Ubuntu. Do you have a link?
  Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?
4. Re:Let me Guess by Dr_Barnowl · 2015-11-23 10:11 · Score: 1
  
  Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.
5. Re: Let me Guess by LinuxIsGarbage · 2015-11-23 10:28 · Score: 4, Informative
  
  The FA doesn't mention anything about Ubuntu. Do you have a link?
  Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?
  I can't speak to Ubuntu, but on Windows for Lenovo, Lenovo can install bloatware even on a clean install using Microsoft's Windows Platform Binary Table. Primarily intended for Drivers, or security software like LoJack.
6. Re: Let me Guess by Zero__Kelvin · 2015-11-23 11:49 · Score: 1
  
  YHBT
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
7. Re: Let me Guess by afidel · 2015-11-23 16:12 · Score: 2
  
  Or copy it into the untrusted store.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
8. Re: Let me Guess by afidel · 2015-11-23 16:14 · Score: 1
  
  Or copy it to the untrusted store.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
9. Re:Let me Guess by Anonymous Coward · 2015-11-23 17:52 · Score: 1
  
  Enabled by Windows, of course, which provides a mechanism of doing this for OEMs to (ab)use.
  Ahem. The bios recognizing the file system and replacing files before booting the OS would work against any OS. Yes, Windows will accept a vendor-signed file in it's place, but Windows was really the only OS to feature secure boot anyway.
  At best you could claim that Windows - unlike other OSes - had the opportunity to protect against this, but Microsoft chose not to. Yes, Microsoft has described the technique (not a mechanism - there is nothing in Windows to support this) - to allow vendors a way to ensure vital customized components to be configured without shipping those customizations on every Windows. The abuse of the technique is entirely on Lenovo.
10. Re:Let me Guess by Anonymous Coward · 2015-11-23 19:06 · Score: 1
  
  You can just download your ISO of choice from MS's digital distributor or use the media creation tool.
11. Re: Let me Guess by LinuxIsGarbage · 2015-11-24 13:42 · Score: 1
  
  I probably shouldn't reply to an AC, but while I'm "remembering old news", in the case of Lenovo, on Windows, it's installing crapware out of the BIOS onto a clean install from a clean disc. The Great Grandfather of my post is talking about:
  
  He is running a pre-installed Windows?
  First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.
  With the " Microsoft's Windows Platform Binary Table", a clean Windows install becomes irrelevant, OEMs can still infect you by installing binaries without your permission on a clean install. Not just certificates.
12. Re: Let me Guess by nullchar · 2015-11-28 04:17 · Score: 1
  
  And then you need to purchase a retail license to go with it. The OEM key won't work (which sucks for virtual machines too).
Coming soon in Windows 11 by swb · 2015-11-23 09:07 · Score: 1, Interesting

...a root certificate store that is locked and can only have NSA-approved certificates installed.
1. Re:Coming soon in Windows 11 by Dr_Barnowl · 2015-11-23 09:16 · Score: 5, Interesting
  
  No chance.
  This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.
  We also had something that directed traffic while we were out of the corporate network through a third-party proxy that used the same trick (Websense).
2. Re:Coming soon in Windows 11 by swb · 2015-11-23 09:21 · Score: 2
  
  That's easy to solve. MS will sell you an Enterprise Root CA Server system which _can_ install into client root CA stores. It's only $10,000 plus $100 per CAL for every client system the root CA is installed on.
3. Re:Coming soon in Windows 11 by Luthair · 2015-11-23 09:40 · Score: 1
  
  They could remove the ability out of the non-enterprise editions. More obviously they could also add it to their licensing agreement with OEMs to prohibit changing them.
4. Re:Coming soon in Windows 11 by Joe_Dragon · 2015-11-23 09:42 · Score: 2
  
  and then the people who use Linux based systems will just do it the free way and it's antitrust to block that.
5. Re:Coming soon in Windows 11 by sexconker · 2015-11-23 09:48 · Score: 5, Interesting
  
  No chance.
  This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.
  Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk.
  What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.
  Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.
6. Re:Coming soon in Windows 11 by swb · 2015-11-23 09:57 · Score: 1
  
  Yeah, but thanks to Justice Department "internal security guidance", there will be no anti-trust suit against Windows' new "root ca secure store".
7. Re:Coming soon in Windows 11 by Joe_Dragon · 2015-11-23 10:03 · Score: 1
  
  What about the EU?
8. Re:Coming soon in Windows 11 by Dr_Barnowl · 2015-11-23 10:08 · Score: 1
  
  Oh, believe me, I was deeply uncomfortable about the whole thing. I think I even reported it to the IT department as a security problem (the certs they were using were self-signed and not even remotely plausible as belonging to our organization at face value - I thought it was a rootkit). I made a point of telling everyone I liked not to do anything even remotely compromising on their work machine.
  I've since left that workplace and control my own infrastructure.
  I think it was the routine analysis of all our VoIP calls in a voice-processing SIGINT program that really creeped me out though. I only twigged to that one because we used to get the IT dept changelogs for operational reasons) and they were talking about moving it's storage folder to a different SAN.
9. Re:Coming soon in Windows 11 by Dr_Barnowl · 2015-11-23 10:25 · Score: 1
  
  Indeed, I tunnelled all my web traffic through my router at home via SSH.
10. Re:Coming soon in Windows 11 by queazocotal · 2015-11-23 12:47 · Score: 1
  
  Exactly why should you (as an employee) have any rights to privacy on a computer you do not own, and agree to being monitored on?
11. Re:Coming soon in Windows 11 by Velox_SwiftFox · 2015-11-23 14:44 · Score: 1
  
  Note: the urinal cameras are for scientific research purposes only
12. Re:Coming soon in Windows 11 by FrozenGeek · 2015-11-23 15:04 · Score: 1
  
  You don't (usually) use the urinal for work purposes. You do use your employer's computer for work purposes. Personally, I use my employer's resources for absolutely nothing personal. I use my resources for absolutely nothing work-related. I keep a very strict separation between personal and work resources to minimize my employer's claim to anything I do outside of work. Certainly not an iron-clad guarantee, but it should help.
  
  --
  linquendum tondere
13. Re: Coming soon in Windows 11 by afidel · 2015-11-23 16:19 · Score: 1
  
  Use Google authenticator with openvpn at home, keyloggers won't help them.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
14. Re:Coming soon in Windows 11 by mlts · 2015-11-23 18:16 · Score: 2
  
  In companies, using a device like BlueCoat, or another, and dropping the root cert into AD for it to be auto-trusted isn't unheard of.
  However, I'm seeing this being done more and more with adware. In fact, when helping to clean some infections, when I was doing a quick forensic check before saving documents and wiping the box, almost all the machines with adware/scumware had a root cert added, and all traffic going through some local VPN or proxy. This is of course fixable, but if this is done, who knows what other stuff is installed, so it is best to just save critical stuff and start all over.
  There is one way around the WPBT install (which has been around for almost a decade, mainly used to reinstall LoJack for Laptops), and that is to install an OS which acts as a hypervisor (ideally a non-Windows OS which doesn't give a hoot about WPBT), then do the rest of your work in a VM. Of course, this makes gaming almost impossible, but it is a way to mitigate the damage that WPBT installed software is able to do.
  I personally don't mind software that an OEM wants to have installed with Windows, especially drivers for NICs and core items which are difficult to just fetch and download. However, the ideal would be to have an install/recovery image of Windows on a read-only flash partition, ideally with the ability to boot more than one Windows edition (so a machine that initially came with Windows 7, got upgraded to Windows 10 has the option to boot and install from either.) At the minimum, the user should be prompted and given the option to install each signed package, or just decline everything.
15. Re:Coming soon in Windows 11 by roadsonblarb · 2015-11-25 10:37 · Score: 1
  
  No chance.
  This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.
  Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk. What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.
  Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.
  Why would they use a certificate in a clean install? I've said this many times irl. I HATE DELL
Its only SuperFish-like by Luthair · 2015-11-23 09:08 · Score: 1, Insightful

if the private key is also available on the machine. Otherwise its another sort of questionable.
1. Re:Its only SuperFish-like by Chmarr · 2015-11-23 09:30 · Score: 4, Informative
  
  Reading the FA: yes, the private key is on the machine.
2. Re:Its only SuperFish-like by Luthair · 2015-11-23 09:38 · Score: 1
  
  I find it hard to tell from the article whether that is the case.
3. Re:Its only SuperFish-like by thoromyr · 2015-11-23 09:44 · Score: 5, Informative
  
  Not only is the private key supplied with the certificate, unlike with SuperFish the certificate can also be used to sign executables. Which means that the bad guys can now sign their malware with eDellRoot and gain unwarranted trust. It figures that slashdot doesn't provide a good link. Try http://arstechnica.com/securit...
4. Re: Its only SuperFish-like by mSparks43 · 2015-11-23 10:25 · Score: 1
  
  it's the case it has the private key and it is publicly available. my xps13 windows install bought Feb this year (which I rarely use) has it.
  actually got a dell engineer coming round this week for an issue which I highly suspect is the result of this being abused.
5. Re: Its only SuperFish-like by mSparks43 · 2015-11-23 10:35 · Score: 1
  
  it's the case. my xps13 windows install bought Feb this year (which I rarely use) has it.
  actually got an engineer coming round this week for an issue which I highly suspect is the result of this being abused.
6. Re:Its only SuperFish-like by theskipper · 2015-11-23 11:34 · Score: 3, Interesting
  
  Heh, as pointed out at the bottom of that article someone in Dell marketing needs to eat some serious humble pie:
  http://www.dell.com/us/p/xps-1...
  "Dell is serious about your privacy
  Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."
  Youch.
7. Re:Its only SuperFish-like by exomondo · 2015-11-23 17:11 · Score: 2
  
  At least they're honest, apparently you get faster set-up, you get reduced privacy and you get security concerns.
Test your system. by khasim · 2015-11-23 09:13 · Score: 5, Informative

https://edell.tlsfun.de/
I don't think it is "accused" any more. It's pretty much proven.
1. Re:Test your system. by Thumper_SVX · 2015-11-24 02:04 · Score: 1
  
  It's worth noting that my Alienware 15 and my E7240 don't have any such cert on them. Both are still OEM builds... though the AW15 has been upgraded to Windows 10 while the E7240 is still running 7 (because I actually like to get work done on that :)
  Just also tested my Venue 11 Pro and it DOES have the cert. Interesting.
I don't know it's a fact, I just know it's true... by Kevin+by+the+Beach · 2015-11-23 09:36 · Score: 1

David Hannum is quoted as saying "There's a sucker born every minute" (In reference to a P.T. Barnum hoax)
People in the know will quickly repair this huge hole, unfortunately the masses aka "suckers" will leave this vulnerability open to the world.
Mission accomplished.
DUDE, you're getting a superfish certificate! by JoeyRox · 2015-11-23 09:38 · Score: 1

Whoa, thanks man. Want to burn one after school?
Drucker said "Satisfy Your Customer" by BoRegardless · 2015-11-23 09:58 · Score: 2

So Dell satisfies its corporate customers.
thinkpenguin, librem and eoma68 laptops by lkcl · 2015-11-23 10:23 · Score: 4, Insightful

... y'know... it has to be said, this is precisely why thinkpenguin (and other FSF-Endorsed hardware) do wipe-it-down-to-the-bedrock products, even to the extent of replacing the standard BIOS with coreboot, and why the purism librem laptop exists (and was successfully funded last year). but even there, the problem is that for the past 15 years all intel processors have to have an RSA-signed bootloader that goes into EEPROM on-board the processor, where there's absolutely no chance of obtaining the source code for that proprietary firmware blob. you have absolutely no idea what goes into that bootloader, but it's already been demonstrated that your laptop - and your desktop - can be woken up by external network signals - without your consent or knowledge - *even when you powered them down*.
the only possible solution here is... to not use intel (or AMD) processors. and that opens up a whole can of worms, which is why i've been sponsored to make an upgradeable laptop. if any one CPU is ever found to have problems, the whole CPU Card can be popped out and replaced... *without* having to throw away the entire laptop.
designing a laptop from the ground up so that its main CPU module can be replaced... only two years ago that could have been said to be "total paranoia". now we have the kinds of stunts being pulled by Dell, Lenovo and the NSA which were only previously believed to *potentially* be carried out...
1. Re:thinkpenguin, librem and eoma68 laptops by hairyfeet · 2015-11-23 12:45 · Score: 1
  
  Sorry but you are incorrect, AMD doesn't have any nasty shit in the CPU. There was talk a couple years back of adding an ARM DRM chip for those business customers that wanted a TPM style system but nothing ever came of it.
  You can now happily go buy an AMD CPU based system which they opened the docs on a couple years back (they even go so far as to pay devs on both the Coreboot and FOSS driver teams so to speed up support of their chips) and as far as their APUs are concerned the only part of the docs you cannot have are the parts concerning HDMI HDCP, which is property of Intel and thus cannot be shared. Of course if you do not use HDCP protected content you won't have to worry about it as the whitepapers show the AMD APUs simply use a small "shim" to protect the memory on a part of the GPU normally used for graphics, as unlike Intel they do not dedicate silicon for HDCP.
  BTW if you want to make an "upgradeable" laptop your best bet would be AMD socket AM1, it uses less than 25w under load for the fastest chip, has a nice Radeon GPU capable of 1080P over HDMI for all 4 chips in the line, and is very affordable with the most expensive (2.07 Ghz quad APU) only costing $54, which means you could make a really nice affordable laptop with those chips rather easily.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
2. Re:thinkpenguin, librem and eoma68 laptops by queazocotal · 2015-11-23 12:51 · Score: 1
  
  That's not enough, to a large degree.
  It must also be designed so that no peripheral outside of the CPU is trusted, if you're going that far.
  Hard drives, network peripherals, ... all today have CPUs of their own, usually with entirely secret firmware, and often access to the bus.
3. Re:thinkpenguin, librem and eoma68 laptops by mlts · 2015-11-23 18:36 · Score: 2
  
  For home/SOHO usage, what also might help is adding a router and virtualization. The router ideally should be a small PFSense appliance with snort on it.
  Virtualization helps because it keeps things isolated. Nothing is perfect (as in theory, the hypervisor can be compromised), but with a layer separating the desktop OS from the bare metal, and an active gatekeeper that can easily block stuff phoning home, this will help with mitigation.
  For example, web browsing. Running the day to day browser in a VM [1] will go far in ensuring that a compromise via the browser won't go far. Since most browsers will sync bookmarks, a complete rollback to a known good snapshot every so often (Patch Tuesday, for example) will not waste much time.
  Later companies/enterprises are a different story. However, they have a lot more tools, such as VDI, better IDS/IPS monitors, and so on.
  On a side note, the parent poster has presented a good argument about why a desktop should be AMD. Definite food for thought.
  [1]: Running the VM on a SSD will help performance out, otherwise the main OS and the VM will always be fighting for control of the drive heads.
4. Re:thinkpenguin, librem and eoma68 laptops by AmiMoJo · 2015-11-24 05:15 · Score: 1
  
  Presumably that's only for the on-board LAN. Just use a PCIe LAN card instead (non Intel chipset).
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Not just laptops by INTPTT · 2015-11-23 12:25 · Score: 4, Informative

It's not just laptops. We confirmed it was on a Dell Precision 5810 desktop workstation, purchased early May 2015.
Two down... by MrKrillls · 2015-11-23 12:38 · Score: 2

Guess I shouldn't trust Lenovo or Dell for new machines.

--
Don't step on the baby.
1. Re:Two down... by Intron · 2015-11-23 13:00 · Score: 3, Funny
  
  Yeah. Good thing we can still trust Huawei.
  
  --
  Intron: the portion of DNA which expresses nothing useful.
Self-signing root certificates on laptops .. by nickweller · 2015-11-23 13:17 · Score: 1

What impact would these self-signing root certificates have on security?
1. Re:Self-signing root certificates on laptops .. by Fnord666 · 2015-11-23 16:06 · Score: 1
  
  What impact would these self-signing root certificates have on security?
  All root certificates are self signed. It's just a matter of whether you choose to trust them or not. Your system comes with a bunch of certificates that it trusts as root certificates. Dell just added an extra one to the mix.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
2. Re:Self-signing root certificates on laptops .. by Anonymous Coward · 2015-11-23 17:51 · Score: 2, Informative
  
  The problem isn't that it's self-signed - it's that they gave it the maximum possible authority and shipped it *with the private key included*, rather than just the public key.
  So, now *anyone* on the internet can sign their malicious web traffic, application, or driver with Dell's key and it will be trusted by all affected Dell computers. This would allow, for example, impersonating financial or e-commerce websites to steal people's credit card numbers or other personal data.
  When Lenovo did the same thing a while back, they were using it to spy on and inject ads into people's web traffic - even supposedly private encrypted sessions.
3. Re:Self-signing root certificates on laptops .. by nickweller · 2015-11-23 18:15 · Score: 2
  
  Brilliant reply, I take back anything negative I've ever said about Slashdot and the commentators.
Public key pinnng by manu0601 · 2015-11-23 14:19 · Score: 1

Even HTTP Public Key Pinning (HPKP) is not a solution against this kind of mess, since intercepting software could alter the Public-Key-Pins header.
1. Re:Public key pinnng by cbhacking · 2015-11-23 19:59 · Score: 1
  
  It would work with a preloaded pin list similar to the HSTS preload list, for sites that should use HTTPS even on the first visit. It would also work for sites like Google properties (in Chrome) or Mozilla properties (in Firefox) where the expected cert is baked into the browser even in advance of HPKP deployment.
  It would also work if nobody was intercepting your traffic the first time you visited the site. You would only be in danger if you were being intercepted every single time, including the first time, with this rogue certificate. That's a relatively low-risk threat, though the possibility of such interception does exist and this is why HSTS has a preload list.
  But yes, this kind of pwned-before-you-even-start thing is Really Bad.
  
  --
  There's no place I could be, since I've found Serenity...
Private Key? by Fnord666 · 2015-11-23 16:15 · Score: 1

So not only do these machines have a preinstalled, Dell generated root certificate, but they included the private key? WTF? The private key for a root certificate should only exist on a locked down, air gapped computer in an access controlled environment. The fact that this was included is downright scary.
A good tinfoil hat wearing individual might conclude that one of the TLAs told them to install a system that could automatically load signed executables without user's knowledge. In a fit of defiance they created this certificate knowing that it would be discovered and would call into question the reasons behind it.

--
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Key Revocation by Fnord666 · 2015-11-23 16:37 · Score: 1

Well, the good news is that with the private key available I believe that anyone could generate a revocation for this certificate. First person to revoke this key on every major key repository wins a bag of gummy bears!

--
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
The CA secret cert is also present by gweihir · 2015-11-23 20:22 · Score: 2

According to heise.de, just marked "non-exportable" (sorry, no English link):
http://www.heise.de/newsticker...
Person that reported this initially:
https://www.reddit.com/r/techn...
Apparently being non-exportable is no protection whatsoever, and people are already offering the CA cert for download, which then lets everybody sign for this CA.
It is hard to display more fundamental incompetence with regards to certificate handling.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Removal Instructions by Thumper_SVX · 2015-11-24 03:37 · Score: 1

1. Go to your Services... either run "services.msc", "compmgmt.msc" or "Open Services" from Task Manager.
2. Stop the Dell Foundation Service
3. Browse to c:\Program Files\Dell\Dell Foundation Services directory and delete the Dell.Foundation.Agent.Plugins.eDell.dll file
4. Launch Certificate Manager by running "certmgr.msc"
5. Browse to "Trusted Root Certificates \ Certificates"
6. Locate the eDellRoot certificate and delete it.
7. Restart your Dell Foundation Services. Voila... doesn't come back after a reboot.