Slashdot Mirror


Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk)

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

25 of 92 comments

  1. Let me Guess by Anonymous Coward · · Score: 5, Insightful

    He is running a pre-installed Windows?

    First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

    1. Re: Let me Guess by Anonymous Coward · · Score: 2, Interesting

      Apparently it reinstalls itself on updates and also is installed onto Ubuntu.

      This is lawsuit worthy IMO. Either maliciousness or gross negligence. One doesn't just accidentally do this.

    2. Re:Let me Guess by Lead+Butthead · · Score: 5, Informative

      He is running a pre-installed Windows?

      First thing I do is wipe any new computer clean. The OEMs can't be trusted anymore.

      Except if you bought a Lenovo, it'll helpfully replace OS components through Lenovo Service Engine entirely on its own. So a clean install won't save you. Nice eh?

      --
      ELOI, ELOI, LAMA SABACHTHANI!?
    3. Re: Let me Guess by ilsaloving · · Score: 2

      The FA doesn't mention anything about Ubuntu. Do you have a link?

      Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?

    4. Re: Let me Guess by LinuxIsGarbage · · Score: 4, Informative

      The FA doesn't mention anything about Ubuntu. Do you have a link?

      Is it just the pre-loaded versions of Ubuntu, like the preloaded versions of Windows?

      I can't speak to Ubuntu, but on Windows for Lenovo, Lenovo can install bloatware even on a clean install using Microsoft's Windows Platform Binary Table. Primarily intended for Drivers, or security software like LoJack.

    5. Re: Let me Guess by afidel · · Score: 2

      Or copy it into the untrusted store.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  2. Test your system. by khasim · · Score: 5, Informative

    https://edell.tlsfun.de/

    I don't think it is "accused" any more. It's pretty much proven.

  3. Re:Coming soon in Windows 11 by Dr_Barnowl · · Score: 5, Interesting

    No chance.

    This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

    We also had something that directed traffic while we were out of the corporate network through a third-party proxy that used the same trick (Websense).

  4. Re:Coming soon in Windows 11 by swb · · Score: 2

    That's easy to solve. MS will sell you an Enterprise Root CA Server system which _can_ install into client root CA stores. It's only $10,000 plus $100 per CAL for every client system the root CA is installed on.

  5. Re:Its only SuperFish-like by Chmarr · · Score: 4, Informative

    Reading the FA: yes, the private key is on the machine.

  6. Re:Coming soon in Windows 11 by Joe_Dragon · · Score: 2

    and then the people who use Linux based systems will just do it the free way and it's antitrust to block that.

  7. Re:Its only SuperFish-like by thoromyr · · Score: 5, Informative

    Not only is the private key supplied with the certificate, unlike with SuperFish the certificate can also be used to sign executables. Which means that the bad guys can now sign their malware with eDellRoot and gain unwarranted trust. It figures that slashdot doesn't provide a good link. Try http://arstechnica.com/securit...

  8. Re:Coming soon in Windows 11 by sexconker · · Score: 5, Interesting

    No chance.

    This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has its own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

    Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk.
    What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

    Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.

  9. Drucker said "Satisfy Your Customer" by BoRegardless · · Score: 2

    So Dell satisfies its corporate customers.

  10. thinkpenguin, librem and eoma68 laptops by lkcl · · Score: 4, Insightful

    ... y'know... it has to be said, this is precisely why thinkpenguin (and other FSF-Endorsed hardware) do wipe-it-down-to-the-bedrock products, even to the extent of replacing the standard BIOS with coreboot, and why the purism librem laptop exists (and was successfully funded last year). but even there, the problem is that for the past 15 years all intel processors have to have an RSA-signed bootloader that goes into EEPROM on-board the processor, where there's absolutely no chance of obtaining the source code for that proprietary firmware blob. you have absolutely no idea what goes into that bootloader, but it's already been demonstrated that your laptop - and your desktop - can be woken up by external network signals - without your consent or knowledge - *even when you powered them down*.

    the only possible solution here is... to not use intel (or AMD) processors. and that opens up a whole can of worms, which is why i've been sponsored to make an upgradeable laptop. if any one CPU is ever found to have problems, the whole CPU Card can be popped out and replaced... *without* having to throw away the entire laptop.

    designing a laptop from the ground up so that its main CPU module can be replaced... only two years ago that could have been said to be "total paranoia". now we have the kinds of stunts being pulled by Dell, Lenovo and the NSA which were only previously believed to *potentially* be carried out...

    1. Re:thinkpenguin, librem and eoma68 laptops by mlts · · Score: 2

      For home/SOHO usage, what also might help is adding a router and virtualization. The router ideally should be a small PFSense appliance with snort on it.

      Virtualization helps because it keeps things isolated. Nothing is perfect (as in theory, the hypervisor can be compromised), but with a layer separating the desktop OS from the bare metal, and an active gatekeeper that can easily block stuff phoning home, this will help with mitigation.

      For example, web browsing. Running the day to day browser in a VM [1] will go far in ensuring that a compromise via the browser won't go far. Since most browsers will sync bookmarks, a complete rollback to a known good snapshot every so often (Patch Tuesday, for example) will not waste much time.

      Larger companies/enterprises are a different story. However, they have a lot more tools, such as VDI, better IDS/IPS monitors, and so on.

      On a side note, the parent poster has presented a good argument about why a desktop should be AMD. Definite food for thought.

      [1]: Running the VM on a SSD will help performance out, otherwise the main OS and the VM will always be fighting for control of the drive heads.

  11. Re:Its only SuperFish-like by theskipper · · Score: 3, Interesting

    Heh, as pointed out at the bottom of that article someone in Dell marketing needs to eat some serious humble pie:

    http://www.dell.com/us/p/xps-1...
    "Dell is serious about your privacy
    Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."

    Youch.

  12. Not just laptops by INTPTT · · Score: 4, Informative

    It's not just laptops. We confirmed it was on a Dell Precision 5810 desktop workstation, purchased early May 2015.

  13. Two down... by MrKrillls · · Score: 2

    Guess I shouldn't trust Lenovo or Dell for new machines.

    --
    Don't step on the baby.
    1. Re:Two down... by Intron · · Score: 3, Funny

      Yeah. Good thing we can still trust Huawei.

      --
      Intron: the portion of DNA which expresses nothing useful.
  14. Re:Its only SuperFish-like by exomondo · · Score: 2

    At least they're honest, apparently you get faster set-up, you get reduced privacy and you get security concerns.

  15. Re:Self-signing root certificates on laptops .. by Anonymous Coward · · Score: 2, Informative

    The problem isn't that it's self-signed - it's that they gave it the maximum possible authority and shipped it *with the private key included*, rather than just the public key.

    So, now *anyone* on the internet can sign their malicious web traffic, application, or driver with Dell's key and it will be trusted by all affected Dell computers. This would allow, for example, impersonating financial or e-commerce websites to steal people's credit card numbers or other personal data.

    When Lenovo did the same thing a while back, they were using it to spy on and inject ads into people's web traffic - even supposedly private encrypted sessions.

  16. Re:Self-signing root certificates on laptops .. by nickweller · · Score: 2

    Brilliant reply, I take back anything negative I've ever said about Slashdot and the commentators.

  17. Re:Coming soon in Windows 11 by mlts · · Score: 2

    In companies, using a device like BlueCoat, or another, and dropping the root cert into AD for it to be auto-trusted isn't unheard of.

    However, I'm seeing this being done more and more with adware. In fact, when helping to clean some infections, when I was doing a quick forensic check before saving documents and wiping the box, almost all the machines with adware/scumware had a root cert added, and all traffic going through some local VPN or proxy. This is of course fixable, but if this is done, who knows what other stuff is installed, so it is best to just save critical stuff and start all over.

    There is one way around the WPBT install (which has been around for almost a decade, mainly used to reinstall LoJack for Laptops), and that is to install an OS which acts as a hypervisor (ideally a non-Windows OS which doesn't give a hoot about WPBT), then do the rest of your work in a VM. Of course, this makes gaming almost impossible, but it is a way to mitigate the damage that WPBT installed software is able to do.

    I personally don't mind software that an OEM wants to have installed with Windows, especially drivers for NICs and core items which are difficult to just fetch and download. However, the ideal would be to have an install/recovery image of Windows on a read-only flash partition, ideally with the ability to boot more than one Windows edition (so a machine that initially came with Windows 7, got upgraded to Windows 10 has the option to boot and install from either.) At the minimum, the user should be prompted and given the option to install each signed package, or just decline everything.

  18. The CA secret cert is also present by gweihir · · Score: 2

    According to heise.de, just marked "non-exportable" (sorry, no English link):

            http://www.heise.de/newsticker...

    Person that reported this initially:

        https://www.reddit.com/r/techn...

    Apparently being non-exportable is no protection whatsoever, and people are already offering the CA cert for download, which then lets everybody sign for this CA.

    It is hard to display more fundamental incompetence with regards to certificate handling.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
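
  Added example (not part of the thread, and not Dell's, Citrix's or Slashdot's code): a PowerShell check for the condition comments 2, 7, 15 and 18 describe. Find-RogueRoot lists any root in the machine or user trust store whose subject matches a pattern and reports the two properties that make eDellRoot dangerous: HasPrivateKey (the key is present on the box) and the absence of an Enhanced Key Usage extension (a root with no EKU is valid for every purpose, including code signing). Test-RogueRootSigns shows why "non-exportable" is no protection: it mints a leaf certificate for an arbitrary hostname with New-SelfSignedCertificate -Signer, using the key in place, and asks the OS chain engine whether it trusts the result. Remove-RogueRoot deletes the certificate and its key. The function names, the '*eDellRoot*' subject pattern and the 'bank.example' hostname are assumptions; the script assumes Windows PowerShell 5.1 or later on Windows 10 or later (the PKI module's -Signer parameter), run as Administrator for the LocalMachine store.

```powershell
# Added example, not code from the original page. Assumes Windows 10+ with the
# PKI module and an elevated prompt for Cert:\LocalMachine\Root.

function Find-RogueRoot {
    param(
        # Assumption: match the root by subject name; the thread names it 'eDellRoot'.
        [string]$SubjectPattern = '*eDellRoot*',
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                $cert = $_
                # A root with no EKU extension is trusted for every purpose
                # (TLS server, code signing, ...), the point raised in comment 7.
                $eku = $cert.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
                $purposes = if ($eku) {
                    ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
                } else {
                    'any (no EKU extension)'
                }
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    # The defining flaw: a trust-store *root* whose private key lives on the machine.
                    HasPrivateKey = $cert.HasPrivateKey
                    Purposes      = $purposes
                }
            }
    }
}

function Test-RogueRootSigns {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root,
        # Assumption: any site the attacker wants to impersonate.
        [string]$DnsName = 'bank.example'
    )
    # Mint a leaf chained to the rogue root, which is exactly what anyone holding its
    # private key can do. A "non-exportable" key is still usable for signing in place.
    $leaf = New-SelfSignedCertificate -DnsName $DnsName -Signer $Root `
        -CertStoreLocation 'Cert:\CurrentUser\My'
    try {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the rogue root publishes no CRL
        $trusted = $chain.Build($leaf)                  # $true on an affected machine
        [pscustomobject]@{
            DnsName     = $DnsName
            Issuer      = $leaf.Issuer
            TrustedByOS = $trusted
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    } finally {
        # Do not leave the forged leaf or its key behind.
        Remove-Item -Path ('Cert:\CurrentUser\My\' + $leaf.Thumbprint) -DeleteKey
    }
}

function Remove-RogueRoot {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Store = 'Cert:\LocalMachine\Root'
    )
    $path = Join-Path $Store $Thumbprint
    if (Test-Path $path) {
        # -DeleteKey also destroys the private key material, not just the certificate.
        Remove-Item -Path $path -DeleteKey
        Write-Host "Removed $Thumbprint from $Store"
    }
}

# Usage:
#   Find-RogueRoot | Format-List
#   $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*eDellRoot*' | Select-Object -First 1
#   if ($root) { Test-RogueRootSigns -Root $root }
#   Find-RogueRoot | ForEach-Object { Remove-RogueRoot -Thumbprint $_.Thumbprint -Store $_.Store }
```

  The browser test linked in comment 2 checks the same thing from the outside (does your browser accept a certificate chained to eDellRoot); this script checks it from inside the trust store and also shows the code-signing exposure, which a TLS test page cannot. Since the thread reports the certificate reinstalling itself after updates, deleting it is only half a fix: re-run Find-RogueRoot after the next reboot and after vendor updates, and treat a reappearance as a sign that whatever installs it is still present.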