Slashdot Mirror


Second Root Cert-Private Key Pair Found On Dell Computer (threatpost.com)

msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellRoot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellRoot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.

65 comments

  1. Unavoidable by edtice1559 · · Score: 3, Interesting

    I feel bad for those who switched from Lenovo to Dell after the SuperFish fiasco.

    1. Re:Unavoidable by ndtechnologies · · Score: 1

      I feel bad for those who switched from Lenovo to Dell after the SuperFish fiasco.

      I read this as "SuperFish Taco"...anyone else?

      --
      I have nothing clever to put here...
    2. Re:Unavoidable by gcnaddict · · Score: 3, Informative

      Um, they have legal possession or authorization over them? Could be computers owned by clients, by themselves, by consenting families of employees...

      The CFAA allows for this.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    3. Re:Unavoidable by fuzzyfuzzyfungus · · Score: 5, Insightful

      The only consolation is that 'superfish' was clear evil, executed with some degree of effectiveness; while the current Dell thing appears to be unbelievable failure at even the concepts behind safe certificate handling; but without an overt evil objective.

      It is, at least, possible, that stupid will be cured by enough 3rd party testing; but evil is harder to expunge.

      That said, the level of stupid on display here (especially for a company that is supposed to know how to, say, sign and deploy device drivers; and run a website with a secure order form) is pretty terrifying. Bugs are bad; but at least some of them are subtle. Adding a trusted root cert with an easily extractable private key to a huge number of customer systems isn't a 'bug', it's insanity.

    4. Re:Unavoidable by fuzzyfuzzyfungus · · Score: 2

      I'm sure that some don't end up in handcuffs simply because the backlog of unpunished actual-bad-guys is so long that nobody even thinks about going after the white and grey hats, unless they embarrass the wrong person or company.

      It's also possible, though, that they managed it by perfectly licit means: millions of people pay to have AV companies grovel over their files and send some amount of data back to the mothership; and since certificate problems will affect the behavior of any program that uses the OS-provided certificate store (which is most of them, Firefox being the major exception); anyone with access to a decent slice of web traffic can probably infer the presence or absence of a given certificate on every IE and Chrome user who passes through.

    5. Re:Unavoidable by Anonymous Coward · · Score: 0

      yummm, fish taco. I hope it's not made with blinky.

    6. Re:Unavoidable by Anonymous Coward · · Score: 2, Insightful

      It's completely avoidable. Do your homework on a new laptop (manufacturer doesn't matter.) Make sure it has good Linux compatibility. Buy it and install your favorite distro. I've been doing this for the past 10 years. It's great because you benefit from the lower price (thanks to all the shovelware) without having to actually live with the shovelware.

    7. Re:Unavoidable by ColdWetDog · · Score: 1

      Hanlon's Razor strikes again....

      --
      Faster! Faster! Faster would be better!
  2. Wait, they shipped the private key? by mi · · Score: 4, Interesting

    private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop

    So, the happy owners of the affected laptops can now issue certificates and/or sign drivers, which will be accepted as genuine by other owners of Dell hardware?

    Seriously? If so, that's just too dumb to be malicious...

    --
    In Soviet Washington the swamp drains you.
    1. Re:Wait, they shipped the private key? by Anonymous Coward · · Score: 0

      Heh, isn't that always the question. I found the eDellRoot certificate on my machine (Which I promptly disabled) and it definitely shows that the private key also exists on my system (it is the only certificate with that distinction!). I guess I'm lucky not to have found the other one as well, but I suppose it's just due to the model.

      CAPTCHA: weasel

    2. Re:Wait, they shipped the private key? by gstoddart · · Score: 4, Insightful

      Seriously? If so, that's just too dumb to be malicious...

      Companies are so bad about security these days that I refuse to differentiate between stupidity and malice.

      If they do it to sell ads, or they do it to make support easy but don't have proper security people review it ... I don't see much difference.

      --
      Lost at C:>. Found at C.
    3. Re:Wait, they shipped the private key? by Anonymous Coward · · Score: 2

      The term you're looking for is "criminally negligent".

    4. Re: Wait, they shipped the private key? by Anonymous Coward · · Score: 0

      Yeah well buying Dell (or Lenovo) to save money is like shopping at Walmart, Costco, etc. You get what you pay for which is ALWAYS below average.

    5. Re: Wait, they shipped the private key? by Anonymous Coward · · Score: 1

      I buy all my computers at Walmart. What are you getting in exchange for the extra money?

    6. Re: Wait, they shipped the private key? by Anonymous Coward · · Score: 0

      A computer that isn't using crippled hardware between like models at different stores.

    7. Re:Wait, they shipped the private key? by hey! · · Score: 1

      So, the happy owners of the affected laptops can now issue certificates and/or sign drivers, which will be accepted as genuine by other owners of Dell hardware?

      Seriously? If so, that's just too dumb to be malicious...

      It's not too dumb to be willful negligence -- defined in legal dictionaries as "Intentional performance of an unreasonable act in disregard of a known risk..."

      Having the know-how to do such a thing necessarily entails knowledge of why it's a bad idea. So either an engineer acted in breach of professional ethics, or managers rode roughshod over the engineers' objections.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    8. Re:Wait, they shipped the private key? by mi · · Score: 1

      So either an engineer acted in breach of professional ethics, or managers rode roughshod over the engineers' objections.

      This suspicion would've made sense, if there was some profit opportunity there. But I can not see one...

      Making their own CA recognizable as valid by users of their computers would've been understandable — and even acceptable. But what possible use is publishing your private key?

      Perhaps, it is to be able to deny responsibility for bad software later, but that's a little too far-fetched...

      --
      In Soviet Washington the swamp drains you.
    9. Re:Wait, they shipped the private key? by hey! · · Score: 1

      But what possible use is publishing your private key?

      Perhaps, it is to be able to deny responsibility for bad software later, but that's a little too far-fetched...

      Well, we're not talking about publishing THE private key to anything Dell cares about. We're talking about publishing A private key that Dell can use to do things on the client's machine that undermine the security model. Why? Well there's lots of potential ways to create revenue or cut costs that way. For example Lenovo did it so they could inject ads into web pages that were supposedly cryptographically protected from tampering.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    10. Re:Wait, they shipped the private key? by Solandri · · Score: 1

      I've actually seen this before with OpenVPN setups. The standard setup procedure has you generate the keys and certificates on the server, but doesn't make clear which files are the private keys and which are public. One of the guides now carefully points out which files you're supposed to keep secret. But I've seen several OpenVPN setups where someone didn't know better and just installed the client, then copied all the config files (all the certificates and keys) from the server to the client.

      Explaining it in the documentation isn't enough. The code which generates the keys should explicitly put the private and public keys in different directories whose names say whether they need to be kept on the server, put on the client, or copied to a USB flash drive and locked in a safe. Right now everything is just dumped into the current directory under the assumption that the person generating the keys knows which key is for what. You shouldn't assume everyone who will use the software will know how the software works.

    11. Re:Wait, they shipped the private key? by mi · · Score: 1

      For example Lenovo did it so they could inject ads into web pages that were supposedly cryptographically protected from tampering

      This makes no sense. Why do you need your private key to be located on the users' computer for that?

      --
      In Soviet Washington the swamp drains you.
    12. Re:Wait, they shipped the private key? by Skuld-Chan · · Score: 1

      This part is actually FUD I think. This particular Dell private key does not chain up to a trusted root CA.

      Also - Windows will only install drivers silently that are Microsoft WHQL signed - they are the only ones who sign these drivers, and this key does not chain up to that either.

      At most you could sign a driver with this key, and install said driver onto a machine that had the public key already installed - assuming you had local admin as well - and for a user mode driver (like a printer) it will give you a soft warning "are you sure you really want to do this", for a kernel mode driver it will give you a red "this will potentially harm/wreck this computer" warning.

      Yes this is a terrible security problem, but the attack surface is relatively small (none of the Dell PC's I had - have this cert - I believe it only gets installed when using the support portal's check my serial/warranty feature).

    13. Re:Wait, they shipped the private key? by hey! · · Score: 1

      It's not *your* private key. It's a private key that the browser is configured to trust.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    14. Re:Wait, they shipped the private key? by arglebargle_xiv · · Score: 1

      I found the eDellRoot certificate on my machine (Which I promptly disabled)

      And then Dell's software re-enables it, or reinstalls it if you delete it. And if you remove the software that does the reinstall and ever factory-reset your PC, it in turn gets reinstalled. It's like malware, except that it's from a commercial vendor.

    15. Re:Wait, they shipped the private key? by mi · · Score: 1

      It's not *your* private key.

      I know, it is not mine, darn it. It is Dell's.

      It's a private key that the browser is configured to trust.

      Yes, but the browser does not need to have access to the private key to establish that trust — that's the whole point of public/private key cryptography.

      The question was — and remains — why does this private key need to be present on the user's computer, if the sole goal is to show the user ads as "trusted"?

      --
      In Soviet Washington the swamp drains you.
    16. Re:Wait, they shipped the private key? by Thumper_SVX · · Score: 1

      And then Dell's software re-enables it, or reinstalls it if you delete it. And if you remove the software that does the reinstall and ever factory-reset your PC, it in turn gets reinstalled. It's like malware, except that it's from a commercial vendor.

      Unless you... you know... follow the instructions Dell provided to remove it properly or get the update that fixes this bug.

      Definitely a real dumbass move on Dell's part, but this happens in all big companies; someone thinks they're doing a really great thing by simplifying some process without giving any thought to the security ramifications.

    17. Re:Wait, they shipped the private key? by DarkOx · · Score: 1

      for example Lenovo did it so they could inject ads into web pages that were supposedly cryptographically protected from tampering

      This makes no sense. Why do you need your private key to be located on the users' computer for that?

      Why? Because you can't defeat the certificate checking logic of the local SSL stack. You need 'a' private key there for a trusted root CA so you can generate certificates on the fly other parts of the system will see as valid.

      Browser tries google.com -> You intercept it -> You go fetch the cert from the original destination ip -> you validate it or don't -> you generate a new cert based on the content of the one you got and sign it with the private key -> send the response to the browser (which then validates the cert checking it against the local trusted root you installed).

      That is it in a nutshell. There are some other details but basically that is how it's done and that is why you need the local private key, because without it you could not generate signed certs.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    18. Re:Wait, they shipped the private key? by mi · · Score: 1

      you generate a new cert based on the content of the one you got and sign it with the private key

      If that's what it is, why would you permanently store the private key on the machine? You can generate a new one at will — because the browser is configured to trust your CA...

      Neah, I tend to go with the Hanlon's Razor: Never attribute to malice that which is adequately explained by stupidity.

      --
      In Soviet Washington the swamp drains you.
  3. Using Firefox Meantime by retroworks · · Score: 3, Informative

    My new XPS 15 9050 had just arrived and I tested it and found it vulnerable, now looking forward to implementing the fix over the holiday. In the meantime, the fact that Firefox protected the machine on the test websites (and Chrome and Explorer did not) caused me to swap to Firefox on all my other machines, just cause I appreciate they had my back.

    --
    Gently reply
    1. Re:Using Firefox Meantime by DarkOx · · Score: 5, Informative

      You need to wait for the holiday to delete a certificate out of your trusted roots on your personal machine? Wow.

      Secondly Firefox did not protect you from anything, the fact they don't share the system cert store did. Yeah it worked out this time to your favor but I honestly don't think Mozilla's failure to integrate with system certificate stores is a win in general. It's actually one of the biggest reasons I think about leaving my beloved SeaMonkey for something else.

      For one thing you now have not one but 2 certificate stores you need to audit. That sucks! If a CA says they have been compromised I have to remember to fix it in 2 places instead of one. That isn't a security win. Many users probably don't even realize they don't use the system trusts, so if they get instructions to fix an issue by removing a CA they will likely fail to fix the Mozilla based browser.

      Second in managed environments revoking a trust in Mozilla isn't easy to script out, that means Firefox and SeaMonkey installs likely just don't get fixed, again not a security win.

      Frankly I think it's rather a shame Mozilla does not provide at least the option to use the system trusted roots.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Using Firefox Meantime by Anonymous Coward · · Score: 0

      looking forward to implementing the fix over the holiday.

      The Guardian says they're pushing an update to fix it, or you can do it manually (link to Dell instructions in the bottom paragraph of the article).

    3. Re:Using Firefox Meantime by quetwo · · Score: 2

      It's not that they have your back -- it's that they use their own certificate chain of trust that doesn't rely on the OS. It's baked into the source code, and can't be updated unless you upgrade versions (also, if one gets blacklisted, you don't notice it either).

    4. Re:Using Firefox Meantime by fuzzyfuzzyfungus · · Score: 1

      I agree that not using the system-provided certificate storage is a disadvantage; but I'd be curious to know if you've actively had lousy luck with certutil, or whether it works but is more of a pain than just using group policy to manipulate the Windows-native store?

    5. Re:Using Firefox Meantime by Anonymous Coward · · Score: 0

      You need to wait for the holiday to delete a certificate out of your trusted roots on your personal machine? Wow.

      Do not delete the certificate from any store. Leave it in place and marked as untrusted. In fact, add it to Firefox's store, also marked as untrusted.
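
The advice in this comment and in the DarkOx post above (audit your trusted roots, then mark a bad one untrusted rather than deleting it) can be turned into a repeatable check. The following PowerShell script is an added example, not something posted in the thread or published by Dell or Duo Security. It lists every certificate in the machine and user Root stores that carries a private key, which is exactly the condition the thread is about (a trusted CA whose signing key sits on the end-user box), and, when run with `-Distrust`, copies the matching certificate into the "Untrusted Certificates" (Disallowed) store before removing it from Root, so a later reinstall into Root is still rejected. The default subject filter `eDellRoot` is the name from the story; `$Distrust` and the report shape are the example's own choices.

```powershell
# Added example (not from the thread): audit the Windows root stores for CA
# certificates whose private key is present on this machine, and optionally mark
# a chosen one as untrusted. Run from an elevated PowerShell (3.0 or later).
param(
    [string]$SubjectFilter = "eDellRoot",   # substring matched against the Subject
    [switch]$Distrust                        # actually move matches to Disallowed
)

# Roots that Windows trusts for TLS and code signing live in these two stores.
$rootStores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

function Get-RootsWithPrivateKey {
    foreach ($path in $rootStores) {
        Get-ChildItem -Path $path | Where-Object { $_.HasPrivateKey } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

# A trusted root with its private key on an end-user machine lets anyone who
# reads that key mint certificates this machine will accept. Report all of them.
$suspects = @(Get-RootsWithPrivateKey)
if ($suspects.Count -eq 0) {
    Write-Host "No trusted root in $($rootStores -join ', ') has a private key on this machine."
} else {
    Write-Host "Trusted roots with a private key present:"
    $suspects | Format-Table -AutoSize
}

# Marking the certificate untrusted (Disallowed store) rather than only deleting
# it means Windows keeps rejecting chains to it even if vendor software re-adds
# it to Root later.
$targets = $suspects | Where-Object { $_.Subject -like "*$SubjectFilter*" }
foreach ($t in $targets) {
    if (-not $Distrust) {
        Write-Host "Would distrust: $($t.Subject) [$($t.Thumbprint)] in $($t.Store) (re-run with -Distrust)"
        continue
    }
    $location = if ($t.Store -like "*LocalMachine*") { "LocalMachine" } else { "CurrentUser" }
    $cert = Get-ChildItem -Path $t.Store | Where-Object { $_.Thumbprint -eq $t.Thumbprint }

    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store("Disallowed", $location)
    $disallowed.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $disallowed.Add($cert)
    $disallowed.Close()

    # Remove the copy from Root; the Disallowed entry is what enforces distrust.
    Remove-Item -Path (Join-Path $t.Store $t.Thumbprint)
    Write-Host "Distrusted: $($t.Subject) [$($t.Thumbprint)]"
}
```

Run it once without `-Distrust` to see the report; the `HasPrivateKey` column is the interesting one, because a legitimate public CA root should never have a private key on a client. Note that this handles only the Windows store; a Firefox or SeaMonkey profile has its own NSS database that this script does not touch.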

    6. Re:Using Firefox Meantime by DarkOx · · Score: 1

      The latter, certutil works fine, but you have to build some custom fix packages to use it. Which can get complex if you have cases where those installations are not in the default locations.

      i.e. non local admin users can't install FF to its usual places so they install it to a directory inside their profile. Now you are playing find the Firefox / SeaMonkey install.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
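
DarkOx's two points above (Mozilla browsers keep a second certificate store that has to be audited separately, and per-user installs make the profiles hard to find), plus the earlier suggestion to add the bad CA to Firefox's store marked as untrusted, are illustrated by the following PowerShell script. It is an added example and not code from the thread, from Mozilla or from Dell. It assumes the NSS command-line tools are present (the NSS `certutil.exe`, which Firefox does not ship, at the assumed path in `$CertUtil`, not the Windows `certutil`), and it assumes profiles are registered in each user's `profiles.ini`, which is how Firefox and SeaMonkey record them. The nickname and PEM path parameters are the example's own.

```powershell
# Added example (not from the thread): find every Firefox/SeaMonkey profile on
# the machine and list, distrust, or add-as-distrusted a CA in each profile's
# NSS database. Requires the NSS certutil.exe (assumed path below).
param(
    [string]$CertUtil      = "C:\Tools\nss\certutil.exe",  # assumed location of NSS certutil
    [string]$SubjectFilter = "Dell",        # substring to look for when listing
    [string]$Nickname      = "",            # NSS nickname to distrust; empty = list only
    [string]$CertFile      = ""             # optional PEM of the CA to import as distrusted
)

function Get-MozillaProfileDirs {
    # profiles.ini under each user's roaming AppData names the profile folders.
    # A per-user Firefox install may live anywhere, but the profile registry is
    # still here, so walking every user's profiles.ini finds the NSS databases.
    $dirs = @()
    foreach ($user in Get-ChildItem "C:\Users" -Directory) {
        foreach ($app in @("Mozilla\Firefox", "Mozilla\SeaMonkey")) {
            $ini = Join-Path $user.FullName "AppData\Roaming\$app\profiles.ini"
            if (-not (Test-Path $ini)) { continue }
            $base = Split-Path $ini
            $isRelative = $true
            foreach ($line in Get-Content $ini) {
                if ($line -match '^\[') { $isRelative = $true }          # new section, reset default
                if ($line -match '^IsRelative=(\d)') { $isRelative = ($Matches[1] -eq '1') }
                if ($line -match '^Path=(.+)$') {
                    $p = $Matches[1]
                    if ($isRelative) { $p = Join-Path $base $p }
                    $dirs += $p
                }
            }
        }
    }
    # Keep only directories that actually contain an NSS certificate database.
    $dirs | Where-Object {
        (Test-Path (Join-Path $_ "cert9.db")) -or (Test-Path (Join-Path $_ "cert8.db"))
    }
}

foreach ($dir in Get-MozillaProfileDirs) {
    # cert9.db is the sqlite format ("sql:" prefix); cert8.db is the older
    # Berkeley DB format ("dbm:" prefix). Pick the one the profile has.
    $db = if (Test-Path (Join-Path $dir "cert9.db")) { "sql:$dir" } else { "dbm:$dir" }
    Write-Host "== $dir"

    if ($CertFile -and $Nickname) {
        # Import the CA and mark it explicitly distrusted ("p" = prohibited) for
        # TLS, e-mail and object signing, so it is rejected even if nothing else
        # ever adds it to this profile.
        & $CertUtil -A -n $Nickname -t "p,p,p" -i $CertFile -d $db
    } elseif ($Nickname) {
        # Change the trust flags of an already-present CA to distrusted.
        & $CertUtil -M -n $Nickname -t "p,p,p" -d $db
    } else {
        # List mode: show nicknames and trust flags matching the filter.
        & $CertUtil -L -d $db | Select-String $SubjectFilter
    }
}
```

Because the script only edits databases found through `profiles.ini`, a browser that was started with an ad hoc `-profile` path will be missed; that gap is the "find the Firefox install" problem DarkOx describes, and the fix is to extend the search rather than to trust that the system store cleanup covered it.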
    7. Re:Using Firefox Meantime by Anonymous Coward · · Score: 0

      You need to wait for the holiday to delete a certificate out of your trusted roots on your personal machine? Wow.

      Slashdot has been attracting a steadily-decreasing caliber of nerd over the past decade or so.

    8. Re:Using Firefox Meantime by Anonymous Coward · · Score: 0

      Repair instructions came out today, Tuesday. The Thanksgiving holiday is Thursday. Not wow-worthy.

    9. Re:Using Firefox Meantime by Anonymous Coward · · Score: 0

      Computer giant Dell on Monday apologized for a tech support feature on its PCs that accidentally left those machines open to hackers.

      Dell PCs shipped since August 2015 are equipped with a root certificate known as eDellRoot. According to Dell, it's "part of a support tool and intended to make it faster and easier for our customers to service their system."

      Unfortunately, Dell acknowledged, eDellRoot "unintentionally introduced a security vulnerability."

      As security expert Brian Krebs explained, "a malicious hacker could exploit this flaw on open, public networks (think Wi-Fi hotspots, coffee shops, airports) to impersonate any Web site to a Dell user, and to quietly intercept, read and modify all of a vulnerable Dell system's Web traffic."

      Dell posted instructions [Word download] about how to permanently remove the certificate from your system, and said "we deeply regret that this has happened."

      Dell's customers, including Joe Nord and Kevin Hicks (a.k.a. rotorcowboy), brought the issue to Dell's attention last week.

      Nord, a programmer, blogged about the root certificate found in his new Dell Inspiron 5000 series notebook.

      "I'm having a tough time coming up with a good reason that Dell Computer Corporation needs to be a trusted root CA [Certificate Authority] on my computer," he wrote on Sunday. "It has me thinking things similar to the Lenovo mistakes earlier this year with Superfish."

      Hicks posted similar complaints about his "shiny new XPS 15 laptop from Dell" (pictured), which came pre-loaded with a self-signed root CA.

      As Nord noted, the incident brings to mind Lenovo's Superfish fiasco. Superfish adware was surreptitiously installed on Lenovo PCs shipped during the fourth quarter of 2014, and resulted in annoying pop-ups and unwanted ads across the Web. It also made people's PCs susceptible to hackers. Lenovo stopped shipping its PCs with Superfish in December, and issued an automatic removal tool for those who have the adware on their PC. It later promised to strip its consumer PCs of bloatware going forward. http://www.pcmag.com/article2/0,2817,2495593,00.asp

    10. Re:Using Firefox Meantime by DarkOx · · Score: 1

      You deserve an up mod, AC; you are quite correct, my choice of the word delete was poor, the correct course of action is to mark it as untrusted.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:Using Firefox Meantime by Billly+Gates · · Score: 1

      Or better yet download the drivers to a USB and wipe it with a fresh image from the media creation tool or ISO from Microsoft's website.

      I have not seen anyone use the malware and spyware bloated image since last decade. You always do a clean install.

  4. Steps by Anonymous Coward · · Score: 2, Informative

    Step 0: Don't buy any equipment from a manufacturer that supports Microsoft Windows Platform Binary Table (WPBT).

    Step 1: Wipe any pre-existing OS on your equipment.

    Step 2: Stop buying anything from vendors (Lenovo, now Dell) who are proven to do this shit.

  5. Appropriate by Anonymous Coward · · Score: 0

    The second certificate / key pair was found by researchers at Duo Security.

    I see where they get their name from.

  6. Re:Dell is for cows. by Anonymous Coward · · Score: 4, Funny

    Gateway is for cows, cretin.

  7. theirs and their customers, in all likelihood by raymorris · · Score: 1

    Why do you assume they are messing with peoples' machines without permission? Most likely they checked whichever machines they had in their offices, then did their job and checked their customers' machines. That's how we'd do it, anyway.

  8. Open Source Computer by MagickalMyst · · Score: 1

    These companies are just plain sleazy.

    My next computer won't be a Dell or IBM or OEM for that matter.

    I think it's about time for an open source computer.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    1. Re:Open Source Computer by Anonymous Coward · · Score: 0

      Me too me thinks.

      Bookmark these after reading the previous Dell certificate discussion earlier today.

      https://www.thinkpenguin.com/

      https://www.crowdsupply.com/search?q=librem

      http://elinux.org/Embedded_Open_Modular_Architecture/EOMA-68

  9. A word document? by jlv · · Score: 3, Interesting

    Why were the removal instructions provided as a word document? They couldn't just have a simple web page with pictures?

    1. Re:A word document? by Anonymous Coward · · Score: 1

      The Word doc probably contains embedded executable code to restore the cert, or install a 3rd one.

    2. Re:A word document? by trawg · · Score: 3, Informative

      Their official blog post actually has a PDF link - not sure if they've updated it since releasing the (weird) DOCX file, or if the DOCX came from another source.

    3. Re:A word document? by ThatsNotPudding · · Score: 2

      Why were the removal instructions provided as a word document? They couldn't just have a simple web page with pictures?

      They couldn't get the Flash exploits to work in time.

    4. Re:A word document? by Anonymous Coward · · Score: 0

      Of course they need to install the replacement backdoor, how else could they continue selling your data to anyone interested.

  10. Sadly Microsoft encouraged this. by Lumpy · · Score: 3, Informative

    We don't get clean reinstall DVDs; Microsoft allows the builder to put whatever crap they want on the computer. Honestly it's all Microsoft's fault.

    Go back to shipping a MICROSOFT PRESSED installation DVD with the machine as a requirement, and the install must be done from a clean image; no extra crap is allowed to be installed on the machine. Yes, that means they have to use decent chipsets instead of the crap-tastic stuff like Marvell and other really low end China dog food devices.

    --
    Do not look at laser with remaining good eye.
    1. Re:Sadly Microsoft encouraged this. by Anonymous Coward · · Score: 0

      But... They removed the dvd drives from laptops.

    2. Re: Sadly Microsoft encouraged this. by bill_mcgonigle · · Score: 1

      Buy your gear from a quality vendor (e.g. Taiwanese OEM) and that's what you'll get. Require the cheap-crap vendors to not provide cheap crap? That's why we have options.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Sadly Microsoft encouraged this. by Anonymous Coward · · Score: 0

      But... They removed the dvd drives from laptops.

      Ah, if only it was possible to get a DVD drive that attached to the laptop somehow.

    4. Re:Sadly Microsoft encouraged this. by John+Bokma · · Score: 1

      Nowadays? Easy. In 5 years? 10? No idea. I wanted to burn a blu-ray on Linux and it turned out that Ubuntu doesn't support it out-of-the-box... (14.10). It probably also has to do with the relationship between the cdrtools (formerly cdrecord) not being good, to put it nicely. But maybe more with optical media being on a steep decline? Anyway, Burn on OS X saved the day.

    5. Re: Sadly Microsoft encouraged this. by Anonymous Coward · · Score: 0

      I do... Lenovo does not give you installation media Nor a clean install.

    6. Re: Sadly Microsoft encouraged this. by Cro+Magnon · · Score: 1

      Yes, we do.

      www.apple.com

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  11. SuperFish Taco by NotQuiteReal · · Score: 1

    New and improved! Now with AquAdvantage!

    --
    This issue is a bit more complicated than you think.
  12. Lay terms by Anonymous Coward · · Score: 0

    Can someone please put this in lay terms?

    1. Re:Lay terms by Anonymous Coward · · Score: 0

      Can someone please put this in lay terms?

      You’re looking for USA Today or Huffington Post; they’re down the hall.

  13. Moral of the story... by bytesex · · Score: 1

    Asymmetric crypto always looks like the cat's meow at first, and then over time you find out that it sucks hairy donkey balls.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  14. DUDE, you're getting ROOTED !!! by Anonymous Coward · · Score: 0

    You know this had to be said.

  15. Here's your solution: by Anonymous Coward · · Score: 0

    Wipe the disk, and load some release of Linux or BSD on the system. Problem solved.