Learning From Lenovo's Compounded Failures, Dell Apologizes For Its Own HTTPS Certificate Screw Up

from the yeah,-whoops dept

Dell this week found itself under fire for embedding a certificate in some PCs that makes it relatively easy for attackers to cryptographically impersonate HTTPS-protected websites. First discovered by a programmer named Joe Nord, Dell's eDellRoot certificate appears to have been preinstalled as a root certificate on several Dell laptop and desktop models. As Nord notes, it's relatively simple to extract the locally-stored key, sign fraudulent TLS certificates for any HTTPS-protected website on the Internet, and trick user browsers to accept these encrypted Web sessions with no security warnings whatsoever.
This is, of course, reminiscent of the Superfish fiasco that plagued Lenovo earlier this year. But in that case the culprit was third-party adware, while Dell's eDellRoot is the company's own abomination. Duo Labs Security says it discovered the same problem, noting that it had even found evidence of the root certificate on some SCADA systems, typically used in places like factories, dams and power stations. Like Nord, Duo's researchers note that it's rather incredible that Dell wouldn't have discovered and fixed this problem after what happened to Lenovo:
"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Tampering with the certificate store is a questionable practice, and OEM’s need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."
However Dell did appear to learn something in terms of their PR response to the vulnerability. Unlike Lenovo, which originally tried to deny any security problem whatsoever, Dell has issued a relatively straight forward blog post addressing the issue. In it, Dell does something downright kooky: it admits that the vulnerability is a vulnerability, and publicly thanks the security researchers that discovered it. According to Dell, the certificate was implemented as part of a support tool "intended to make it faster and easier" for users to service their system.

Dell's quick to remind readers that at least it wasn't adware, and unlike Lenovo's snoopvertising, it won't stealthily hide in the BiOS to reinstall itself at a later date:
"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."
Dell's also posted a word document outlining how to spot and remove the certificate here for those interested. It remains unclear just how many computers are at risk, but given that Dell is expected to ship 10 million computers worldwide in the third quarter of 2015, the footprint likely isn't modest. And while Dell managed the problem better on the PR front than their predecessors, the fact that this keeps happening is no less disturbing.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: certificates, https, self-signed certificate, superfish
Companies: dell, lenovo


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 24 Nov 2015 @ 10:45am

    "It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

    Shots fired.

    link to this | view in chronology ]

    • icon
      orbitalinsertion (profile), 24 Nov 2015 @ 7:32pm

      Re:

      Sort of, possibly. The charitable (and one accurate) interpretation is due to the fact that simple removal of the cert itself does not get rid of it. Most will not know how to figure this out. (Even those who successfully delete the cert and don't know why theirs doesn't regenerate because they are in the habit of killing pointless services to begin with.)

      Still, could be a bit of attitude from Dell in there too.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Nov 2015 @ 11:27am

    Not found on OEM installed OS

    If you wipe the disk and install from media do not get the cert.

    link to this | view in chronology ]

  • identicon
    PRMan, 24 Nov 2015 @ 11:43am

    Good for Dell

    Still a mistake, but they handled it 10× better than Lenovo.

    * Admitting it was wrong
    * Thanked the researchers (instead of attacking them)
    * Apologized
    * Offered clear instructions to fix the problem

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Nov 2015 @ 12:37pm

    That's a better response than what they originally said on twitter:

    https://twitter.com/DellCares/status/668284772817477632

    "It doesn't cause any threat to the system..."

    They tried to get away with it - until they couldn't.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Nov 2015 @ 1:06pm

      Re:

      And they're still making a statement that's very likely to be false: "This certificate is not being used to collect personal customer information." Maybe not by Dell, but I'm sure other people are doing so now or will be soon.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Nov 2015 @ 1:49pm

    TAO thwarted -- at least this time...

    Put on your tinfoil hat & check out Dell's biggest customers.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Nov 2015 @ 2:43pm

      Re: TAO thwarted -- at least this time...

      I remember a time when a tinfoil hat was considered mandatory to even consider such a possibility.

      But at this point, my first thought when hearing about Dell's "whoops" was that it was likely less a bug - and more a feature. If no one notices, they give some of their favorite customers an easy https mitm vector (I mean, why bother crackin' when you have the keys). And if someone does notice, they have all the plausible deniability they need.

      link to this | view in chronology ]

  • identicon
    techlawfirm, 24 Nov 2015 @ 2:12pm

    Bye Dell

    I'm going to move my company account anyway to another vendor. I can't have security issues on my computer systems like this. Who knows what else is going on that hasn't been caught on all my Dell equipment? I expect third parties to try to gain access. I don't expect my supplier to screw me.

    link to this | view in chronology ]

  • icon
    techflaws (profile), 24 Nov 2015 @ 10:23pm

    I'd only considered it learning had they stopped their shenanigans the moment Lenovo's antics became public knowledge. So it's only the usual slow backtracking.

    link to this | view in chronology ]

  • icon
    afn29129 (profile), 25 Nov 2015 @ 4:54am

    a second time for Dell.

    Once the news-cycle catches up.... Headline #2: Dell did it again.
    https://www.kb.cert.org/vuls/id/925497

    Another root key, DSDTestProvider

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Nov 2015 @ 8:05am

    3rd time's a charm?

    http://arstechnica.com/security/2015/11/pcs-running-dell-support-app-can-be-uniquely-idd-by-sn oops-and-scammers/
    .. exploit works even when Dell customers have uninstalled the eDellRoot certificate using the removal tool or instructions Dell released Monday night ..

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.