Learning From Lenovo's Compounded Failures, Dell Apologizes For Its Own HTTPS Certificate Screw Up

from the yeah,-whoops dept

Tue, Nov 24th 2015 10:38am — Karl Bode

Dell this week found itself under fire for embedding a certificate in some PCs that makes it relatively easy for attackers to cryptographically impersonate HTTPS-protected websites. First discovered by a programmer named Joe Nord, Dell's eDellRoot certificate appears to have been preinstalled as a root certificate on several Dell laptop and desktop models. As Nord notes, it's relatively simple to extract the locally-stored key, sign fraudulent TLS certificates for any HTTPS-protected website on the Internet, and trick user browsers to accept these encrypted Web sessions with no security warnings whatsoever.

This is, of course, reminiscent of the Superfish fiasco that plagued Lenovo earlier this year. But in that case the culprit was third-party adware, while Dell's eDellRoot is the company's own abomination. Duo Labs Security says it discovered the same problem, noting that it had even found evidence of the root certificate on some SCADA systems, typically used in places like factories, dams and power stations. Like Nord, Duo's researchers note that it's rather incredible that Dell wouldn't have discovered and fixed this problem after what happened to Lenovo:

"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Tampering with the certificate store is a questionable practice, and OEM’s need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."

However Dell did appear to learn something in terms of their PR response to the vulnerability. Unlike Lenovo, which originally tried to deny any security problem whatsoever, Dell has issued a relatively straight forward blog post addressing the issue. In it, Dell does something downright kooky: it admits that the vulnerability is a vulnerability, and publicly thanks the security researchers that discovered it. According to Dell, the certificate was implemented as part of a support tool "intended to make it faster and easier" for users to service their system.

Dell's quick to remind readers that at least it wasn't adware, and unlike Lenovo's snoopvertising, it won't stealthily hide in the BiOS to reinstall itself at a later date:

"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

Dell's also posted a word document outlining how to spot and remove the certificate here for those interested. It remains unclear just how many computers are at risk, but given that Dell is expected to ship 10 million computers worldwide in the third quarter of 2015, the footprint likely isn't modest. And while Dell managed the problem better on the PR front than their predecessors, the fact that this keeps happening is no less disturbing.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: certificates, https, self-signed certificate, superfish
Companies: dell, lenovo

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

The First Word

“

Re: TAO thwarted -- at least this time...

I remember a time when a tinfoil hat was considered mandatory to even consider such a possibility.

But at this point, my first thought when hearing about Dell's "whoops" was that it was likely less a bug - and more a feature. If no one notices, they give some of their favorite customers an easy https mitm vector (I mean, why bother crackin' when you have the keys). And if someone does notice, they have all the plausible deniability they need.

—Anonymous Coward

”

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 24 Nov 2015 @ 10:45am

"It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

Shots fired.
[ link to this | view in chronology ]
- orbitalinsertion (profile), 24 Nov 2015 @ 7:32pm
  
  Re:
  Sort of, possibly. The charitable (and one accurate) interpretation is due to the fact that simple removal of the cert itself does not get rid of it. Most will not know how to figure this out. (Even those who successfully delete the cert and don't know why theirs doesn't regenerate because they are in the habit of killing pointless services to begin with.)
  
  Still, could be a bit of attitude from Dell in there too.
  [ link to this | view in chronology ]
Anonymous Coward, 24 Nov 2015 @ 11:27am

Not found on OEM installed OS
If you wipe the disk and install from media do not get the cert.
[ link to this | view in chronology ]
PRMan, 24 Nov 2015 @ 11:43am

Good for Dell
Still a mistake, but they handled it 10× better than Lenovo.

* Admitting it was wrong
* Thanked the researchers (instead of attacking them)
* Apologized
* Offered clear instructions to fix the problem
[ link to this | view in chronology ]
Anonymous Coward, 24 Nov 2015 @ 12:37pm

That's a better response than what they originally said on twitter:

https://twitter.com/DellCares/status/668284772817477632

"It doesn't cause any threat to the system..."

They tried to get away with it - until they couldn't.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Nov 2015 @ 1:06pm
  
  Re:
  And they're still making a statement that's very likely to be false: "This certificate is not being used to collect personal customer information." Maybe not by Dell, but I'm sure other people are doing so now or will be soon.
  [ link to this | view in chronology ]
Anonymous Coward, 24 Nov 2015 @ 1:49pm

TAO thwarted -- at least this time...
Put on your tinfoil hat & check out Dell's biggest customers.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Nov 2015 @ 2:43pm
  
  Re: TAO thwarted -- at least this time...
  I remember a time when a tinfoil hat was considered mandatory to even consider such a possibility.
  
  But at this point, my first thought when hearing about Dell's "whoops" was that it was likely less a bug - and more a feature. If no one notices, they give some of their favorite customers an easy https mitm vector (I mean, why bother crackin' when you have the keys). And if someone does notice, they have all the plausible deniability they need.
  [ link to this | view in chronology ]
techlawfirm, 24 Nov 2015 @ 2:12pm

Bye Dell
I'm going to move my company account anyway to another vendor. I can't have security issues on my computer systems like this. Who knows what else is going on that hasn't been caught on all my Dell equipment? I expect third parties to try to gain access. I don't expect my supplier to screw me.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Nov 2015 @ 2:26pm
  
  Re: Bye Dell
  "Who knows what else is going on that hasn't been caught on all my Dell equipment?"
  
  Definitely move to HP:
  
  Carly "I heart NSA/CIA" Fiorina: I Supplied HP Servers for NSA Snooping
  
  http://motherboard.vice.com/read/carly-fiorina-i-supplied-hp-servers-for-nsa-snooping
  
  https:/ /en.wikipedia.org/wiki/Carly_Fiorina
  [ link to this | view in chronology ]
- nasch (profile), 25 Nov 2015 @ 2:57pm
  
  Re: Bye Dell
  I'm going to move my company account anyway to another vendor.
  
  What vendor do you suppose never does any of these things and never will?
  [ link to this | view in chronology ]
- LduN (profile), 26 Nov 2015 @ 11:33am
  
  Re: Bye Dell
  Or.... you know, you could create a clean install image with only the software your company needs to function, and no other bloatware installed on it from factory. I'm still amazed that business don't do this as a standard practice. I mean sure the first machine will take a bit to get setup as needed, but all other machines should take less than an hour, especially if they are all the same model of system (drivers and whatnow are identical).
  [ link to this | view in chronology ]
techflaws (profile), 24 Nov 2015 @ 10:23pm

I'd only considered it learning had they stopped their shenanigans the moment Lenovo's antics became public knowledge. So it's only the usual slow backtracking.
[ link to this | view in chronology ]
afn29129 (profile), 25 Nov 2015 @ 4:54am

a second time for Dell.
Once the news-cycle catches up.... Headline #2: Dell did it again.
https://www.kb.cert.org/vuls/id/925497

Another root key, DSDTestProvider
[ link to this | view in chronology ]
Anonymous Coward, 25 Nov 2015 @ 8:05am

3rd time's a charm?

http://arstechnica.com/security/2015/11/pcs-running-dell-support-app-can-be-uniquely-idd-by-sn oops-and-scammers/
.. exploit works even when Dell customers have uninstalled the eDellRoot certificate using the removal tool or instructions Dell released Monday night ..
[ link to this | view in chronology ]