Learning From Lenovo's Compounded Failures, Dell Apologizes For Its Own HTTPS Certificate Screw Up
from the yeah,-whoops dept
Dell this week found itself under fire for embedding a certificate in some PCs that makes it relatively easy for attackers to cryptographically impersonate HTTPS-protected websites. First discovered by a programmer named Joe Nord, Dell's eDellRoot certificate appears to have been preinstalled as a root certificate on several Dell laptop and desktop models. As Nord notes, it's relatively simple to extract the locally stored private key, sign fraudulent TLS certificates for any HTTPS-protected website on the Internet, and trick users' browsers into accepting these encrypted Web sessions with no security warnings whatsoever.

"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Tampering with the certificate store is a questionable practice, and OEMs need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."

However, Dell did appear to learn something in terms of its PR response to the vulnerability. Unlike Lenovo, which originally tried to deny any security problem whatsoever, Dell has issued a relatively straightforward blog post addressing the issue. In it, Dell does something downright kooky: it admits that the vulnerability is a vulnerability, and publicly thanks the security researchers who discovered it. According to Dell, the certificate was implemented as part of a support tool "intended to make it faster and easier" for users to service their system.
Dell's quick to remind readers that at least it wasn't adware, and unlike Lenovo's snoopvertising, it won't stealthily hide in the BIOS to reinstall itself at a later date:
"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It's also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

Dell has also posted a Word document outlining how to spot and remove the certificate here for those interested. It remains unclear just how many computers are at risk, but given that Dell is expected to ship 10 million computers worldwide in the third quarter of 2015, the footprint likely isn't modest. And while Dell managed the problem better on the PR front than its predecessors, the fact that this keeps happening is no less disturbing.
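As an added example (not Dell's removal tool and not code from the article), the PowerShell check below does the "spot" half of the job from a defender's side. Run from an elevated prompt on a Windows PC, it walks the machine and user trusted-root stores and reports any certificate that matches the names the article and its comments mention (eDellRoot, DSDTestProvider) and, more generally, any trusted root whose private key is present on the machine, which is the condition that lets such a root be used to sign certificates the browser accepts without warning. The subject-name list and the Reason labels are the example's own assumptions.

```powershell
# Added example; not Dell's tool and not from the article.
# Reports trusted-root certificates that are either (a) the OEM-injected roots
# named on the page (eDellRoot, DSDTestProvider) or (b) any root whose private
# key is present on this machine. Case (b) is the general form of the problem:
# a trusted root with a locally present private key can be used to mint
# certificates for arbitrary sites that the browser will accept silently.
# The name list is an assumption of this example; extend it as needed.
$SuspectSubjects = @('eDellRoot', 'DSDTestProvider')

function Find-SuspectRootCert {
    [CmdletBinding()]
    param(
        [string[]]$Subjects = $SuspectSubjects,
        [switch]$Remove   # delete matches; LocalMachine\Root needs an elevated shell
    )

    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue
        foreach ($cert in $certs) {
            $reasons = @()
            foreach ($name in $Subjects) {
                if ($cert.Subject -match [regex]::Escape($name)) {
                    $reasons += "subject matches '$name'"
                }
            }
            # A root CA's private key has no business on an end-user PC.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present locally'
            }
            if ($reasons.Count -eq 0) { continue }

            # Basic Constraints tells us whether the cert is actually a CA.
            $basic = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                IsCA          = [bool]($null -ne $basic -and $basic.CertificateAuthority)
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                Reason        = ($reasons -join '; ')
            }

            if ($Remove) {
                $path = Join-Path -Path $store -ChildPath $cert.Thumbprint
                Remove-Item -Path $path -ErrorAction Stop
                Write-Verbose "Removed $path"
            }
        }
    }
}

# Report only; add -Remove (from an elevated prompt) to delete the matches.
Find-SuspectRootCert | Format-Table -AutoSize
```

Two caveats. A hit on the "private key present locally" reason is expected on an actual certificate-authority server, so the check is meant for workstations, not CA hosts. And deleting the certificate with -Remove is only the narrow fix: the article quotes Dell saying the certificate stays gone once removed via Dell's recommended process, so treat the switch as a stopgap and still follow that process.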
Filed Under: certificates, https, self-signed certificate, superfish
Companies: dell, lenovo
Reader Comments
The First Word
Re: TAO thwarted -- at least this time...
I remember a time when a tinfoil hat was considered mandatory to even consider such a possibility. But at this point, my first thought when hearing about Dell's "whoops" was that it was likely less a bug - and more a feature. If no one notices, they give some of their favorite customers an easy https mitm vector (I mean, why bother crackin' when you have the keys). And if someone does notice, they have all the plausible deniability they need.
Shots fired.
Not found on OEM installed OS
Good for Dell
* Admitting it was wrong
* Thanked the researchers (instead of attacking them)
* Apologized
* Offered clear instructions to fix the problem
https://twitter.com/DellCares/status/668284772817477632
"It doesn't cause any threat to the system..."
They tried to get away with it - until they couldn't.
Re:
TAO thwarted -- at least this time...
Bye Dell
Re: Bye Dell
Definitely move to HP:
Carly "I heart NSA/CIA" Fiorina: I Supplied HP Servers for NSA Snooping
http://motherboard.vice.com/read/carly-fiorina-i-supplied-hp-servers-for-nsa-snooping
https://en.wikipedia.org/wiki/Carly_Fiorina
Re: TAO thwarted -- at least this time...
Re:
Still, could be a bit of attitude from Dell in there too.
a second time for Dell.
https://www.kb.cert.org/vuls/id/925497
Another root key, DSDTestProvider
http://arstechnica.com/security/2015/11/pcs-running-dell-support-app-can-be-uniquely-idd-by-snoops-and-scammers/
Re: Bye Dell
What vendor do you suppose never does any of these things and never will?
Re: Bye Dell