Learning From Lenovo's Compounded Failures, Dell Apologizes For Its Own HTTPS Certificate Screw Up

from the yeah,-whoops dept

Dell this week found itself under fire for embedding a certificate in some PCs that makes it relatively easy for attackers to cryptographically impersonate HTTPS-protected websites. First discovered by a programmer named Joe Nord, Dell’s eDellRoot certificate appears to have been preinstalled as a root certificate on several Dell laptop and desktop models. As Nord notes, it’s relatively simple to extract the locally-stored key, sign fraudulent TLS certificates for any HTTPS-protected website on the Internet, and trick user browsers to accept these encrypted Web sessions with no security warnings whatsoever.

This is, of course, reminiscent of the Superfish fiasco that plagued Lenovo earlier this year. But in that case the culprit was third-party adware, while Dell’s eDellRoot is the company’s own abomination. Duo Labs Security says it discovered the same problem, noting that it had even found evidence of the root certificate on some SCADA systems, typically used in places like factories, dams and power stations. Like Nord, Duo’s researchers note that it’s rather incredible that Dell wouldn’t have discovered and fixed this problem after what happened to Lenovo:

“This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Tampering with the certificate store is a questionable practice, and OEM?s need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over.”

However Dell did appear to learn something in terms of their PR response to the vulnerability. Unlike Lenovo, which originally tried to deny any security problem whatsoever, Dell has issued a relatively straight forward blog post addressing the issue. In it, Dell does something downright kooky: it admits that the vulnerability is a vulnerability, and publicly thanks the security researchers that discovered it. According to Dell, the certificate was implemented as part of a support tool “intended to make it faster and easier” for users to service their system.

Dell’s quick to remind readers that at least it wasn’t adware, and unlike Lenovo’s snoopvertising, it won’t stealthily hide in the BiOS to reinstall itself at a later date:

“The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It?s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.”

Dell’s also posted a word document outlining how to spot and remove the certificate here for those interested. It remains unclear just how many computers are at risk, but given that Dell is expected to ship 10 million computers worldwide in the third quarter of 2015, the footprint likely isn’t modest. And while Dell managed the problem better on the PR front than their predecessors, the fact that this keeps happening is no less disturbing.

Filed Under: , , ,
Companies: dell, lenovo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Learning From Lenovo's Compounded Failures, Dell Apologizes For Its Own HTTPS Certificate Screw Up”

Subscribe: RSS Leave a comment
15 Comments
orbitalinsertion (profile) says:

Re: Re:

Sort of, possibly. The charitable (and one accurate) interpretation is due to the fact that simple removal of the cert itself does not get rid of it. Most will not know how to figure this out. (Even those who successfully delete the cert and don’t know why theirs doesn’t regenerate because they are in the habit of killing pointless services to begin with.)

Still, could be a bit of attitude from Dell in there too.

Anonymous Coward says:

Re: TAO thwarted -- at least this time...

I remember a time when a tinfoil hat was considered mandatory to even consider such a possibility.

But at this point, my first thought when hearing about Dell’s “whoops” was that it was likely less a bug – and more a feature. If no one notices, they give some of their favorite customers an easy https mitm vector (I mean, why bother crackin’ when you have the keys). And if someone does notice, they have all the plausible deniability they need.

LduN (profile) says:

Re: Bye Dell

Or…. you know, you could create a clean install image with only the software your company needs to function, and no other bloatware installed on it from factory. I’m still amazed that business don’t do this as a standard practice. I mean sure the first machine will take a bit to get setup as needed, but all other machines should take less than an hour, especially if they are all the same model of system (drivers and whatnow are identical).

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...