Learning From Lenovo's Compounded Failures, Dell Apologizes For Its Own HTTPS Certificate Screw Up

from the yeah,-whoops dept

Dell this week found itself under fire for embedding a certificate in some PCs that makes it relatively easy for attackers to cryptographically impersonate HTTPS-protected websites. First discovered by a programmer named Joe Nord, Dell's eDellRoot certificate appears to have been preinstalled as a trusted root certificate on several Dell laptop and desktop models, with its private key stored on the same machine. As Nord notes, it is relatively simple to extract that locally-stored key, use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet, and trick users' browsers into accepting the resulting encrypted sessions with no security warning whatsoever. Because the same root (and the same key) ships on every affected machine, one extraction works against all of them.
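To make the mechanism concrete, here is an added example in Go (not code from the original article, from Dell, or from the researchers) that reproduces the failure with a hypothetical stand-in root named "Hypothetical OEM Support Root": a CA certificate generated together with its private key, a leaf certificate forged for an arbitrary hostname with that key, and the chain check a TLS client performs, run once with the root in the trust store and once with it removed. The root name, the hostname and the function names are assumptions of the example, not identifiers from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// mint generates a fresh P-256 key and issues tmpl for it; parent == nil self-signs.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeakedRoot stands in for a preinstalled OEM root: a CA certificate shipped
// together with its private key. The name is a hypothetical placeholder, not
// Dell's eDellRoot.
func newLeakedRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// forgeLeaf is the attacker step: with the root key extracted, anyone can sign a
// server certificate for any hostname without involving a CA. The leaf key is
// dropped here; a real attacker keeps it to complete the TLS handshake.
func forgeLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, hostname string) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return cert, err
}

// browserAccepts is the check a TLS client makes: the leaf must chain to a root
// in the trust store and name the host being connected to.
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, hostname string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// fingerprint returns the SHA-256 fingerprint of the DER certificate. Detection
// and removal rules should key on this, not on a friendly name anyone can reuse.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// runDemo forges a leaf for hostname and reports whether a client accepts it while
// the leaked root is trusted (trustedOK) and once it has been removed (removedOK).
func runDemo(hostname string) (fp string, trustedOK, removedOK bool, err error) {
	root, rootKey, err := newLeakedRoot("Hypothetical OEM Support Root")
	if err != nil {
		return "", false, false, err
	}
	leaf, err := forgeLeaf(root, rootKey, hostname)
	if err != nil {
		return "", false, false, err
	}
	withRoot := x509.NewCertPool()
	withRoot.AddCert(root)
	withoutRoot := x509.NewCertPool() // empty, not nil: nil would fall back to the system roots
	return fingerprint(root),
		browserAccepts(leaf, withRoot, hostname),
		browserAccepts(leaf, withoutRoot, hostname),
		nil
}
```

Calling `runDemo("mail.example.com")` returns true for the trusted check and false for the removed one: the forged leaf is indistinguishable from a legitimate certificate for as long as the root sits in the store, and no CA is ever contacted, so nothing short of removing that root (matched by fingerprint, not by its display name) or pinning the real site certificate defeats the attack.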
This is, of course, reminiscent of the Superfish fiasco that plagued Lenovo earlier this year. But in that case the culprit was third-party adware, while Dell's eDellRoot is the company's own abomination. Duo Security's research team, Duo Labs, says it discovered the same problem, noting that it had even found evidence of the root certificate on some SCADA systems, typically used in places like factories, dams and power stations. Like Nord, Duo's researchers note that it is rather incredible that Dell would not have discovered and fixed this problem after what happened to Lenovo:
"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Tampering with the certificate store is a questionable practice, and OEMs need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."
However, Dell did appear to learn something in terms of its PR response to the vulnerability. Unlike Lenovo, which originally tried to deny any security problem whatsoever, Dell has issued a relatively straightforward blog post addressing the issue. In it, Dell does something downright kooky: it admits that the vulnerability is a vulnerability, and publicly thanks the security researchers who discovered it. According to Dell, the certificate was implemented as part of a support tool "intended to make it faster and easier" for users to service their system.

Dell is quick to remind readers that at least it wasn't adware, and that, unlike Lenovo's snoopvertising, it won't stealthily hide in the BIOS to reinstall itself at a later date:
"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."
Dell has also posted a Word document outlining how to spot and remove the certificate here for those interested. Note the wording in Dell's own statement, "properly removed using the recommended Dell process": deleting the certificate from the trust store alone is not enough, because the support software that installed it has to go as well. It remains unclear just how many computers are at risk, but given that Dell is expected to ship 10 million computers worldwide in the third quarter of 2015, the footprint likely isn't modest. And while Dell managed the problem better on the PR front than its predecessors, the fact that this keeps happening is no less disturbing.

Reader Comments

    Anonymous Coward, 24 Nov 2015 @ 10:45am

    "It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

    Shots fired.


      orbitalinsertion (profile), 24 Nov 2015 @ 7:32pm

      Re:

      Sort of, possibly. The charitable (and one accurate) interpretation is due to the fact that simple removal of the cert itself does not get rid of it. Most will not know how to figure this out. (Even those who successfully delete the cert may not know why theirs doesn't regenerate, because they are in the habit of killing pointless services to begin with.)

      Still, could be a bit of attitude from Dell in there too.


    Anonymous Coward, 24 Nov 2015 @ 11:27am

    Not found on OEM installed OS

    If you wipe the disk and install from media, you do not get the cert.


    PRMan, 24 Nov 2015 @ 11:43am

    Good for Dell

    Still a mistake, but they handled it 10× better than Lenovo.

    * Admitting it was wrong
    * Thanked the researchers (instead of attacking them)
    * Apologized
    * Offered clear instructions to fix the problem


    Anonymous Coward, 24 Nov 2015 @ 12:37pm

    That's a better response than what they originally said on twitter:

    https://twitter.com/DellCares/status/668284772817477632

    "It doesn't cause any threat to the system..."

    They tried to get away with it - until they couldn't.


      Anonymous Coward, 24 Nov 2015 @ 1:06pm

      Re:

      And they're still making a statement that's very likely to be false: "This certificate is not being used to collect personal customer information." Maybe not by Dell, but I'm sure other people are doing so now or will be soon.


    Anonymous Coward, 24 Nov 2015 @ 1:49pm

    TAO thwarted -- at least this time...

    Put on your tinfoil hat & check out Dell's biggest customers.


      Anonymous Coward, 24 Nov 2015 @ 2:43pm

      Re: TAO thwarted -- at least this time...

      I remember a time when a tinfoil hat was considered mandatory to even consider such a possibility.

      But at this point, my first thought when hearing about Dell's "whoops" was that it was likely less a bug - and more a feature. If no one notices, they give some of their favorite customers an easy https mitm vector (I mean, why bother crackin' when you have the keys). And if someone does notice, they have all the plausible deniability they need.


    techlawfirm, 24 Nov 2015 @ 2:12pm

    Bye Dell

    I'm going to move my company account anyway to another vendor. I can't have security issues on my computer systems like this. Who knows what else is going on that hasn't been caught on all my Dell equipment? I expect third parties to try to gain access. I don't expect my supplier to screw me.


    techflaws (profile), 24 Nov 2015 @ 10:23pm

    I'd only consider it learning had they stopped their shenanigans the moment Lenovo's antics became public knowledge. So it's only the usual slow backtracking.


    afn29129 (profile), 25 Nov 2015 @ 4:54am

    a second time for Dell.

    Once the news-cycle catches up.... Headline #2: Dell did it again.
    https://www.kb.cert.org/vuls/id/925497

    Another root key, DSDTestProvider


    Anonymous Coward, 25 Nov 2015 @ 8:05am

    3rd time's a charm?

    http://arstechnica.com/security/2015/11/pcs-running-dell-support-app-can-be-uniquely-idd-by-snoops-and-scammers/
    .. exploit works even when Dell customers have uninstalled the eDellRoot certificate using the removal tool or instructions Dell released Monday night ..


