
Superfish 2.0: Dell ships laptops, PCs with gaping internet security hole


Batu69


Root CA certificate opens up folks to banking, shopping snooping, etc

Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more.

The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.

If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The root CA cert appears to have been created in early April this year, and expires in the year 2039.

How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell's security blunder.

The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.

Web browsers, and other software, running on the affected Dell hardware will trust any certificates issued by eDellRoot. When the browser tries to connect to, say, your bank's HTTPS-protected website, it could in fact be connecting to a malicious system on your network, such as the aforementioned evil wireless hotspot. This system can pretend to be your bank's website, using an eDellRoot-signed SSL certificate, and you would be none the wiser as you type in your username and password. The intercepting system can even log into the bank on your behalf and pass the webpages back to your browser so you're none the wiser of what's going on.

Dell customers reported over the weekend finding the root CA certificate on newer Dell XPS, Precision and Inspiron desktops and notebooks.

So far, we've seen reports on Twitter and Reddit of the following affected gear: the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, and the Precision M4800.

Our San Francisco office's Inspiron 15 series laptop is also affected.


Caught red-handed ... the eDellRoot CA cert on a Dell machine – (Source)

Information security expert Kenn White has created a webpage that demonstrates how vulnerable Dell computers will happily accept HTTPS connections signed with the eDellRoot key.

Crucially, White also said Firefox is not affected by the rogue certificate because it uses its own set of trusted certs.

If you have a recent XPS 15 running Windows and can load my page: https://t.co/qExUHLQwH0 then you're vulnerable to Dell's bogus root cert.
— Kenn White (@kennwhite) November 23, 2015

Another site to test whether your Dell is vulnerable to man-in-the-middle attacks can be found here.

Dell computer owner Joe Nord, who blogged details of the certificate installed in his Inspiron machine, noted the obvious security flaw with eDellRoot.

"Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit," he explained. "Where it breaks down is that the private key IS PRESENT on my computer and that means ... bad."

Dell has yet to respond to a request for comment on the matter, although the Dell Cares support account on Twitter is downplaying the risk of attack for users:

@rotorcowboy It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system, so we don't recommend-1
— DellCares (@DellCares) November 22, 2015

The issue is just like Lenovo's February Superfish scandal in which the PC-slinger was caught loading its machines with a tool capable of intercepting SSL traffic and injecting adverts into pages. In fact, the Dell certificate was created months after the Superfish blowup – was no one at the Texas goliath paying attention?

News source

And now here's how you can really destroy it

According to an analysis [PDF] by Duo Security, a bundled plugin reinstalls the root CA file if it is removed. First, you must delete Dell.Foundation.Agent.Plugins.eDell.dll from your system (search for it) and then remove the eDellRoot root CA certificate.

The cert, we're told, is used with the plugin for receiving cryptographically signed telemetry requests; said telemetry includes things like the machine's service tag, a seven-character serial number that identifies the computer model, if not the individual machine.

"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk," the Duo team – Darren Kemp, Mikhail Davidov, and Kyle Lady – wrote in their report.

"Tampering with the certificate store is a questionable practice, and OEM’s need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."

Updated to add at 1610 PT / 0010 GMT
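An added audit-and-cleanup script for the removal steps the post describes (DLL first, then the certificate); it is not from the article, Duo's report, or Dell. It assumes an elevated PowerShell session, searches Program Files for the plugin because the post gives no path, and the `-Remove` switch is the script's own convention.

```powershell
# Added example (not from the article, Duo's report, or Dell): audit a Windows box for the
# eDellRoot trust anchor and the plugin DLL that reinstalls it, then remove them in the
# order the post gives (DLL first, certificate second). Run from an elevated PowerShell.
# Assumption: the DLL lives somewhere under Program Files, so it is located by search.
param([switch]$Remove)

$dllName = 'Dell.Foundation.Agent.Plugins.eDell.dll'

# 1. Look for the rogue CA in the machine-wide and per-user trusted-root stores.
$rogue = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'eDellRoot' }
}

if (-not $rogue) {
    Write-Output 'eDellRoot not found in any trusted-root store.'
} else {
    foreach ($cert in $rogue) {
        # A root whose private key is present on the endpoint is the core problem:
        # anyone holding that key can mint leaf certificates this machine will trust.
        $line = '{0}  thumbprint={1} hasPrivateKey={2} notAfter={3:yyyy-MM-dd}'
        Write-Output ($line -f $cert.PSParentPath, $cert.Thumbprint, $cert.HasPrivateKey, $cert.NotAfter)
    }
}

# 2. Look for the plugin that puts the certificate back after the next boot.
$dlls = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } |
    ForEach-Object { Get-ChildItem $_ -Recurse -Filter $dllName -ErrorAction SilentlyContinue }
foreach ($dll in $dlls) { Write-Output "plugin present: $($dll.FullName)" }

if ($Remove) {
    # DLL first; if the file is in use, stop the Dell service that loaded it and retry.
    foreach ($dll in $dlls)  { Remove-Item $dll.FullName -Force }
    # -DeleteKey also destroys the private key material, not just the store entry.
    foreach ($cert in $rogue) { Remove-Item $cert.PSPath -DeleteKey -Force }
}
```

Firefox keeps its own trust store, so this check only covers software that uses the Windows certificate stores. Reboot afterwards and run the script again to confirm the certificate did not come back.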


LOL. Glad the first thing I have always been doing is to format the whole HDD and wipe out any OEM crap that's bundled with the OS.
