Dell puts users at risk with dangerous eDellRoot root certificate

Dell is in the headlines for shipping PCs with a pre-installed trusted root certificate dubbed eDellRoot that opens users to a number of cyber attacks.

Dell is in the headlines for shipping PCs with a pre-installed trusted root certificate that opens users to a number of cyber attacks. Hackers could exploit it to compromise the security of encrypted HTTPS connections. The case has several similarities to the Lenovo one, do you remember Superfish?

Early 2015, experts discovered that Lenovo was shipping laptops with Superfish malware , a malware that allows to steal web traffic using man-in-the-middle attacks. SuperFish is considered by many antivirus companies as a potentially unwanted program, adware, or a trojan.

The “Superfish” malware installed on laptops was able to steal web traffic using fake, self-signed, root certificates to inject advertisements into sessions.  Lenovo has removed Superfish the malicious software after numerous users reported the embarrassing discovery on its forums by claiming to be victims of attacks.

A few months after the Lenovo case, Dell started deploying a trusted root certificate called eDellRoot.

The certificate is bundled with its private key, which open users to man-in-the-middle attacks, for example, if an affected Dell PC connects to a bogus Wi-Fi hotspot, attackers running the hotspot can exploit the eDellRoot certificate and the key to decrypt the victims’ web traffic and steal sensitive data.

The certificate as delivered on August 18 as part of an update to the Dell Foundation Services (DFS) application.

The eDellRoot certificate was discovered by researchers at Duo Labs who examined a Dell laptop, then the experts consulted the Censys project and discovered the certificate’s fingerprint in several locations.

What does this mean?

Simply that Dell has intentionally shipped the same keys in many other computers worldwide. In one case, the eDellRoot certificate was used to provide web services over HTTPS to a SCADA system.

“Given that this certificate can be used to sign SSL certificates for secure web communications, we talked to the good people at the Censys project. The Censys project uses zmap] to scan the whole IPv4 Internet and archive data, such as the SSL certificate that server sends when the scanner opens a connection. There do not appear to be any servers online that are using the initial eDellRoot certificate we discovered (98:A0:43:[…]).” states the report published by Duo Labs. “However, searching Censys for “eDellRoot” turned up another certificate, which was similar to the first one: same name and also self-signed. Normally, a given certificate would only be associated with one IP address, as it’s considered poor practice to share the private component of the certificate across multiple machines. Otherwise, it’s impossible to tell which computer actually sent a given message, a property that is often demanded in cryptosystems. “

The list of impacted systems includes XPS, OptiPlex, Inspiron, Vostoro, and Precision models.

“How this particular misconfiguration happened is unclear, but what is clear, is that this certificate is showing up in some extremely unusual and frankly concerning places,” continues the report.

Initially, Dell doesn’t explain the presence of eDellRoot, the company only declared that it “provides a core set of foundational services facilitating customer serviceability, messaging and support functions.”

Meantime, Dell updated the DFS application on Monday, after the news was circulating over the Internet. The company declared that it would be offering a tool to remove the certificate.

Unfortunately, the certificate cannot be simply removed due to a .DLL (–Dell.Foundation.Agent.Plugins.eDell.dll) included with the root certificate that reinstalls the file if it is deleted. Users have to delete both the .DLL and the certificate.

Dell plans to provide detailed information to remove the certificate and future machines will not include it.

“The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.” is the official statement released by Dell.

Pierluigi Paganini

(Security Affairs – eDellRoot, Dell)