Dell does a Superfish, ships PCs with easily cloneable root certificates
-
From Ars Technica:
"In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website. The self-signed transport layer security credential, which was issued by an entity calling itself eDellRoot, was preinstalled as a root certificate on at least two Dell laptops, one an Inspiron 5000 series notebook and the other an XPS 15 model. Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet. Depending on the browser used, any Dell computer that ships with the root certificate described above will then accept the encrypted Web sessions with no warnings whatsoever. At least some Dell Inspiron desktops and Precision M4800 models are also reported to be affected."
Very disappointing news as I have been a fan of Dell's hardware for a while and stopped buying Lenovo in part due to the Superfish debacle... All the more reason to make sure a fresh OS install is a part of setting up new computers!
-
@WingCreative said:
Very disappointing news as I have been a fan of Dell's hardware for a while and stopped buying Lenovo in part due to the Superfish debacle... All the more reason to make sure a fresh OS install is a part of setting up new computers!
Thankfully with this one you can do a fresh install and get around it.
-
Any address available for hate mail to Dell? I'd like to send them a thermal nuclear hot one.
-
@MattSpeller said:
Any address available for hate mail to Dell? I'd like to send them a thermal nuclear hot one.
Send them ALL the glitter..... All of it...
-
Dan Goodin's closing paragraphs in Ars' follow-up article about this pretty much hit the nail on the head for me:
"Dell's response is a good start insofar as it offers customers an immediate remedy, apologizes, and thanks the people who brought the major security blunder to light. Now, it's time for Dell to do much more. For months now, Dell marketers have assured the public that each pre-installed app "undergoes security, privacy and usability testing." The presence of a root certificate that included the same easily extracted private key on multiple computers is proof that the process in this case failed in spectacular fashion. If Dell is serious about regaining customers' trust, company officials should explain how this failure happened and what steps are being taken to ensure similar lapses don't happen again.
Any breached company can gush about how seriously it takes security. The ones that really mean it are willing to be transparent about their failures, even if it means taking a brief hit to the company's public image. It will be worth watching Dell carefully in the coming days to see which path company officials choose."
It's nice to see that Dell has quickly taken some steps in regaining people's trust. Releasing a tool to automatically remove the certificate less than 24 hours since the original story broke is a good move! I'd still like to know what part of their sanity check review process failed to get it out in the first place though...
-
This really just highlights that bloatware is a bad idea. If they weren't including unnecessary garbage this could not have happened. They are setting themselves up for failure by intentionally having a process by which they need to scrutinize all this stuff that they are installing for no reason. Simply don't install it and you don't even need to verify it!
-
@StrongBad said:
This really just highlights that bloatware is a bad idea. If they weren't including unnecessary garbage this could not have happened. They are setting themselves up for failure by intentionally having a process by which they need to scrutinize all this stuff that they are installing for no reason. Simply don't install it and you don't even need to verify it!
Nailed it.
OEMs need to cease with the garbage software
-
@MattSpeller said:
@StrongBad said:
This really just highlights that bloatware is a bad idea. If they weren't including unnecessary garbage this could not have happened. They are setting themselves up for failure by intentionally having a process by which they need to scrutinize all this stuff that they are installing for no reason. Simply don't install it and you don't even need to verify it!
Nailed it.
OEMs need to cease with the garbage software
That's where the money's at, especially in consumer PCs. Many times the bloatware pays for the computer, and selling it is all profit.
-
Sadly they can't if they want to compete. The average consumer only cares about one thing.. price. They will sell their soul for price - this has been proven time and time again.
-
There is a fix available:
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertFix.exe
(Same topic also here: http://mangolassi.it/topic/7017/dell-root-ca-shenanigans/4 ... didn't see this one before posting the other one)
-
Well, they aren't out of the woods yet...
Second Dell backdoor root cert found
A second root certificate has been found in new Dell laptops days after the first backdoor was revealed. The DSDTestProvider certificate was first discovered by Laptopmag. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key.
http://www.theregister.co.uk/2015/11/25/dsdtestprovider/
-
@nadnerB This is starting to piss me off.
-
Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.
The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.
-
Geez... can we trust anyone these days?
I'm guessing that a dev created the self-signed cert in the lab, then rushed it out to production without removing it. Why they would need a self-signed when Dell can easily afford a wildcard cert for any domain they want.
But now there's another cert in their software? WTF?
Does this mean we have to put Dell on the ban list?
Probably not, because it does not appear that either a) they did it on purpose to weaken our security b) because they didn't care about customers and were just installing third party junk to get paid.
-
@Dashrender We emailed several nasty-grams to our rep. They seem suitably ashamed. We'll continue using them. What's important to note here is that there's no reports of the Latitudes being part of it.
-
@MattSpeller Hmmm.. wonder if that's true?
trax.x10.mx/apps.html
This tool will scan your local certificate repository and tell you if there is anything odd or unexpected in the repository.
Also, do the Latitudes come with this Dell support software like the consumer models?
But then we could ask the same issue of Lenovo. Scott declares that you can't buy anything with Lenovo's name on it since they have been shown to be untrustworthy, even though the ThinkPad versions have never been shown to have any of the SuperFish crap or driver shim problems that the consumer versions did. Sure there was that auto reinstall Lenovo manager software, but at least Lenovo's manager software wasn't installing a self-signed cert with the private key installed so anyone could spoof them, etc.
Basically, I'm asking, why would Dell get a pass assuming their business line wasn't affected, if Lenovo doesn't get one for the same reason?
-
@Dashrender said:
@MattSpeller Hmmm.. wonder if that's true?
trax.x10.mx/apps.html
This tool will scan your local certificate repository and tell you if there is anything odd or unexpected in the repository.
Also, do the Latitudes come with this Dell support software like the consumer models?
I think it's available through "Dell digital software delivery" as an option. We just got in 3 new 6440s so I'll check.
Basically, I'm asking, why would Dell get a pass assuming their business line wasn't affected, if Lenovo doesn't get one for the same reason?
FWIW I would begin to look at HP (and have, but not seriously), except for the fact that we're tied to Dell for the next 3 years no matter what.
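-
The store check discussed in this thread, as an added example that is not part of any poster's message and is not Dell's removal tool: a PowerShell scan of the Windows trusted root stores for the two certificate names mentioned above. It also goes one step beyond the thread and flags any trusted root whose private key sits on the machine, which is the underlying flaw in both cases. The function name `Get-SuspectRootCertificate` is hypothetical, and matching on the subject CN is an assumption, since the thread gives names but no thumbprints.

```powershell
# Added example. Names come from the thread; no thumbprints are given there,
# so matching is done on the certificate subject (assumption).
$KnownBadNames = @('eDellRoot', 'DSDTestProvider')

# Trusted root stores for the machine and for the current user.
$RootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-SuspectRootCertificate {
    param(
        [string[]]$StorePath = $RootStores,
        [string[]]$Name      = $KnownBadNames
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            $reasons = @()
            foreach ($n in $Name) {
                # Match the CN component exactly, not as a substring of a longer name.
                if ($cert.Subject -match "CN=$([regex]::Escape($n))(,|$)") {
                    $reasons += "subject matches $n"
                }
            }
            # A trusted root should never ship with its private key on the endpoint:
            # whoever holds that key can sign certificates this machine will accept.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present in store'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = $reasons -join '; '
                }
            }
        }
    }
}

$findings = @(Get-SuspectRootCertificate)
if ($findings.Count -eq 0) {
    Write-Output 'No matching root certificates found.'
} else {
    $findings | Format-List
}
```

The scan is read-only and removes nothing. A "private key present" hit on a name other than the two above can come from local development or inspection tools, so review it before acting.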