• Dell’s turn: Sells computers with backdoor

    #503299

    First Lenovo, now Dell. And some journalistic mileage out of one story.

    Dell: Yes, we shipped laptops, PCs with a nasty web security hole

    The Register

    by Chris Williams
    24 Nov 2015

    http://www.theregister.co.uk/2015/11/24/dell_superfish_2/

    Dell says it will publish a guide to remove the web security backdoor it installed in its Windows laptops and desktop PCs.

    This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole in their defenses.

    New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

    The certificate is bundled with its private key, which is a boon for man-in-the-middle attackers…. [continue reading at above link]

    Superfish 2.0: Dell ships laptops, PCs with gaping internet security hole

    The Register

    by Shaun Nichols
    23 Nov 2015

    http://www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/

    Dell ships computers with all the tools necessary for crooks to spy on the owners’ online banking, shopping, webmail, and more.

    The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.

    If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The root CA cert appears to have been created in early April this year, and expires in the year 2039…. [continue reading at above link]

    Superfish 2.0 worsens: Dell’s dodgy security certificate is an unkillable zombie
    And now here’s how you can really destroy it

    The Register

    by Shaun Nichols
    23 Nov 2015

    http://www.theregister.co.uk/2015/11/23/dell_security_nightmare_gets_worse/

    …. You can find the dangerous certificate by opening up the Start menu, select “Run”, type in “certmgr.msc” into the box and hit Enter. Then open up the “Trusted Root Certification Authority” folder on the left, then “Certificates”, and in the window should appear “eDellRoot”. That’s the SOB you’re looking for. Right-click over it, hit “Remove”, click through the warning box. And it’s gone…. [continue reading at above link]
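      The certmgr.msc steps above find and remove the certificate by hand on one machine. The following PowerShell script is an added example, not part of the original post or of Dell's removal tool: it audits both root stores for the two subject names named in this thread (eDellRoot and DSDTestProvider), reports whether a private key is attached to each hit (the condition that makes a trusted root dangerous), and removes the certificates only when run with -Remove from an elevated prompt. The subject-name list and store paths are assumptions based on what the thread reports.

```powershell
# Added example (not from the thread or The Register): audit the Windows
# certificate stores for the eDellRoot and DSDTestProvider root certificates
# named in the thread, show whether a private key is attached, and remove
# them only when -Remove is given. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Remove
)

# Subject names reported in the thread; matched as substrings of the Subject
# field so a slightly different display name is still caught (assumption).
$suspectNames = @('eDellRoot', 'DSDTestProvider')

# Root stores for the machine and the current user. A self-signed CA placed
# in either store is trusted by every browser that uses the Windows store.
$storePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspectRootCert {
    param([string[]]$Names, [string[]]$Stores)
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | Where-Object {
            $subject = $_.Subject
            [bool]($Names | Where-Object { $subject -like "*$_*" })
        } | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key is on the box is the real
                # problem: whoever holds that key can issue certificates this
                # machine will accept for any web site.
                HasPrivateKey = $_.HasPrivateKey
                PSPath        = $_.PSPath
            }
        }
    }
}

$found = @(Find-SuspectRootCert -Names $suspectNames -Stores $storePaths)

if ($found.Count -eq 0) {
    Write-Host 'No eDellRoot or DSDTestProvider certificates found in the root stores.'
    return
}

$found | Format-Table Store, Subject, Thumbprint, HasPrivateKey, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Deleting from Cert:\LocalMachine\Root requires elevation.
        Remove-Item -Path $cert.PSPath -Verbose
    }
    # The thread reports the certificate being reinstalled at the next boot
    # by Dell's own software, so re-run this audit after a reboot to confirm
    # the removal stuck.
}
```

      Run it once without arguments to see what is present, then again with -Remove. Because the thread says the file comes back after a reboot, the audit is worth repeating after the restart, and the HasPrivateKey column is the one to watch: a root certificate without its private key is merely unwanted, one with it is the hole the articles describe.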

    • #1538998

      I think the next question is to ask, “Why?”

    • #1539008

      From my meager understanding the private key being available anywhere is the biggy. I could see a dev keeping key and Cert in a folder for ease of access while testing and then forgetting to dump the key when making the build image for distribution. Using a live key at all in an unsecure environment is an indication of a lackadaisical attitude towards security.
      Not good at all. :flee::flee:

      :cheers:

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
    • #1539014

      If you have the private key you can install the certificate on your own system and pretend to be Dell.

      cheers, Paul

      • #1539061

        If you have the private key you can install the certificate on your own system and pretend to be Dell. cheers, Paul

        That might answer my question. Yes, I tested and I have it and will remove it. Dumb Q: how would an outsider use this? I’m obsessive about security but don’t quite understand how it could be used.

    • #1539037

      I agree wavy, I just figured it was a (serious) mistake on Dell’s part. There is no reason I can see why Dell would deliberately do it.

    • #1539063

      Many thanks. Makes more sense, but this is with WiFi? Does it matter this laptop never leaves the house and uses CAT5, no wireless?

    • #1539103

      Your laptop may not be attacked, but the hole should not be there at all, especially as it appears to be deliberate.

      cheers, Paul

    • #1539187

      I manually removed the eDellRoot certificate and then checked next day for the DSDTestProvider certificate (as well as using their removal tool) – found neither certificate present, BUT when I did a test using a test website, my Dell Service Tag was STILL pulled up by the javascript. Dell have not yet come up with an explanation for me on that. So my conclusion so far – removing DSDTestProvider certificate does NOT remove the Service Tag javascript exposure – not for my Dell Inspiron laptop anyway.

      • #1539189

        I manually removed the eDellRoot certificate and then checked next day for the DSDTestProvider certificate (as well as using their removal tool) – found neither certificate present, BUT when I did a test using a test website, my Dell Service Tag was STILL pulled up by the javascript. Dell have not yet come up with an explanation for me on that. So my conclusion so far – removing DSDTestProvider certificate does NOT remove the Service Tag javascript exposure – not for my Dell Inspiron laptop anyway.

        Found this advice here
        http://lizardhq.rum.supply/2015/11/25/dell-foundation-services.html

        One of the JSONP API endpoints to obtain the service tag does not need a valid signature to be provided; thus, any website can call it.

        This endpoint is a part of eDell however, and this part of Tribbles gets removed with the tool and instructions to remove the eDellRoot certificate.

        However, another JSONP API endpoint exists to obtain the service tag. This endpoint requires a valid signature, but this signature is provided in the JavaScript on several pages of dell.com, and thus can be scraped.

        explaining how vulnerability persists even after DSDTestProvider cert is removed, and – so far – saying uninstalling Dell Foundation Services is only solution. Not an option if the laptop is owned by an employer of course…

      • #1539193

        Finally solved this by getting latest “urgent” update to Dell Foundation Services from their site (search for “dell foundation services” in search engine) – and installing over old version. The test at tribble track site now fails to locate my service tag.

        The frustrating bit is that despite using @DellCares posts and DMs, and also the installed utilities using my service tag (irony) I found out all this info from third parties and search engines, NOT from Dell – searching Dell still just suggests removing both the eDellRoot and DSDTestProvider certificates – which is NOT a solution.

        The Dell Foundation Services update has been available for 3 days on their site – yet they are not pointing us to it.
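        The two posts above say that removing the certificates does not close the service-tag exposure, and that only updating (or uninstalling) Dell Foundation Services did. The script below is an added example, not from this thread or from Dell: it reads the installed Dell Foundation Services version from the Windows Uninstall registry keys and its service state, and compares the version against a minimum you supply, so an administrator can confirm the update actually replaced the old package on each machine. The display-name patterns are assumptions; the thread gives no version number, so take the minimum from Dell's download page.

```powershell
# Added example (not from the thread): confirm which Dell Foundation Services
# build is installed and whether it meets a minimum version you supply.
# Version numbers are not given in the thread; -MinimumVersion is whatever
# Dell's download page currently lists (assumption).
[CmdletBinding()]
param(
    [version]$MinimumVersion = '0.0'
)

# Both 64-bit and 32-bit Uninstall hives, so the product is found either way.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProduct {
    param([string]$NamePattern)
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate, Publisher
}

# Display-name pattern for the product and its service (assumed, not verified
# against every Dell release).
$dfs = @(Get-InstalledProduct -NamePattern 'Dell Foundation Services*')

if ($dfs.Count -eq 0) {
    Write-Host 'Dell Foundation Services is not installed (or has been uninstalled).'
    return
}

$dfs | Format-Table -AutoSize

foreach ($product in $dfs) {
    $installed = $null
    if ([version]::TryParse($product.DisplayVersion, [ref]$installed) -and
        $installed -lt $MinimumVersion) {
        Write-Warning ("{0} {1} is older than the required {2}; install the update from Dell." -f
            $product.DisplayName, $installed, $MinimumVersion)
    }
}

# Whether the background service is actually running matters as much as the
# package version: an old build that is stopped cannot answer the JSONP
# requests described in the thread, a running one can.
Get-Service -DisplayName 'Dell Foundation Services*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize
```

        Whatever this reports, the check that matters in the end is the one the posters used: load one of the test pages linked in this thread and see whether the page can still read the service tag.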

    • #1539684

      Could be another way of removing it and simpler? http://www.theregister.co.uk/2015/11/26/dell_cert_windows_defender/

    • #1539688

      Good for Windows Defender! But if it only removes the certificate, it still leaves the service tag issue unsolved. Maybe next, they could list Dell Foundation Services as malware too?! 😉

    • #1539814

      Who are “they” and what link?

    • #1539844

      That’s a good point – although I would still want to check that not only had the certificates gone, but that the Service Tag was no longer vulnerable to exposure. My DELL service tag was still accessible via a javascript, on a test website, even though both the eDellRoot and DSDTestProvider certificates had been removed. I would recommend that as well as checking that the certificates have gone, that you check the javascript/service tag problem using the TribbleTrack test site. There have been THREE Dell security problems in the news – it’s easy to get them confused.

      If Windows Defender isn’t uninstalling Dell Foundation Services, and if you choose not to update it at the DELL site, then it is possible your DELL service tag is still vulnerable to being exposed by website javascript.

      The testsite for the problem is linked to from this page
      http://lizardhq.rum.supply/2015/11/25/dell-foundation-services.html
      (beware: the test site has some loud music on it – turn your speakers off before using it)

    • #1539983

      What Dell computers are affected? Haven’t seen an answer to this anywhere?
      I have a Dell I14R (Inspiron 4010) laptop purchased in early 2011

      • #1539991

        What Dell computers are affected? Haven’t seen an answer to this anywhere?
        I have a Dell I14R (Inspiron 4010) laptop purchased in early 2011

        I’m sorry – I can’t help you with that but there are three things you can look for to check if the issue exists on your machine:

        the certificates, in certificate manager, are called eDellRoot and DSDTestProvider

        (instructions for finding are at the end of the first post in this thread
        http://windowssecrets.com/forums/showthread//173046-Dell-s-turn-Sells-computers-with-backdoor?p=1032950&viewfull=1#post1032950 )

        and the test sites for checking the exposure of your DELL service tag are

        https://edell.tlsfun.de/

        and

        http://rol.im/dell/ (turn your speakers down first).

      • #1540002

        What Dell computers are affected? Haven’t seen an answer to this anywhere?
        I have a Dell I14R (Inspiron 4010) laptop purchased in early 2011

        From the articles, it appears to just be recently shipped machines, but jwoods has posted a link in Post #6 that you can use to test if your machine has it.

    • #1540071

      2011 vintage is probably OK, but you can check by looking for the Dell certificate in your certificate store. Start > Run > certmgr.msc

      cheers, Paul

      • #1540111

        My Dell Precision Tower 5810 was manufactured by Dell on 9-15-15.

        Shouldn’t Dell be sending out updates directly to each & every System affected to remove those?

        • #1540188

          I set up a new Dell just this AM and when checking for drivers for a Dell printer there was an important note on the page at support.dell.com about their problem and a link to an applet to check; this was clean. The computer was ordered last week.

          Before you wonder "Am I doing things right," ask "Am I doing the right things?"
        • #1540314

          Shouldn’t Dell be sending out updates directly to each & every System affected to remove those?

          How do Dell know who / where you are and whether you are affected?

          cheers, Paul

          • #1540352

            How do Dell know who / where you are and whether you are affected?

            cheers, Paul

            With all of the other #%$# Dell knows about me, why would they not know this – especially with a System built on 9-15-15?

    • #1540334

      I have a Toshiba laptop and that has something called Toshiba Tempro and when it is enabled, it will notify you of any alerts with a pop up in the system tray.

      If Dell had something similar then that could notify users wherever they are.
