So you're telling me, an American owned tech company is spying or allowing spying on its customers?!
/shocked!
Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more. The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted …
"It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system"
Totally true.
Just like posting my bank details, home address, name and security answers all over the internet doesn't do any harm.
Or jumping off a building.
It's the bit afterwards that we're worried about. Cheers for the advice though, business as usual yea?
Perhaps someone more intelligent than me could explain the technical connection between a piece of spy software and a dodgy security certificate, apart from both being ungood.
It seems that here the author is comparing aardvarks* and anchovies*.
* apologies if either of these has been chosen for the name of a forthcoming release of Ubuntu...
While I have no data to compare our knowledge-bases or indeed intelligence; I'll offer the following hastily written summary - I apologise if it is not 100% accurate:
Software signed with a trusted certificate will run on your machine. A leaked root certificate means that anyone with it can sign any piece of software and your machine will trust it (if you have that root certificate installed).
A leaked root certificate means anyone with that private key can generate new public SSL certs so your browser, for example will trust the site. This exposes you to man in the middle attacks in places where an attacker hijacks your connection and presents http://haha_suckers_this_is_a_drive_by_site.com as https://facebook.com.
Combine those things, and you have an easy way to install malware on any machine using an open wireless connection - for example. But in reality there are many ways that this could cause trouble
So I think you are saying that the PC becomes in effect a certificate issue factory that will then accept any certificate it is persuaded to generate using the details held on its system.
The net effect is that the certificates are not certificates of anything at all.
Is that a correct reading?
Pretty much.
If you buy a Dell and I buy a Dell.
I can use the private key on my dell to generate the aforementioned nasties. I can then install them on your Dell, and it will trust them, as I am using a certificate which is included in your list of trusted certificates. (ish)
So anyone with one of these Dell's can screw everyone else who has one, so long as they keep trusting that cert.
It's a bit like if a bank gave everyone who rented a safety deposit box the same key. Except the box is your laptop.
Sort of correct. It sounds like all of these Dell PC's have the same root CA installed, so anyone obtaining it can generate certificates that these Dell PC's will accept as genuine.
That opens them up to being exploited by fake websites (banking, etc), nefarious apps, and so on.
"[...] so anyone obtaining it can generate certificates that these Dell PC's will accept as genuine."
Yeah, and if someone here thinks that the private key is not already in the hands of any miscreant that caught wind of the outrage, I've got them a nice bridge to sell.
Icon simply because this is an outrage.
Minor correction here - a leaked private key for a root certificate means that anyone can sign a piece of software. Without the private key you cannot sign anything. The certificate is in effect the public key, the part that is freely shared.
The fact that the private key is installed on all these pc's means that anyone with the right skillset enact the attacks as mentioned in the article. The certificate and key need to be revoked - not sure on the mechanism for this outside the PC - but Dell need to supply a patch that will remove the affected certificate and private key and install only a replacement certificate based on a different private key and keep that key, well, private!
"The certificate and key need to be revoked"
This the the issue; as this is a self signed root certificate it CANNOT be revoked as there is no issuing authority to revoke it. As long as this root certificate is trusted by a computer then it will be trusted for EVERYTHING that it is issued from it. And as the private key is in the wild, then that could be ANYTHING! Using the private key and OpenSSL in 2 minutes I could issue certificates for Google, EBay, Amazon, Facebook, YourBank.com, etc, etc, etc. Then, if you have one of these Dells, you would be none the wiser if I was intercepting all of the traffic from your computer to these websites.
I cannot believe the scale of this absolute balls up!
Believe my comment on local revocation (remove the cert / key) still stands tho
...Except for those reports of people whe removed it and then it came back.
And looks like Dell are helping rectify this cock-up.
Far too little, far too late.
Someone that's stabbed you in the arm doesn't get sympathy because they're tried to keep some of the blood off your shirt...
Vic.
Of course, major corporation says there is nothing to worry about so we shouldn't worry. It's not like major corporations have ever lied to us before, now is it ? Nor has any major corporation ever been proven wrong about something as sensitive and critical as security, right ?
Riiight.
It was an accident. Honest. It's just another of those "internal" cert faking kits you've been reading about surprisingly frequently lately. For "testing" only, honest. Must have just fallen in at the depot. We have now implemented robust safeguards to guarantee we'll never be caught doing exactly this ever again, and eNthusiastically eNcourage you to continue eNjoying the Dell eXperience.
Thankyou.
--Dell PR
Look, Corporations have lied in the past but it's a logical fallacy to say they will lie in future. In fact having been caught lying we can safely say they won't do it again, that's all in the past.
(Did you see how I used 'critical thinking' to slam you? Did you see how I tried to say that because they have been caught lying that they no longer do so?)
Doing this kind of thing is bad.
Doing it *after* another major vendor and competitor was rightly nailed to the wall for doing pretty much the exact same thing is... well... I think Dell owes me a new BadSecurit-O-Meter.
This is why one should *always* do a complete wipe and reinstall of any new system. I don't care what anything: always wipe. Trust no one. If you can manage it, don't even trust yourself.
This post has been deleted by its author
It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions. First we have the major breaches at Target, Home Depot, TJX and other behemoth commercialUSA companies atributable to wWndows terminls or some innocuous Microsoft device. Now Superfish 2.0 is upon us, and combined with gross "ransomware" that threatens medical devices if patients don't pay up, and the predictions of dire consequences by Richard Clark, Federal Government Cyber Cazr under both Bush and Obama administrations, of relying on Microsoft weak software technologies has come home to roost.
Adding insult to innorance, a recent report indicates many USA corporations plan to move to Windows 10 by early 2017. If Microsoft is suddenly and unexpectedly pulling updates and fixes for Windows 10 just this past week, how bad will it become in 2017 and beyond?
"Yes bring back clay tablets, papyrus and reed pens."
Modern Android and iOS tablets are hardly "clay"*, there are more font choices on Linux and OS-X than that one, and the styluses, are "red", with a single "e", as in "seeing the price tag of the Apple Pencil will make your face flush red".
* although the latter's former propensity to stick glass everywhere makes them quite as brittle
This has nothing to do with Windows, Dell could as well ship machines with Linux with the same certificate installed, or install it into a pre-installed Firefox as well. CAs *can* be added in any OS because there are several situations where users need to add their own (think about company-wide CAs for a LAN...).
Of course, the private key should not be there...
At least, if you wish to bash Windows, try to do it looking smart... not clueless... it's not that difficult, after all.
This post has been deleted by its author
"It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions."
Yeah, because no other operating system uses certificates and trusted root certificate authority. Everyone else is on Commodore 64's.
I wouldn't be holding up android. Too many OEMs "customise" the experience and then have no way to patch for things like stagefright. There are literally phones sitting on store shelves that will never see a stagefright fix.
Microsoft have plenty to criticise. Too many windows updates address being pwned by fonts for goodness sake and half of those patches end up breaking outlook. The blame here sits squarely on dell. They are appropriately being shamed.
Okay, interesting find.
I located the second XPS 8700 workstation. No certificate present.
Both machines have a manufactured date of 13th October.
Both machines were received on the 23rd, and I had both side-by-side doing Windows Updates, installing our standard SOE software. I was pretty much sitting there with both machines, two keyboards, typing the same things into both.
One machine was deployed to a user, and has been in constant use. The second was put back in its box to keep as a spare for when it was needed. The one we put away has not got the certificate installed at present.
I'll do a quick update and see if it appears.
Stuart, presumably it was the stored system which was free of the malware?... suggesting that the machines arrive clean to be infected later?
Interesting indeed. Looking forward to your update update.
I wonder how long it'll be before Dell notices they've been rumbled and suspends this particular operation.
At least in the fine old USofA we've heard tales of shipments of equipment being detoured into warehouses where some minor alterations where performed. I'm guessing our common delivery systems (USPS, UPS, Fedex, etc.) are all part and parcel (sic) of this scheme.
When the BIOS (or other components) can be changed, good luck finding the nimble fingers.
Well, there are two possibilities:
- they are randomly loading PCs with A/B images, some which have the dodgy certificate, and some without.
OR
- they shipped the bad certificate in an update after we deployed the machine.
I'm just rebooting the machine now. I'll do a few more checks for updates and see if it pops up.
I never checked to see if the certificate was present at the time of deployment: it is entirely possible it has been there the whole time.
When Lenovo decided to include firmware to auto-install malware on Windows they made it onto my No Buy Ever list. This isn't the case with Dell, as they've already been on the list for over a decade.
- Proprietary PSUs that, when replaced with normal PSUs, cause the machine to power on and off, on and off when in the "powered off" state.
- Power bricks with "data" lines that allow the BIOS to determine if the power brick is "genuine Dell" and downclock the CPU by 50% if it isn't. The "genuine" bricks sell for 2x the price of the others.
- Failure to address major capacitor quality issues, replacing boards with exploded caps with boards with soon-to-explode caps.
- Dell branded Windows COAs, "too bad you spent all this time trying to reinstall an OS, this COA only works with 'Dell Windows'".
- Batshit insane case design.
Dell: nope.
Loss of brain connection. It's funny how little time passed between Lenovo issuing such a statement and the first POC's started flowing to show how little a grasp on security the company had.
Dell's on my s-list for messing up a couple servers a few years ago. and s- doesn't stand for short.
When your server sounds like it's a couple bricks slamming around which turns out to be the hard drive subassembly, well... and now a trusted malware signing tool freely available... banishment to the ninth circle is in order.
First part of a multi-part tweet? *Looks...
Yup:
@rotorcowboy It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system, so we don't recommend-1
@rotorcowboy (2) you to edit the registry. Let me know if there is anything else I can help you with. ^NB
" In fact, the Dell certificate was created months after the Superfish blowup – was no one at the Texas goliath paying attention?"
Yes. Yes, they were.
"Hey, Bob - look what Lenovo has done. Good idea?"
"Well, no, Tim - it's clearly backfired now that people have spotted it. But it's given me an idea..."
For those that are affected, there are some instructions here:
You get rid of the certificate by performing following actions:1) Stop and Disable Dell Foundations Service 2) Delete eDellRoot CA registry key here
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\98A04E4163357790C4A79E6D713FF0AF51FE6927
Then reboot and test.
I haven't tried this yet, as the affected machine (see above) has another user logged in (and might have work open), when she gets in we'll do those steps and report back.
Didn't check "tomorrow" like I said I would, yesterday was hectic. Had a look this morning, and so far, so good.
You can trust Dell's .exe "patch" if you like, but the instructions that worked for me:
- Bring up the certificate manager (Logo+R, type certmgr.msc, press ENTER) and under the Trusted Root Certificates, look for and delete eDellRoot.
- Bring up the Services control panel (Start, right-click Computer, select Manage, under Services and Applications, select Services), look for "Dell Foundations Service", right-click and select Properties.
- Click the Stop button, then change the Startup type to "Disabled", click OK.
Reboot to be sure, your machine should remain clean from now on.
I think it is time we stopped trusting OEM installs.
Our trust has been abused by Dell and Lenovo now. Who next? Asus? MSI? Samsung? Toshiba?
Clearly, manufacturers do not have our interests at heart when they ship a device with Windows pre-loaded.
Time to go back to the old days when the machine was shipped to the end user blank and they then had someone technically knowledgeable (that they trust) to do the OS installation and set-up.
If you are really worried about spies intercepting your traffic then take a look at the looooonnngggg list of trusted roots. How many of them do you recognise? How many of the recognised providers have also been ‘required’ to provide valid certificates to TLAs? How many of those roots are actually owned by TLAs?
This isn't about TLAs spying. Of course they can use any of myriad certs from the ridiculously distended list of "trust" - that is precisely why the clusterfuck "system" was so carefully designed just as it is.
To subvert the "trust" in the CA sham, you need the private keys or knowledge of and opportunity to deploy an exploitable vulnerability. The TLAs are generally quite careful to keep those things quiet and even help patch up the vulnerabilities once sufficient evidence of external exploitation develops.
This is a case of a corporation buggering up its own mechanism to permanently pwn all its victims "valuable valued customers" - it has given the entire world the tools to pwn all those victims "valuable valued customers".
Dell has, quite literally, published the keys to its own backdoor.
Oopsie.
This post has been deleted by its author
I have the same Dell as in the image at the top of the story. Thankfully it is running Win 10 from an iso from MS and totally wiped down. I'll still check though - who knows what may have sneaked in with a driver install, etc. All that time to ensure I check all the setup so that it is secure as I can make it and stuff like this happens - sigh.