
Another Dell root certificate discovered - jacquesm
http://www.pcworld.com/article/3008478/security/and-then-there-were-two-another-dangerous-dell-root-certificate-discovered.html
======
orf
Once upon a time I spent a couple of hours looking at the Dell update utility
and found that it pretty much allowed remote code execution to any web page
your browser visits[1][2]. The quality of their code, the clear lack of anyone
with any security knowledge looking at it and the 'fix' they deployed[3] made
me never ever trust Dell again.

Seriously, their entire security relied on 'if url.endswith('dell.com')', plus
a bunch of home grown 'encryption' that was utterly ridiculous. I'm sure if
anyone spent a good hour or so looking at some of the oodles of software they
pre-install on laptops you can dig up some other juicy exploits.

1\. [http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://tomforb.es/dell-system-detect-rce-vulnerability) (site's down at the moment :/)

2\.
[http://www.theregister.co.uk/2015/04/08/dell_update_security...](http://www.theregister.co.uk/2015/04/08/dell_update_security_concerns/)

3\. They literally just updated their home grown encryption/authentication
code and made it clear that they didn't understand the issue _at all_.

~~~
meritt
Is this a hardware or a software boycott? Because I have trouble finding
anything remotely decent when it comes to MacBook Pro alternatives. Then again,
I just sorta assumed most people always did clean installs and wiped the
pre-installed shit that every PC vendor bundles.

~~~
potatolicious
Honest question: could you even do that without buying an extra copy of
Windows? Back in the old days you got a CD key with your PC, so you can
install a fresh copy of Windows easily from your own media.

But nowadays it seems like not all keys are equal, and I'm under the
impression that short of buying your own copy you can only reinstall the OEM,
hacked-up version.

~~~
Already__Taken
The key is in the BIOS now so you should be able to load any OS that's the
same version, i.e. Pro or Home.

I've never tried though. I don't know if there is still a different version
for OEM or VL Windows like XP had different key types.

~~~
lashkari
I just went through this with a new Dell XPS for my dad.

I performed a wipe/reinstall (with media created directly from a Microsoft
download) and Windows 10 never asked me for a key after reinstalling it, and
it reports as being activated.

Seems like they've moved away from requiring an OEM key in addition to the
SLIC BIOS signature.

~~~
sfilipov
They went a step further. Once a Windows 10 machine is activated, a "hash" of
its hardware is taken and associated with the product key. When you reinstall
Windows 10, the activation service matches your hardware information with the
product key. You need to enter a product key only the first time you install
Windows 10 on a particular machine.

~~~
Already__Taken
When I was building machines and asked about the OEM licence, this hardware
hash is related to the motherboard. MS consider a new motherboard a new PC;
everything else you should get away with changing.

------
jacquesm
What really bugs me about this whole certificate saga is this: Ok, so you
messed up. But then we get this - to my ears - absolutely bogus spiel about
this being for 'improved customer service'. I find it very hard to make that
link. And then, to add insult to injury, after messing up like that there is
no 'all hands' inside Dell to see if that 'mistake' (let's assume it really is
a mistake, to be kind to them) had been made in more than one place, which in
fact it is.

Once is normal, twice may be coincidence, thrice is enemy action. Let's hope
for Dell that there won't be a third, and if there is that they spot it
themselves before someone else does. And I'm not buying the line about
'improved customer service' even for a moment, you can't improve customer
service by allowing anybody aware of this certificate to MITM any and all
connections from these machines and even if that were the case it is just a
little bit too convenient that such a mistake would _also_ include the private
key, which allows Dell to conveniently deny that they ever leaked the private
key to anybody in particular (instead, they leaked it to the world at large).

Superfish was bad, this is in some ways just as bad or worse.

Now, Dell, can we please have a detailed technical explanation about why these
_two_ root certificates _and_ their private keys were stashed on customers'
machines without their knowledge, centering on specific functionality (as in
what is it that you could not do without these certificates and keys distributed)
rather than some weasel-worded techno babble about 'improved support'?

~~~
api
Crapware and foistware is always "valuable customer blahblahblah."

~~~
jfb
Sounds better to the board than "desperate measures to somehow find pennies in
this awful commodity business we find ourselves in."

------
hannob
I updated my online check tool and it detects both certs:
[https://edell.tlsfun.de/](https://edell.tlsfun.de/)

Also updated my corresponding blog post (links to cert and key there in case
you're interested):
[https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-...](https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html)

------
electic
Does anyone know of a tool for Windows and OSX that will audit all the
certificates installed on a machine and tell you which ones are removed,
compromised, or generally unrecognized? It would be great if there was one so
I can run audits because even if you install a fresh copy of the OS, the NSA
and their friends can eventually sneak a cert on there. It would be great if
there were an audit tool.

------
mtgx
There's a problem with their Dell Foundation Services software, too:

[http://www.theregister.co.uk/2015/11/25/dell_backdoor_part_t...](http://www.theregister.co.uk/2015/11/25/dell_backdoor_part_two/)

~~~
jacquesm
Oh great, a JavaScript-accessible supercookie based on the Dell service ID
thrown into the mix as well. What could possibly go wrong with that?

------
krylon
A part of me wants to go "Un-freaking-believable!"

The other part is like, "You really did not see this coming?"

The worst part is that this was probably done for ridiculous reasons. If they
had put the certificate on their systems to allow the NSA to spy on their
customers (just as a hypothetical example), planting such a certificate would
probably be a reasonable approach. But in the case of Lenovo and Superfish,
this was done to show f___ing advertisements to users, and I am certain in
Dell's case their reason is not much better. And for _that_, they put their
customers' security at risk. For freaking advertisements and (Dell's claim, I
think) making life slightly easier for their support staff.

Seriously, what were these guys thinking?

~~~
ultramancool
I'm still unclear on why they need a root certificate with code signing privs
to "make life easier for their support staff".

~~~
krylon
Me too. Either this was one of the worst ideas ever, or one of the lamest
excuses ever. (At least in the world of software deployment.)

------
AndyMcConachie
Am I reading it correctly that they also included the private keys? Why are
the private keys for the cert installed with the cert? That doesn't make any
sense.

Is this just incompetence, or is there some other reason that I'm failing to
understand?

~~~
bognition
If the article is correct then this is a major mistake on Dell's part.

~~~
mfisher87
I would use a stronger word than "mistake"; you have to have 0 understanding
of what you're doing and 0 code reviews to do this.

------
ctangent
Maybe it's a good time to share this - I just bought a brand-new Dell XPS 15
and it runs Ubuntu like a dream. The only problem I've had is that
suspend/resume (i.e. closing the lid) causes a kernel panic, but I've heard
that's fixed in the next kernel release.

And the best part - no bogus certs!

~~~
karlgrz
Regarding the suspend/resume stuff, which version of Ubuntu are you running? I
don't have a problem, but I had to do a couple of things to get it working
more like a MacBook: [http://karlgrz.com/dell-xps-15-ubuntu-tweaks/](http://karlgrz.com/dell-xps-15-ubuntu-tweaks/)

~~~
ctangent
I'm running Ubuntu 15.04 and I haven't tried any of those things. My
suspend/resume experience isn't like that blog, though - what happens to me is
that I shut the lid, the OS "suspends", I open the lid again and get an
unresponsive black screen and I have to reboot.

This is almost exactly what I've done to set up my machine:
[http://ubuntuforums.org/showthread.php?t=2301071&p=13382949#...](http://ubuntuforums.org/showthread.php?t=2301071&p=13382949#post13382949).
This thread claimed that kernel v4.3 fixed this issue, but it still
happens for me - I was going to wait until the next 4.4 RC to give it another
whirl.

~~~
jacquesm
I've had this problem too. In my case it was caused by some clever (way too
clever IMO) stuff going on that tries to write a bunch of I/O ports to a safe
place on suspend and writes that data back to the various chips on resume.
This caused all kinds of trouble.

If your BIOS supports it choose 'sleep' rather than 'hibernate' for
suspend/resume. It will be a bit slower but there is far less OS dependent
magic going on under the hood.

------
a3n
I am convinced that the only thing that approaches the designed security level
of an operating system is to buy a machine, completely wipe it and install
your own paid-for copy.

It appears that hardware vendors cannot make enough money merely selling
hardware, and so they sell access, data and advertising to third parties (at
least Superfish was in that area).

Being able to mod the software on your car is (I think) recently allowed (by
the Librarian of Congress?). But it can be taken away at any revisiting event.
I can see the day coming when it will be illegal to wipe a machine, because
circumventing.

~~~
robszumski
For what it's worth, Apple machines come secure out of the box, without any of
this BS. They even prompt you to set up full disk encryption, and because it's
well designed, almost anyone can figure it out.

~~~
tomschlick
This is one of the best things about the Apple ecosystem. Apple exists to
sell you the hardware. All the software is designed to get you to love the
experience so much that you will buy more hardware. They don't let anyone fuck
with that.

------
zby
OK when do we restart the software liability discussion?

[http://geer.tinho.net/geer.blackhat.6viii14.txt](http://geer.tinho.net/geer.blackhat.6viii14.txt)

[https://www.google.com/webhp?sourceid=chrome-instant&ion=1&e...](https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=bruce%20schneier%20software%20liability)

------
ballpark
After not owning a Dell for years, I just bought one for the kids to use
shortly before the news of the security issue came last weekend. Frustrating!

~~~
reustle
Depending on how old your kids are, are they really going to be using it for
anything that is at risk?

Edit: I'm not defending Dell in any way, but if they're watching youtube and
browsing facebook, they'll probably be just fine.

~~~
Xylakant
Anything at risk such as "browsing on the internet" and "installing software"?

~~~
lmm
I think the point is that an adult mostly risks losing money from their bank
account (assuming they do their banking online), credit card (if they buy
anything online) or the like.

~~~
Xylakant
Having a compromised machine on your network serves as an entry point. The machine
may also be part of a botnet, which could expose you to questioning or worse by
the authorities if the botnet is used in an attack.

Neither is something you'd want, even if the machine itself is not used for
anything critical.

------
alkonaut
Always, always wipe and clean install OEM Windows installs with versions
directly from Microsoft.

------
nickpsecurity
"Dude, you're getting a dangerous, root certificate!"

~~~
adekok
Read the article again.

> Nevertheless, because both eDellRoot and DSDTestProvider are installed in
> the Windows root store for certificate authorities together with their
> private keys, they can be used by attackers to generate rogue certificates
> for any website that would be accepted on the affected Dell systems.

It's not the certificate that's the problem. It's the installation of the
_private keys_ along with the certificate.
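
electic's question further up about a tool that audits the certificates installed on a machine, and the point made here that the danger is the private key sitting in the root store next to the certificate, can both be checked with a short script. This is an added example, not code from the thread, from Dell or from hannob's checker; it assumes Windows PowerShell 5.x run as Administrator, covers Windows only (not OS X), and uses the two certificate names quoted in the thread as a supplementary name check.

```powershell
# Added example: audit the Windows root stores for CA certificates whose
# private key is present on this machine. A trust anchor on an end-user box
# should never ship with its private key; that is what made eDellRoot and
# DSDTestProvider usable for MITM and for code signing.

$stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$knownBad = @('eDellRoot', 'DSDTestProvider')   # names quoted in the thread

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # Basic Constraints (OID 2.5.29.19); .NET exposes it as a typed extension.
        $bc = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCa = [bool]($bc -and $bc.CertificateAuthority)
        $name = $cert.GetNameInfo('SimpleName', $false)

        [PSCustomObject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            IsCA          = $isCa
            HasPrivateKey = $cert.HasPrivateKey   # the red flag for a root cert
            KnownBadName  = ($knownBad -contains $name)
        }
    }
}

# A private key in a *root* store, or a known-bad name, marks the entry as suspect.
$suspects = @($findings | Where-Object { $_.HasPrivateKey -or $_.KnownBadName })

if ($suspects.Count -gt 0) {
    Write-Warning "Found $($suspects.Count) suspicious root certificate(s):"
    $suspects | Format-Table Store, Subject, Thumbprint, IsCA, HasPrivateKey -AutoSize
    # Removal is left as a deliberate manual step; review each entry first, e.g.
    #   Remove-Item -Path "$($suspects[0].Store)\$($suspects[0].Thumbprint)"
} else {
    Write-Host 'No root certificates with private keys or known-bad names found.'
}
```

The `HasPrivateKey` check is the one that matters: a legitimate root CA certificate (Microsoft's, DigiCert's and so on) will report `False` there, and any `True` in a root store deserves an explanation.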

~~~
nickpsecurity
Revised: "Dude, you're getting some MITM action!"

~~~
mSparks
Better than that. Lets you sign software as written by Microsoft.

