  1. #1 (5 Star Lounger, Phoenix, AZ)

    Dell's turn: Sells computers with backdoor

    First Lenovo, now Dell. And some journalistic mileage out of one story.

    Dell: Yes, we shipped laptops, PCs with a nasty web security hole

    The Register

    by Chris Williams
    24 Nov 2015

    http://www.theregister.co.uk/2015/11...l_superfish_2/

    Dell says it will publish a guide to remove the web security backdoor it installed in its Windows laptops and desktop PCs.

    This confirms what we all know by now: that Dell was selling computers with a rather embarrassing hole in their defenses.

    New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines' owners at risk of identity theft and banking fraud.

    The certificate is bundled with its private key, which is a boon for man-in-the-middle attackers.... [continue reading at above link]


    Superfish 2.0: Dell ships laptops, PCs with gaping internet security hole

    The Register

    by Shaun Nichols
    23 Nov 2015

    http://www.theregister.co.uk/2015/11...getting_pwned/

    Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more.

    The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.

    If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The root CA cert appears to have been created in early April this year, and expires in the year 2039.... [continue reading at above link]


    Superfish 2.0 worsens: Dell's dodgy security certificate is an unkillable zombie
    And now here's how you can really destroy it


    The Register

    by Shaun Nichols
    23 Nov 2015

    http://www.theregister.co.uk/2015/11...re_gets_worse/

    .... You can find the dangerous certificate by opening up the Start menu, select "Run", type in "certmgr.msc" into the box and hit Enter. Then open up the "Trusted Root Certification Authority" folder on the left, then "Certificates", and in the window should appear "eDellRoot". That's the SOB you're looking for. Right-click over it, hit "Remove", click through the warning box. And it's gone.... [continue reading at above link]

  2. The Following User Says Thank You to Fascist Nation For This Useful Post:

    Sudo15 (2015-11-24)

  3. #2 (Super Moderator, Durham UK)
    I think the next question to ask is, "Why?"

  4. #3 (Silver Lounger wavy, ny)
    From my meager understanding, the private key being available anywhere is the biggy. I could see a dev keeping the key and cert in a folder for ease of access while testing and then forgetting to dump the key when making the build image for distribution. Using a live key at all in an insecure environment is an indication of a lackadaisical attitude towards security.
    Not good at all.

    David

    Just because you don't know where you are going doesn't mean any road will get you there.

  5. #4 (WS Lounge VIP, Earth)
    If you have the private key you can install the certificate on your own system and pretend to be Dell.

    cheers, Paul

  6. #5 (5 Star Lounger, Phoenix, AZ)
    I agree wavy, I just figured it was a (serious) mistake on Dell's part. There is no reason I can see why Dell would deliberately do it.

  7. #6 (jwoods, Guest)
    Apparently, it was intentional...

    http://www.engadget.com/2015/11/23/d...rity-key-flaw/

    From the article...

    Update: Dell now says that it's going to yank the certificate (which helps identify your PC to support techs) on all systems from here on out, and it's providing instructions to remove the code on your existing computer. The company adds that it doesn't scoop up personal information, although the concern is more that others could collect that data.

    Impacts users of IE, Edge, and Chrome...

    http://www.csoonline.com/article/300...rtificate.html

    There is a site that has been set up to test whether a Dell computer has the vulnerability...

    https://edell.tlsfun.de/
    Last edited by jwoods; 2015-11-24 at 16:30.

  8. #7 (Star Lounger)
    Quote Originally Posted by Paul T View Post
    If you have the private key you can install the certificate on your own system and pretend to be Dell. cheers, Paul
    That might answer my question. Yes, I tested and I have it and will remove it. Dumb Q: how would an outsider use this? I'm obsessive about security but don't quite understand how it could be used.

  9. #8 (jwoods, Guest)
    Quote Originally Posted by robertpri View Post
    That might answer my question. Yes, I tested and I have it and will remove it. Dumb Q: how would an outsider use this? I'm obsessive about security but don't quite understand how it could be used.
    It allows a man in the middle to impersonate both sides of a transaction.

    [image: mitm-steps.gif]

  10. #9 (Star Lounger)
    Many thanks. Makes more sense, but this is with WiFi? Does it matter this laptop never leaves the house and uses CAT5, no wireless? [I will still remove it]

  11. #10 (WS Lounge VIP, Earth)
    Your laptop may not be attacked, but the hole should not be there at all, especially as it appears to be deliberate.

    cheers, Paul

  12. #11 (jwoods, Guest)
    Apparently, there is now more than one to remove.

    Dell's instructions on how to remove eDellRoot and DSDTestProvider (which has similar characteristics to eDellRoot)...

    http://www.dell.com/support/article/...en&s=bsd&cs=04
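    As an added example (not from this thread and not Dell's own removal tool), a PowerShell audit script that searches the Windows certificate stores for the two certificates named above, eDellRoot and DSDTestProvider, and reports whether the private key is present on the machine; the `-Remove` switch deletes what it finds. The store paths inspected and the matching on the subject CN are assumptions based only on the certificate names given in the thread.

```powershell
param([switch]$Remove)

# Certificates named in the thread (matched on the subject CN).
$suspectNames = @('eDellRoot', 'DSDTestProvider')

# Stores to inspect: machine-wide and per-user trusted roots, plus the
# intermediate CA stores in case a copy was placed there (assumption).
$storePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\CA'
)

$findings = foreach ($path in $storePaths) {
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object {
            $subject = $_.Subject
            # inner $_ is the suspect name, so capture the subject first
            $suspectNames | Where-Object { $subject -like "*CN=$_*" }
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $path
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # The important bit: a trusted root whose private key is
                # on the endpoint lets anyone who copies it sign certs
                # this machine will accept.
                HasPrivateKey = $_.HasPrivateKey
                Path          = $_.PSPath
            }
        }
}

if (-not $findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificate found.'
    return
}

$findings | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        Write-Output "Removing $($f.Subject) from $($f.Store)"
        # -DeleteKey also removes the associated private key material
        Remove-Item -Path $f.Path -DeleteKey
    }
}
```

    Run it from an elevated prompt, since removing from LocalMachine\Root needs administrator rights. The Register piece quoted in post #1 reports the certificate being reinstalled on the next boot, so re-run the audit after a reboot to confirm it stayed gone.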

  13. #12 (New Lounger)
    I manually removed the eDellRoot certificate and then checked next day for the DSDTestProvider certificate (as well as using their removal tool) - found neither certificate present, BUT when I did a test using a test website, my Dell Service Tag was STILL pulled up by the javascript. Dell have not yet come up with an explanation for me on that. So my conclusion so far - removing DSDTestProvider certificate does NOT remove the Service Tag javascript exposure - not for my Dell Inspiron laptop anyway.

  14. #13 (New Lounger)
    Quote Originally Posted by revrob View Post
    I manually removed the eDellRoot certificate and then checked next day for the DSDTestProvider certificate (as well as using their removal tool) - found neither certificate present, BUT when I did a test using a test website, my Dell Service Tag was STILL pulled up by the javascript. Dell have not yet come up with an explanation for me on that. So my conclusion so far - removing DSDTestProvider certificate does NOT remove the Service Tag javascript exposure - not for my Dell Inspiron laptop anyway.
    Found this advice here
    http://lizardhq.rum.supply/2015/11/2...-services.html

    One of the JSONP API endpoints to obtain the service tag does not need a valid signature to be provided; thus, any website can call it.

    This endpoint is a part of eDell however, and this part of Tribbles gets removed with the tool and instructions to remove the eDellRoot certificate.

    However, another JSONP API endpoint exists to obtain the service tag. This endpoint requires a valid signature, but this signature is provided in the JavaScript on several pages of dell.com, and thus can be scraped.
    explaining how the vulnerability persists even after the DSDTestProvider cert is removed, and - so far - saying uninstalling Dell Foundation Services is the only solution. Not an option if the laptop is owned by an employer, of course...

  15. #14 (New Lounger)
    Finally solved this by getting latest "urgent" update to Dell Foundation Services from their site (search for "dell foundation services" in search engine) - and installing over old version. The test at tribble track site now fails to locate my service tag.

    The frustrating bit is that despite using @DellCares posts and DMs, and also the installed utilities using my service tag (irony) I found out all this info from third parties and search engines, NOT from Dell - searching Dell still just suggests removing both the eDellRoot and DSDTestProvider certificates - which is NOT a solution.

    The Dell Foundation Services update has been available for 3 days on their site - yet they are not pointing us to it.

  16. The Following User Says Thank You to revrob For This Useful Post:

    Fascist Nation (2015-11-27)

  17. #15 (Super Moderator, Durham UK)
    Could be another way of removing it, and simpler? http://www.theregister.co.uk/2015/11...dows_defender/
