As Scott mentioned yesterday, Dell refused to learn from Lenovo's lesson and repeated the exact same mistake with eDellRoot, a self-signed root CA certificate with an unknown purpose. Unlike SuperFish, which existed to display targeted ads, eDellRoot serves no clear purpose apart from a Microsoft-like mention of "easier customer support", yet it exposes you to exactly the same security risks as SuperFish did. You could remove the cert manually; however, because it resides in Dell.Foundation.Agent.Plugins.eDell.dll it will return on the next boot, and it can return on fresh Windows installs via Dell driver updates, something which will be of great concern to their business customers.
Dell has finally responded to the issue: "The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability." Dell has also provided a process to remove the certificate from the machine permanently in this Word document, and you can check for the presence of the cert on your machine via those two links.
However, the best was yet to come: researchers have found a second root cert, as well as an expired Atheros Authenticode cert used for Bluetooth drivers together with its private key, on a limited number of new Dell computers. As Dell made no mention of these additional certificates in its statement to the press, it is hard to give them the benefit of the doubt. The Bluetooth cert will not make you vulnerable to a man-in-the-middle attack; however, the second root cert is as dangerous as eDellRoot and can be used to snoop on encrypted communications. The second cert was found on a SCADA machine, which is, as they say, a bad thing.
We await Dell's response to the second discovery, as well as further research to determine how widespread the new certs actually are. So far Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops have been found to contain these security issues. The chances of you falling victim to a man-in-the-middle attack thanks to these vulnerabilities are slim but not zero, so be aware of them and keep an eye out for them on your systems. With Lenovo and Dell both having been caught, it will be interesting to see whether HP and other large vendors learn this lesson, or whether it will take a third company being caught exposing its customers to unnecessary risk.
"A second root certificate and private key, similar to eDellRoot, along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers, have been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert."
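For readers who want to check their own machines, the following PowerShell audit is an added example written for this article; it is not Dell's removal procedure and not code from the original post. It lists every certificate in the Windows trusted root stores whose private key is present on the machine (a trusted root CA whose key is readable by anyone is exactly what makes eDellRoot, and the similar second cert, usable for interception), flags the eDellRoot subject by name, and searches for the plugin DLL the article says reinstalls the cert on boot. The "private key present" heuristic is the editor's own generalisation so that an unnamed second certificate of the same kind is caught too; the DLL filename is taken from the article, but searching for it under Program Files is an assumption about where it lives.

```powershell
# Added audit example, not from the article or from Dell.
# Run in an elevated PowerShell session so both root stores can be read fully.

$KnownBadSubjects = @('eDellRoot')                       # subject name taken from the article
$DllName = 'Dell.Foundation.Agent.Plugins.eDell.dll'     # filename taken from the article

$Findings = foreach ($StorePath in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue | ForEach-Object {
        $Cert = $_
        $NamedMatch = $false
        foreach ($Name in $KnownBadSubjects) {
            if ($Cert.Subject -like "*CN=$Name*") { $NamedMatch = $true }
        }
        # Heuristic (editor's assumption): a trusted root whose private key lives
        # on an end-user machine is suspicious whatever it is called.
        if ($NamedMatch -or $Cert.HasPrivateKey) {
            if ($NamedMatch) { $Reason = 'known bad subject' } else { $Reason = 'private key present' }
            [pscustomobject]@{
                Store         = $StorePath
                Subject       = $Cert.Subject
                Thumbprint    = $Cert.Thumbprint
                NotAfter      = $Cert.NotAfter
                HasPrivateKey = $Cert.HasPrivateKey
                SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
                Reason        = $Reason
            }
        }
    }
}

# Location under Program Files is an assumption; the recursive search can take a while.
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$DllHits = Get-ChildItem -Path $SearchRoots -Recurse -Filter $DllName -File -ErrorAction SilentlyContinue

if ($Findings) {
    Write-Warning 'Suspicious trusted root certificate(s) found:'
    $Findings | Format-Table Store, Subject, HasPrivateKey, SelfSigned, NotAfter, Reason -AutoSize
} else {
    Write-Output 'No eDellRoot certificate and no trusted root with a local private key found.'
}

if ($DllHits) {
    Write-Warning "$DllName is present; deleting the certificate from the store alone will not survive a reboot:"
    $DllHits | Select-Object -ExpandProperty FullName
} else {
    Write-Output "$DllName not found under Program Files."
}
```

A hit on the DLL search matters more than the store listing: as the article notes, the cert is reinstalled from that plugin, so removal has to follow Dell's published process (or remove the plugin) rather than stop at the certificate store.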
Here is some more Tech News from around the web:
- Amazon is suffering a subtle data breach, lest it turn into another TalkTalk @ The Inquirer
- Windows 10: Microsoft flip flops 'as a service' as November update is pulled @ The Inquirer
- Hybrid carbon foams serve as good heat conductors @ Nanotechweb
- Pip Boys As A Service @ Hack a Day
- Intel hires Qualcomm's compute leader to lead new mobile push @ The Register
- Heterogeneous system architecture helps AMD and ARM deal with mammoth compute demands @ The Inquirer
- Windows 8.1 exams kept alive six more months, Win 7 tests immortal @ The Register
As I replied to Scott’s post, and to this one, including some extra wording:
M$ and OEMs need to be restricted on what they can bake into the UEFI/BIOS. Hardware owners need to be able to expect a level of security and assurance that their hardware is not going to be in a compromised state. There is no workaround for users if the privacy violations baked into the hardware/firmware are allowed to continue. After 2 high-profile violations by Lenovo and now Dell, should there be regulations governing just what functionality is allowed to be baked into the devices' hardware/firmware that could cause the end users' loss of privacy, or even worse? If any abuse calls out for litigation and regulation it is this total disregard for the end users of the compromised hardware, with the loss of privacy and possible other harmful fraudulent dangers.
And great, in a Word document, how open of Dell, why not an HTML page! It's Dell and Lenovo, and probably more OEMs; add to that the spying baked into Windows 10, and it's just a matter of time before the mass pawning begins!
OEM now stands for Our Embedded Malware!
No, we don’t need more regulation. We just need to point this crap out and not buy it.
What about everyone who already bought it because “We” were too slow to find it and point it out?
That too, but the EU gets full OS choice with none of the crap, like here in ScamMerica! Now go worship your Merchant Princes!
ScamMerica, ScamMerica, they like to Rip you off!
The land where all the Politicians are all promptly paid off!
You can never trust the Americans with their NSA-inspired hacking and spying around the world these days. To hell with Dell computer corporation. Money before security is their mission statement!
90% of DELL Executives are Indian or some other minority. There are actually very few “Americans” in the upper echelon of DELL, Inc. except for Michael Dell himself.
Another reason not to buy Dell.
And yeah, it will probably be illegal to point stuff like this out after the TPP/TTIP deals go through. You'll end up in jail for reporting security holes generally, not only in DRM software as is the case now.
Looking through my trusted root certificates, I seem to be okay, but there is something disturbing about that “No Liability Accepted” cert from verisign…
Dell and all the rest suck… build your own!!!