Dell Releases Fix for Root Certificate Fail"Superfish 2.0" Follows Similar Lenovo Blunder, Experts Say
Dell is moving to patch a homegrown application installed on many of its devices after information security researchers discovered that it installed a root certificate that could be abused by attackers to intercept encrypted, private data.
See Also: The State of the Software Supply Chain
"Dell laptops ship with a preinstalled root certificate and a private key," says security researcher Hanno BÃ¶ck, who says he helped report the problem to Dell two weeks ago, but received no response. He adds that since the private key installed by default on Dell systems has also now been published, "attackers can use man-in-the-middle attacks against Dell users to show them manipulated HTTPS webpages or read their encrypted data."
"All [Dell] systems apparently use the same key and certificate," says Johannes Ullrich, dean of research for the SANS Technology Institute. "Using the 'secret' key, anybody could create certificates for any domain, and Dell systems with this eDellRoot certificate would trust it."
Dell has confirmed the vulnerability, which it says stems from a customer-support application called Dell Foundation Services that it preinstalls on systems, and which then installs the offending "eDellRoot" root certificate. The company has released instructions and software that can be used to automatically or manually expunge eDellRoot from affected systems.
A Dell spokeswoman was not able to provide a list of all machines and versions of its software that are at risk from the root certificate flaw, or note how many users might be affected. On a related Reddit thread, however, some users are reporting that recently-purchased machines did not ship with the offending software application, but that after installing software called "Dell Updates," the certificate did then get installed.
Note that simply deleting the offending root certificate - which is valid until 2039 - won't mitigate the flaw, Ullrich warns, since Dell Foundation Services will simply reinstall it. Instead, users must first stop and disable Dell Foundation Services, and then delete the eDellRoot certificate. To do so, he says to "start certmgr.msc, select 'Trusted Root Certification Authorities' and 'Certificates' [and] look for eDellRoot."
Dell Downplays Misstep
Dell's security misstep parallels PC manufacturer Lenovo earlier this year acknowledging that it had been preinstalling Superfish adware on many of its PCs, and that the bloatware was installing a root certificate that could likewise be used to intercept communications and launch man-in-the-middle attacks against users (see Time to Ban the "Bloatware").
But Dell appears to be trying to distance itself from what some information security experts are now labeling as the "Superfish 2.0" debacle. "The certificate is not malware or adware," Dell spokeswoman Laura P. Thomas says in a Nov. 23 blog post. "Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information."
She added that the certificate only gets installed if Dell Foundation Services is installed. "Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue."
In response, many security experts have accused Dell of attempting to downplay the threat that eDellRoot poses to end users. "Dell's spinning of this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish," security expert Robert Graham, who heads research firm Errata Security, says in a blog post. "This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error."
Security expert Troy Hunt, via Twitter, has likewise accused Dell of trying to split hairs. "Dell wasn't installing malware or adware, they were merely enabling others to intercept your encrypted [communications]," he says.
According to research published by researchers at cloud-based access security provider Duo Security, the Dell Foundation Services applidation was also designed to reinstall eDellRoot if users try to delete it, which is a no-no. "This highlights a disturbing trend among original equipment manufacturer hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk," the researchers say. "Tampering with the certificate store is a questionable practice, and OEMs need to be careful when adding new trusted certificates - especially root certificates."
The Duo Security researchers say that these warnings are not new. "Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."