Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more. The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted …

  1. Bota

    So you're telling me, an American owned tech company is spying or allowing spying on its customers?!

    /shocked!

    1. maks303

      Is it even possible they somehow missed this in the design? This is a real question I'm asking..

      1. Destroy All Monsters Silver badge

        No, they just bundled the private key stupidly in the package (thus essentially publishing it). Probably Asop the Intern being told to "quickly ship it".

  2. cbars Bronze badge

    The private key

    "It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system"

    Totally true.

    Just like posting my bank details, home address, name and security answers all over the internet doesn't do any harm.

    Or jumping off a building.

    It's the bit afterwards that we're worried about. Cheers for the advice though, business as usual yea?

    1. Anonymous IV

      Connection?

      Perhaps someone more intelligent than me could explain the technical connection between a piece of spy software and a dodgy security certificate, apart from both being ungood.

      It seems that here the author is comparing aardvarks* and anchovies*.

      * apologies if either of these has been chosen for the name of a forthcoming release of Ubuntu...

      1. cbars Bronze badge

        Re: Connection?

        While I have no data to compare our knowledge-bases or indeed intelligence; I'll offer the following hastily written summary - I apologise if it is not 100% accurate:

        Software signed with a trusted certificate will run on your machine. A leaked root certificate means that anyone with it can sign any piece of software and your machine will trust it (if you have that root certificate installed).

        A leaked root certificate means anyone with that private key can generate new public SSL certs so your browser, for example will trust the site. This exposes you to man in the middle attacks in places where an attacker hijacks your connection and presents http://haha_suckers_this_is_a_drive_by_site.com as https://facebook.com.

        Combine those things, and you have an easy way to install malware on any machine using an open wireless connection - for example. But in reality there are many ways that this could cause trouble

        1. Richard Jones 1
          Flame

          Re: Connection?

          So I think you are saying that the PC becomes in effect a certificate issue factory that will then accept any certificate it is persuaded to generate using the details held on its system.

          The net effect is that the certificates are not certificates of anything at all.

          Is that a correct reading?

          1. cbars Bronze badge

            Re: Connection?

            Pretty much.

            If you buy a Dell and I buy a Dell.

            I can use the private key on my dell to generate the aforementioned nasties. I can then install them on your Dell, and it will trust them, as I am using a certificate which is included in your list of trusted certificates. (ish)

            So anyone with one of these Dell's can screw everyone else who has one, so long as they keep trusting that cert.

            It's a bit like if a bank gave everyone who rented a safety deposit box the same key. Except the box is your laptop.

          2. Anonymous Coward
            Anonymous Coward

            Re: Connection?

            Sort of correct. It sounds like all of these Dell PC's have the same root CA installed, so anyone obtaining it can generate certificates that these Dell PC's will accept as genuine.

            That opens them up to being exploited by fake websites (banking, etc), nefarious apps, and so on.

            1. BinkyTheHorse
              Flame

              Re: Connection?

              "[...] so anyone obtaining it can generate certificates that these Dell PC's will accept as genuine."

              Yeah, and if someone here thinks that the private key is not already in the hands of any miscreant that caught wind of the outrage, I've got them a nice bridge to sell.

              Icon simply because this is an outrage.

        2. Spikehead

          Re: Connection?

          Minor correction here - a leaked private key for a root certificate means that anyone can sign a piece of software. Without the private key you cannot sign anything. The certificate is in effect the public key, the part that is freely shared.

          The fact that the private key is installed on all these pc's means that anyone with the right skillset can enact the attacks as mentioned in the article. The certificate and key need to be revoked - not sure on the mechanism for this outside the PC - but Dell need to supply a patch that will remove the affected certificate and private key and install only a replacement certificate based on a different private key and keep that key, well, private!

          1. Anonymous Coward
            Anonymous Coward

            Re: Connection?

            "The certificate and key need to be revoked"

            This is the issue; as this is a self signed root certificate it CANNOT be revoked as there is no issuing authority to revoke it. As long as this root certificate is trusted by a computer then it will be trusted for EVERYTHING that it is issued from it. And as the private key is in the wild, then that could be ANYTHING! Using the private key and OpenSSL in 2 minutes I could issue certificates for Google, EBay, Amazon, Facebook, YourBank.com, etc, etc, etc. Then, if you have one of these Dells, you would be none the wiser if I was intercepting all of the traffic from your computer to these websites.

            I cannot believe the scale of this absolute balls up!

            1. Spikehead

              Re: Connection?

              Thanks for the clarification on external revocation.

              Believe my comment on local revocation (remove the cert / key) still stands tho. And looks like Dell are helping rectify this cock-up.

              1. Vic

                Re: Connection?

                Believe my comment on local revocation (remove the cert / key) still stands tho

                ...Except for those reports of people who removed it and then it came back.

                And looks like Dell are helping rectify this cock-up.

                Far too little, far too late.

                Someone that's stabbed you in the arm doesn't get sympathy because they've tried to keep some of the blood off your shirt...

                Vic.

                1. Spikehead

                  Re: Connection?

                  I had noticed that, hence in the original post I had stated that Dell would have to release a patch to remove the stoooopidly installed cert/priv key pair.

                  Undeniably a huge cock up, and seriously damaging to their reputation.

    2. cbars Bronze badge

      Re: Connection

      p.s. You really should post a new comment instead of hijacking an earlier post, unless you're replying.

  3. Pascal Monett Silver badge

    Well if Dell says so . . .

    Of course, major corporation says there is nothing to worry about so we shouldn't worry. It's not like major corporations have ever lied to us before, now is it ? Nor has any major corporation ever been proven wrong about something as sensitive and critical as security, right ?

    Riiight.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well if Dell says so . . .

      It was an accident. Honest. It's just another of those "internal" cert faking kits you've been reading about surprisingly frequently lately. For "testing" only, honest. Must have just fallen in at the depot. We have now implemented robust safeguards to guarantee we'll never be caught doing exactly this ever again, and eNthusiastically eNcourage you to continue eNjoying the Dell eXperience.

      Thankyou.

      --Dell PR

      1. Mark 85

        Re: Well if Dell says so . . .

        You forgot the key buzz phrase... "We take your security and privacy very seriously".

        1. P. Lee

          Re: Well if Dell says so . . .

          >"We take your security and privacy, seriously."

          FTFY

    2. Wayland Sothcott 1

      Re: Well if Dell says so . . .

      Look, Corporations have lied in the past but it's a logical fallacy to say they will lie in future. In fact having been caught lying we can safely say they won't do it again, that's all in the past.

      (Did you see how I used 'critical thinking' to slam you? Did you see how I tried to say that because they have been caught lying that they no longer do so?)

      1. Vic

        Re: Well if Dell says so . . .

        Did you see how I used 'critical thinking' to slam you?

        Where?

        Vic.

  4. RIBrsiq
    Facepalm

    Doing this kind of thing is bad.

    Doing it *after* another major vendor and competitor was rightly nailed to the wall for doing pretty much the exact same thing is... well... I think Dell owes me a new BadSecurit-O-Meter.

    This is why one should *always* do a complete wipe and reinstall of any new system. I don't care what anything: always wipe. Trust no one. If you can manage it, don't even trust yourself.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      If Windows is newly installed on one of these (using say MSDN version, not Dell supplied version), will the Windows Platform Binary Table forcibly install this self signed root CA anyway?

    3. scrubber
      Thumb Up

      Funniest comment in months

      "This is why one should *always* do a complete wipe ... Trust no one. If you can manage it, don't even trust yourself."

      Next comment:

      "This post has been deleted by its author"

      Don't know if it was intentional or not, but it's genius.

  5. W. Anderson

    Continuing saga of Microsoft software collapse

    It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions. First we have the major breaches at Target, Home Depot, TJX and other behemoth commercial USA companies attributable to Windows terminals or some innocuous Microsoft device. Now Superfish 2.0 is upon us, and combined with gross "ransomware" that threatens medical devices if patients don't pay up, and the predictions of dire consequences by Richard Clark, Federal Government Cyber Czar under both Bush and Obama administrations, of relying on Microsoft weak software technologies has come home to roost.

    Adding insult to ignorance, a recent report indicates many USA corporations plan to move to Windows 10 by early 2017. If Microsoft is suddenly and unexpectedly pulling updates and fixes for Windows 10 just this past week, how bad will it become in 2017 and beyond?

    1. Richard Jones 1
      WTF?

      Re: Continuing saga of Microsoft software collapse

      Yes bring back clay tablets, papyrus and reed pens.

      1. BinkyTheHorse
        Coat

        Re: Continuing saga of Microsoft software collapse

        "Yes bring back clay tablets, papyrus and reed pens."

        Modern Android and iOS tablets are hardly "clay"*, there are more font choices on Linux and OS-X than that one, and the styluses, are "red", with a single "e", as in "seeing the price tag of the Apple Pencil will make your face flush red".

        * although the latter's former propensity to stick glass everywhere makes them quite as brittle

    2. Anonymous Coward
      Anonymous Coward

      Re: Continuing saga of Microsoft software collapse

      This has nothing to do with Windows, Dell could as well ship machines with Linux with the same certificate installed, or install it into a pre-installed Firefox as well. CAs *can* be added in any OS because there are several situations where users need to add their own (think about company-wide CAs for a LAN...).

      Of course, the private key should not be there...

      At least, if you wish to bash Windows, try to do it looking smart... not clueless... it's not that difficult, after all.

      1. This post has been deleted by its author

    3. Wzrd1 Silver badge

      Re: Continuing saga of Microsoft software collapse

      "It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions."

      Yeah, because no other operating system uses certificates and trusted root certificate authority. Everyone else is on Commodore 64's.

    4. Adam 1

      Re: Continuing saga of Microsoft software collapse

      I wouldn't be holding up android. Too many OEMs "customise" the experience and then have no way to patch for things like stagefright. There are literally phones sitting on store shelves that will never see a stagefright fix.

      Microsoft have plenty to criticise. Too many windows updates address being pwned by fonts for goodness sake and half of those patches end up breaking outlook. The blame here sits squarely on dell. They are appropriately being shamed.

  6. Anonymous Coward
    Anonymous Coward

    What's really special is if you delete it, it comes back... this on a brand new XPS 13...

    1. diodesign (Written by Reg staff) Silver badge

      Re: anonymous

      Does it come back on the next reboot – something installing it during boot a la Lenovo?

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: anonymous

        Yes, it came back after reboot, I have moved to the untrusted cert location and it has not appeared back in the trusted root yet... I even ran Dell update and so far so good...

      2. Anonymous Coward
        Anonymous Coward

        Re: anonymous

        Now after putting it in the untrusted cert store it STILL managed to come back to life in the Trusted Root store... Some Dell utility must be loading it on the system..

        1. diodesign (Written by Reg staff) Silver badge

          Re: Re: anonymous

          We outright deleted it from the office Inspiron 15 laptop, and it didn't come back... oh wait, it has. Fuck. Me.

          C.

        2. Anonymous Coward
          Anonymous Coward

          Re: anonymous

          Last update, after moving the cert to the untrusted store and it coming back in the trusted root, but it is now showing as "revoked" and the exploit(s) don't seem to affect it anymore.. Still waiting for some signed driver to blow up but so far so good..

          1. Anonymous Coward
            Anonymous Coward

            Re: anonymous

            I think they've been caught out and have decided to quickly "make good" the situation.

            Might explain why the certificate never appeared on the second box.

          2. Dan 55 Silver badge
            Holmes

            Re: anonymous

            Are you able to download and flash previous BIOS versions from Dell's site? The idea being you find an old one that doesn't have this in it.

            Edit: There are proper removal instructions below.

    2. Anonymous Coward
      Anonymous Coward

      I've just deleted it on a machine here, found it on a XPS 8700 desktop. We bought two of these computers just recently loaded with Windows 7 Pro.

      If it comes back, then I'll be recommending that'll be the last time we buy a Hell (rhymes with Dell) workstation of any kind in this company.

      1. Anonymous Coward
        Anonymous Coward

        Okay, interesting find.

        I located the second XPS 8700 workstation. No certificate present.

        Both machines have a manufactured date of 13th October.

        Both machines were received on the 23rd, and I had both side-by-side doing Windows Updates, installing our standard SOE software. I was pretty much sitting there with both machines, two keyboards, typing the same things into both.

        One machine was deployed to a user, and has been in constant use. The second was put back in its box to keep as a spare for when it was needed. The one we put away has not got the certificate installed at present.

        I'll do a quick update and see if it appears.

        1. Anonymous Coward
          Anonymous Coward

          Stuart, presumably it was the stored system which was free of the malware?... suggesting that the machines arrive clean to be infected later?

          Interesting indeed. Looking forward to your update update.

          I wonder how long it'll be before Dell notices they've been rumbled and suspends this particular operation.

          1. elDog

            Sounds like the shipments may have been diverted

            At least in the fine old USofA we've heard tales of shipments of equipment being detoured into warehouses where some minor alterations were performed. I'm guessing our common delivery systems (USPS, UPS, Fedex, etc.) are all part and parcel (sic) of this scheme.

            When the BIOS (or other components) can be changed, good luck finding the nimble fingers.

          2. Anonymous Coward
            Anonymous Coward

            Well, there are two possibilities:

            - they are randomly loading PCs with A/B images, some which have the dodgy certificate, and some without.

            OR

            - they shipped the bad certificate in an update after we deployed the machine.

            I'm just rebooting the machine now. I'll do a few more checks for updates and see if it pops up.

            I never checked to see if the certificate was present at the time of deployment: it is entirely possible it has been there the whole time.

            1. Anonymous Coward
              Anonymous Coward

              Okay, 3 update-reboot cycles later, still no certificate.

              This was both using Dell's update utility and Windows Update.

              So either they've been caught out and stopped it (and so this machine dodged a bullet), or they've been shipping select machines with this dodginess preloaded.

        2. Woodnag

          Not on my Inspiron E5550 built around 20 August 2015

          Running 8.1

          1. Woodnag

            Re: Not on my Inspiron E5550 built around 20 August 2015

            Per the removal instructions below, the fact I disabled the Dell Update and Dell Foundations services very soon in the setup procedure might mean it is coming in as an update through that route...?

  7. mrtom84

    Interesting

    I have recently been looking at getting a new laptop and I was looking at the Dell website a week or two ago and I am nearly certain that I saw a banner citing spearfish as a reason not to consider rivals' products.

    Egg on face

  8. Anonymous Coward
    Anonymous Coward

    Nothing to see here

    This is an official government back door to be used only by the relevant authorities. It will never be found by bad people and anyway, you have nothing to hide.

    1. Anonymous Coward
      Paris Hilton

      Re: Nothing to see here

      That's the spirit Citizen Coward. We need this heroic goodness to fight the virtuous war against Terrorfirma and Paedophania. If we'd had it sooner Paris wouldn't have happened.

      If you've done nothing wrong, you have nothing to fear.

    2. Vic

      Re: Nothing to see here

      and anyway, you have nothing to hide.

      Well, not any more you don't.

      Vic.

  9. Nolveys
    Big Brother

    Doesn't Change Anything For Me

    When Lenovo decided to include firmware to auto-install malware on Windows they made it onto my No Buy Ever list. This isn't the case with Dell, as they've already been on the list for over a decade.

    - Proprietary PSUs that, when replaced with normal PSUs, cause the machine to power on and off, on and off when in the "powered off" state.

    - Power bricks with "data" lines that allow the BIOS to determine if the power brick is "genuine Dell" and downclock the CPU by 50% if it isn't. The "genuine" bricks sell for 2x the price of the others.

    - Failure to address major capacitor quality issues, replacing boards with exploded caps with boards with soon-to-explode caps.

    - Dell branded Windows COAs, "too bad you spent all this time trying to reinstall an OS, this COA only works with 'Dell Windows'".

    - Batshit insane case design.

    Dell: nope.

  10. Anonymous Coward
    Anonymous Coward

    Dell's hijinks with laptop power bricks falsely refusing to charge after the warranty period expired... that's why they're on my personal shit list.

  11. Anonymous Coward
    Anonymous Coward

    Rooted

    'nuff said

  12. gollux
    Mushroom

    Have you been Delled today? How's it feel to be one of the little people?

    I've just been Delled and I don't like it!

    Gee, that's really Delled...

    Go Dell off, MoDo...

    Situation Normal, All Delled Up.

    Just remember, Dell's a four letter word that has new meaning. You've all been warned.

  13. Bob Dole (tm)
    Holmes

    legal?

    I wonder if it's actually legal for these manufacturers to essentially intercept peoples work/communications. Don't they have to be a federal agency for that?

    1. Destroy All Monsters Silver badge

      Re: legal?

      Well, they don't do it, they just publish the private key for world and dog to use.

  14. Destroy All Monsters Silver badge
    Paris Hilton

    "You fucked up - you trusted Dell"

    It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system, so we don't recommend-1

    What happened here? Was the carrier lost?

    1. gollux

      Re: "You fucked up - you trusted Dell"

      Loss of brain connection. It's funny how little time passed between Lenovo issuing such a statement and the first POC's started flowing to show how little a grasp on security the company had.

      Dell's on my s-list for messing up a couple servers a few years ago. and s- doesn't stand for short.

      When your server sounds like it's a couple bricks slamming around which turns out to be the hard drive subassembly, well... and now a trusted malware signing tool freely available... banishment to the ninth circle is in order.

    2. VinceH

      Re: "You fucked up - you trusted Dell"

      First part of a multi-part tweet? *Looks...

      Yup:

      @rotorcowboy It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system, so we don't recommend-1

      @rotorcowboy (2) you to edit the registry. Let me know if there is anything else I can help you with. ^NB

  15. Steve Crook

    Bugger

    There was me going to buy a new XPS 13. Perhaps not.

  16. VinceH

    " In fact, the Dell certificate was created months after the Superfish blowup – was no one at the Texas goliath paying attention?"

    Yes. Yes, they were.

    "Hey, Bob - look what Lenovo has done. Good idea?"

    "Well, no, Tim - it's clearly backfired now that people have spotted it. But it's given me an idea..."

  17. Anonymous Coward
    Anonymous Coward

    Possible removal instructions

    For those that are affected, there are some instructions here:

    You get rid of the certificate by performing following actions:

    1) Stop and Disable Dell Foundations Service

    2) Delete eDellRoot CA registry key here

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\98A04E4163357790C4A79E6D713FF0AF51FE6927

    Then reboot and test.

    I haven't tried this yet, as the affected machine (see above) has another user logged in (and might have work open), when she gets in we'll do those steps and report back.

    1. Anonymous Coward
      Anonymous Coward

      Re: Possible removal instructions

      Well, I had deleted the certificate through certmgr.msc already, so we've disabled the service mentioned and rebooted.

      So far so good. I'll check tomorrow.

      1. Anonymous Coward
        Anonymous Coward

        Re: Possible removal instructions

        Didn't check "tomorrow" like I said I would, yesterday was hectic. Had a look this morning, and so far, so good.

        You can trust Dell's .exe "patch" if you like, but the instructions that worked for me:

        - Bring up the certificate manager (Logo+R, type certmgr.msc, press ENTER) and under the Trusted Root Certificates, look for and delete eDellRoot.

        - Bring up the Services control panel (Start, right-click Computer, select Manage, under Services and Applications, select Services), look for "Dell Foundations Service", right-click and select Properties.

        - Click the Stop button, then change the Startup type to "Disabled", click OK.

        Reboot to be sure, your machine should remain clean from now on.
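
The check behind the removal steps in this sub-thread, as an added read-only PowerShell example (not part of any commenter's post and not Dell's tooling): it searches every certificate store for the thumbprint quoted above, notes whether a private key is attached, and reports the state of the "Dell Foundations Service" the commenters disabled. The function name and output property names are this example's own; rerunning it after a reboot shows whether the certificate has returned, as several posters reported.

```powershell
# Added example: read-only audit for the eDellRoot certificate discussed in this thread.
# The thumbprint, registry path and service display name are the values quoted in the
# comments above. Function and property names are illustrative, not from Dell.

function Get-EDellRootAudit {
    [CmdletBinding()]
    param(
        [string]$Thumbprint         = '98A04E4163357790C4A79E6D713FF0AF51FE6927',
        [string]$ServiceDisplayName = 'Dell Foundations Service'
    )

    # 1. Search every store, machine-wide and per-user, for the thumbprint.
    #    Commenters saw the certificate in Trusted Root and, after moving it,
    #    in the untrusted (Disallowed) store, so both are worth reporting.
    $hits = foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($store in Get-ChildItem -Path "Cert:\$location") {
            Get-ChildItem -Path "Cert:\$location\$($store.Name)" -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $Thumbprint } |
                ForEach-Object {
                    [pscustomobject]@{
                        Store         = "$location\$($store.Name)"
                        Subject       = $_.Subject
                        NotAfter      = $_.NotAfter
                        HasPrivateKey = $_.HasPrivateKey
                    }
                }
        }
    }

    # 2. The registry key named in the removal instructions.
    $regPath    = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$Thumbprint"
    $regPresent = Test-Path -Path $regPath

    # 3. The service the removal instructions stop and disable.
    $svc = Get-CimInstance -ClassName Win32_Service `
               -Filter "DisplayName='$ServiceDisplayName'" -ErrorAction SilentlyContinue

    $inRoot       = @($hits | Where-Object { $_.Store -match '\\Root$' })
    $inDisallowed = @($hits | Where-Object { $_.Store -match '\\Disallowed$' })
    $withKey      = @($hits | Where-Object { $_.HasPrivateKey })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CheckedAt          = Get-Date
        InRootStore        = $inRoot.Count -gt 0
        RootRegistryKey    = $regPresent
        InDisallowedStore  = $inDisallowed.Count -gt 0
        PrivateKeyAttached = $withKey.Count -gt 0
        ServiceState       = if ($svc) { $svc.State }     else { 'NotInstalled' }
        ServiceStartMode   = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        Stores             = $hits
    }
}

# Run once now and again after the next reboot, then compare the two results.
Get-EDellRootAudit | Format-List
```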

  18. John 104

    Feeling SO fine

    SO glad I canceled the order I had for the XPS13 and went with an HP Envy 13T instead. Cheaper, better spec, and none of this root cert/private key BS.

    1. Marcel

      Re: Feeling SO fine

      Lenovo is doing it. Dell is doing it. What makes you think HP is not doing it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Feeling SO fine

        I think it is time we stopped trusting OEM installs.

        Our trust has been abused by Dell and Lenovo now. Who next? Asus? MSI? Samsung? Toshiba?

        Clearly, manufacturers do not have our interests at heart when they ship a device with Windows pre-loaded.

        Time to go back to the old days when the machine was shipped to the end user blank and they then had someone technically knowledgeable (that they trust) to do the OS installation and set-up.

        1. Vic

          Re: Feeling SO fine

          I think it is time we stopped trusting OEM installs.

          Even that might not be enough.

          If this is being shipped in the WPBT - as the Lenovo crapware was - even a fresh install is going to get pwned on boot.

          Ooops. That was a good idea, wasn't it?

          Vic.

          1. Anonymous Coward
            Anonymous Coward

            Re: Feeling SO fine

            Yep, it was a "good idea". A good idea for generating e-waste.

            I was of the understanding that WPBT was a Windows 8 and later feature, not Windows 7. Thankfully it is, nor never will be, a Linux feature.

            1. Vic

              Re: Feeling SO fine

              Thankfully it is, nor never will be, a Linux feature.

              Ten years ago, no-one would even think that possible.

              These days? I wouldn't bet my house on it. Miguel will find a way to incorporate it somehow...

              Vic.

              1. Anonymous Coward
                Linux

                Re: Feeling SO fine

                We need a *BSD icon! --->

  19. JimBob01

    Spying?

    If you are really worried about spies intercepting your traffic then take a look at the looooonnngggg list of trusted roots. How many of them do you recognise? How many of the recognised providers have also been ‘required’ to provide valid certificates to TLAs? How many of those roots are actually owned by TLAs?

    1. Anonymous Coward
      Anonymous Coward

      Re: Spying?

      This isn't about TLAs spying. Of course they can use any of myriad certs from the ridiculously distended list of "trust" - that is precisely why the clusterfuck "system" was so carefully designed just as it is.

      To subvert the "trust" in the CA sham, you need the private keys or knowledge of and opportunity to deploy an exploitable vulnerability. The TLAs are generally quite careful to keep those things quiet and even help patch up the vulnerabilities once sufficient evidence of external exploitation develops.

      This is a case of a corporation buggering up its own mechanism to permanently pwn all its victims "valuable valued customers" - it has given the entire world the tools to pwn all those victims "valuable valued customers".

      Dell has, quite literally, published the keys to its own backdoor.

      Oopsie.

  20. Fungus Bob

    This is why you should format the hard drive and install <your favorite OS> as soon as you get your shiny new PC home.

    1. This post has been deleted by its author

  21. Wzrd1 Silver badge

    Odd

    We have a Dell of a lot of Dell computers here, no Dell root certificate here.

    Oh, that's right! We build our own builds and install them, rather than trusting a vendor to not muck things up.

    1. Vic

      Re: Odd

      Oh, that's right! We build our own builds and install them, rather than trusting a vendor to not muck things up.

      That's still vulnerable to WPBT...

      Vic.

  22. Timmy B

    Mucking Dell....

    I have the same Dell as in the image at the top of the story. Thankfully it is running Win 10 from an iso from MS and totally wiped down. I'll still check though - who knows what may have sneaked in with a driver install, etc. All that time to ensure I check all the setup so that it is secure as I can make it and stuff like this happens - sigh.

  23. Anonymous Coward
    Anonymous Coward

    This is the

    VERY reason that the first thing i do, is wipe the HD and then install a clean OS. Stops all the crapware dead in its tracks...

    1. Anonymous Coward
      Anonymous Coward

      Re: This is the

      It does if the OS isn't designed to load a blob of crapware from the EFI firmware image on boot.

  24. s5PGmU
    WTF?

    Yet another reason to either do a clean reinstall of Windows, or better yet, install some open source OS when you buy a new computer.

    Also, what idiot at Dell thought this could possibly be a good idea?
