So you're telling me, an American owned tech company is spying or allowing spying on its customers?!
Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more. The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted …
Is it even possible they somehow missed this in the design? This is a real question I'm asking..
No, they just bundled the private key stupidly in the package (thus essentially publishing it). Probably Asop the Intern being told to "quickly ship it".
"It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system"
Just like posting my bank details, home address, name and security answers all over the internet doesn't do any harm.
Or jumping off a building.
It's the bit afterwards that we're worried about. Cheers for the advice though, business as usual yea?
Perhaps someone more intelligent than me could explain the technical connection between a piece of spy software and a dodgy security certificate, apart from both being ungood.
It seems that here the author is comparing aardvarks* and anchovies*.
* apologies if either of these has been chosen for the name of a forthcoming release of Ubuntu...
While I have no data to compare our knowledge-bases or indeed intelligence; I'll offer the following hastily written summary - I apologise if it is not 100% accurate:
Software signed with a trusted certificate will run on your machine. A leaked root certificate means that anyone with it can sign any piece of software and your machine will trust it (if you have that root certificate installed).
A leaked root certificate means anyone with that private key can generate new public SSL certs so your browser, for example, will trust the site. This exposes you to man in the middle attacks in places where an attacker hijacks your connection and presents http://haha_suckers_this_is_a_drive_by_site.com as https://facebook.com.
Combine those things, and you have an easy way to install malware on any machine using an open wireless connection - for example. But in reality there are many ways that this could cause trouble
So I think you are saying that the PC becomes in effect a certificate issue factory that will then accept any certificate it is persuaded to generate using the details held on its system.
The net effect is that the certificates are not certificates of anything at all.
Is that a correct reading?
p.s. You really should post a new comment instead of hijacking an earlier post, unless you're replying.
If you buy a Dell and I buy a Dell.
I can use the private key on my dell to generate the aforementioned nasties. I can then install them on your Dell, and it will trust them, as I am using a certificate which is included in your list of trusted certificates. (ish)
So anyone with one of these Dells can screw everyone else who has one, so long as they keep trusting that cert.
It's a bit like if a bank gave everyone who rented a safety deposit box the same key. Except the box is your laptop.
Sort of correct. It sounds like all of these Dell PCs have the same root CA installed, so anyone obtaining it can generate certificates that these Dell PCs will accept as genuine.
That opens them up to being exploited by fake websites (banking, etc), nefarious apps, and so on.
"[...] so anyone obtaining it can generate certificates that these Dell PC's will accept as genuine."
Yeah, and if someone here thinks that the private key is not already in the hands of any miscreant that caught wind of the outrage, I've got them a nice bridge to sell.
Icon simply because this is an outrage.
Minor correction here - a leaked private key for a root certificate means that anyone can sign a piece of software. Without the private key you cannot sign anything. The certificate is in effect the public key, the part that is freely shared.
The fact that the private key is installed on all these PCs means that anyone with the right skillset can enact the attacks as mentioned in the article. The certificate and key need to be revoked - not sure on the mechanism for this outside the PC - but Dell need to supply a patch that will remove the affected certificate and private key and install only a replacement certificate based on a different private key and keep that key, well, private!
"The certificate and key need to be revoked"
This is the issue; as this is a self signed root certificate it CANNOT be revoked as there is no issuing authority to revoke it. As long as this root certificate is trusted by a computer then it will be trusted for EVERYTHING that is issued from it. And as the private key is in the wild, then that could be ANYTHING! Using the private key and OpenSSL in 2 minutes I could issue certificates for Google, EBay, Amazon, Facebook, YourBank.com, etc, etc, etc. Then, if you have one of these Dells, you would be none the wiser if I was intercepting all of the traffic from your computer to these websites.
I cannot believe the scale of this absolute balls up!
Thanks for the clarification on external revocation.
Believe my comment on local revocation (remove the cert / key) still stands tho. And looks like Dell are helping rectify this cock-up.
Believe my comment on local revocation (remove the cert / key) still stands tho
...Except for those reports of people who removed it and then it came back.
And looks like Dell are helping rectify this cock-up.
Far too little, far too late.
Someone that's stabbed you in the arm doesn't get sympathy because they've tried to keep some of the blood off your shirt...
I had noticed that, hence in the original post I had stated that Dell would have to release a patch to remove the stoooopidly installed cert/priv key pair.
Undeniably a huge cock up, and seriously damaging to their reputation.
Of course, major corporation says there is nothing to worry about so we shouldn't worry. It's not like major corporations have ever lied to us before, now is it ? Nor has any major corporation ever been proven wrong about something as sensitive and critical as security, right ?
It was an accident. Honest. It's just another of those "internal" cert faking kits you've been reading about surprisingly frequently lately. For "testing" only, honest. Must have just fallen in at the depot. We have now implemented robust safeguards to guarantee we'll never be caught doing exactly this ever again, and eNthusiastically eNcourage you to continue eNjoying the Dell eXperience.
You forgot the key buzz phrase... "We take your security and privacy very seriously".
>"We take your security and privacy, seriously."
Look, Corporations have lied in the past but it's a logical fallacy to say they will lie in future. In fact having been caught lying we can safely say they won't do it again, that's all in the past.
(Did you see how I used 'critical thinking' to slam you? Did you see how I tried to say that because they have been caught lying that they no longer do so?)
Did you see how I used 'critical thinking' to slam you?
Doing this kind of thing is bad.
Doing it *after* another major vendor and competitor was rightly nailed to the wall for doing pretty much the exact same thing is... well... I think Dell owes me a new BadSecurit-O-Meter.
This is why one should *always* do a complete wipe and reinstall of any new system. I don't care what anything: always wipe. Trust no one. If you can manage it, don't even trust yourself.
If Windows is newly installed on one of these (using say MSDN version, not Dell supplied version), will the Windows Platform Binary Table forcibly install this self signed root CA anyway?
"This is why one should *always* do a complete wipe ... Trust no one. If you can manage it, don't even trust yourself."
"This post has been deleted by its author"
Don't know if it was intentional or not, but it's genius.
It never ceases to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions. First we have the major breaches at Target, Home Depot, TJX and other behemoth commercial USA companies attributable to Windows terminals or some innocuous Microsoft device. Now Superfish 2.0 is upon us, and combined with gross "ransomware" that threatens medical devices if patients don't pay up, and the predictions of dire consequences by Richard Clark, Federal Government Cyber Czar under both Bush and Obama administrations, of relying on Microsoft weak software technologies has come home to roost.
Adding insult to ignorance, a recent report indicates many USA corporations plan to move to Windows 10 by early 2017. If Microsoft is suddenly and unexpectedly pulling updates and fixes for Windows 10 just this past week, how bad will it become in 2017 and beyond?
Yes bring back clay tablets, papyrus and reed pens.
"Yes bring back clay tablets, papyrus and reed pens."
Modern Android and iOS tablets are hardly "clay"*, there are more font choices on Linux and OS-X than that one, and the styluses, are "red", with a single "e", as in "seeing the price tag of the Apple Pencil will make your face flush red".
* although the latter's former propensity to stick glass everywhere makes them quite as brittle
This has nothing to do with Windows, Dell could as well ship machines with Linux with the same certificate installed, or install it into a pre-installed Firefox as well. CAs *can* be added in any OS because there are several situations where users need to add their own (think about company-wide CAs for a LAN...).
Of course, the private key should not be there...
At least, if you wish to bash Windows, try to do it looking smart... not clueless... it's not that difficult, after all.
"It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions."
Yeah, because no other operating system uses certificates and trusted root certificate authority. Everyone else is on Commodore 64's.
I wouldn't be holding up Android. Too many OEMs "customise" the experience and then have no way to patch for things like Stagefright. There are literally phones sitting on store shelves that will never see a Stagefright fix.
Microsoft have plenty to criticise. Too many Windows updates address being pwned by fonts, for goodness' sake, and half of those patches end up breaking Outlook. The blame here sits squarely on Dell. They are appropriately being shamed.
What's really special is if you delete it, it comes back... this on a brand new XPS 13...
Does it come back on the next reboot – something installing it during boot a la Lenovo?
I've just deleted it on a machine here, found it on a XPS 8700 desktop. We bought two of these computers just recently loaded with Windows 7 Pro.
If it comes back, then I'll be recommending that'll be the last time we buy a Hell (rhymes with Dell) workstation of any kind in this company.
Yes, it came back after reboot, I have moved to the untrusted cert location and it has not appeared back in the trusted root yet... I even ran Dell update and so far so good...
Now after putting it in the untrusted cert store it STILL managed to come back to life in the Trusted Root store... Some Dell utility must be loading it on the system..
Okay, interesting find.
I located the second XPS 8700 workstation. No certificate present.
Both machines have a manufactured date of 13th October.
Both machines were received on the 23rd, and I had both side-by-side doing Windows Updates, installing our standard SOE software. I was pretty much sitting there with both machines, two keyboards, typing the same things into both.
One machine was deployed to a user, and has been in constant use. The second was put back in its box to keep as a spare for when it was needed. The one we put away has not got the certificate installed at present.
I'll do a quick update and see if it appears.
We outright deleted it from the office Inspiron 15 laptop, and it didn't come back... oh wait, it has. Fuck. Me.
Stuart, presumably it was the stored system which was free of the malware?... suggesting that the machines arrive clean to be infected later?
Interesting indeed. Looking forward to your update update.
I wonder how long it'll be before Dell notices they've been rumbled and suspends this particular operation.
At least in the fine old USofA we've heard tales of shipments of equipment being detoured into warehouses where some minor alterations were performed. I'm guessing our common delivery systems (USPS, UPS, Fedex, etc.) are all part and parcel (sic) of this scheme.
When the BIOS (or other components) can be changed, good luck finding the nimble fingers.
Well, there are two possibilities:
- they are randomly loading PCs with A/B images, some which have the dodgy certificate, and some without.
- they shipped the bad certificate in an update after we deployed the machine.
I'm just rebooting the machine now. I'll do a few more checks for updates and see if it pops up.
I never checked to see if the certificate was present at the time of deployment: it is entirely possible it has been there the whole time.
Okay, 3 update-reboot cycles later, still no certificate.
This was both using Dell's update utility and Windows Update.
So either they've been caught out and stopped it (and so this machine dodged a bullet), or they've been shipping select machines with this dodginess preloaded.
Last update, after moving the cert to the untrusted store and it coming back in the trusted root, but it is now showing as "revoked" and the exploit(s) don't seem to affect it anymore.. Still waiting for some signed driver to blow up but so far so good..
I think they've been caught out and have decided to quickly "make good" the situation.
Might explain why the certificate never appeared on the second box.
Are you able to download and flash previous BIOS versions from Dell's site? The idea being you find an old one that doesn't have this in it.
Edit: There are proper removal instructions below.
Per the removal instructions below, the fact I disabled the Dell Update and Dell Foundations services very soon in the setup procedure might mean it is coming in as an update through that route...?
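The two technical threads above (a trusted root whose private key sits on the machine, so anyone with the box can mint certificates it will accept; and the certificate reappearing after deletion, even after being moved to the untrusted store) both come down to the same audit question: what is in the machine-wide Root and Disallowed stores right now, and does any root carry a private key? The following PowerShell script is an added example, not code from the article, from Dell, or from any commenter. It uses only the standard `Cert:` provider and .NET `X509Store` class; the default subject filter `*eDellRoot*` is an assumed value to change for whatever certificate you are tracking, and the `*Dell*` service filter is likewise only a constructed starting point for finding whatever is reinstalling the certificate.

```powershell
# Added example: audit the LocalMachine Root and Disallowed stores for a named
# root CA and for any root with a private key present, snapshot the result so
# runs across reboots can be diffed, and optionally quarantine matches.
# Assumptions: subject filter "*eDellRoot*" and service filter "*Dell*" are
# placeholders chosen for this example, not values taken from the article.
[CmdletBinding()]
param(
    [string]$SubjectPattern = "*eDellRoot*",   # assumed; set to the cert you are hunting
    [string]$SnapshotDir = "$env:ProgramData\RootAudit",
    [switch]$Quarantine                          # move matches Root -> Disallowed
)

function Get-RootsWithPrivateKey {
    # Any trusted root whose private key lives on this machine is the condition
    # discussed in the thread: the key material needed to sign for any name.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

function Find-RootByPattern {
    param([string]$Pattern)
    # Look in both Root (trusted) and Disallowed (untrusted) so a certificate
    # that "comes back" after quarantine is reported wherever it lands.
    foreach ($store in "Root", "Disallowed") {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                }
            }
    }
}

function Save-RootSnapshot {
    param([string]$Dir)
    # Thumbprint list of the Root store, timestamped, so two runs (e.g. before
    # and after a reboot or a vendor-update pass) can be compared with Compare-Object.
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $file = Join-Path $Dir ("root-" + (Get-Date -Format "yyyyMMdd-HHmmss") + ".txt")
    Get-ChildItem Cert:\LocalMachine\Root |
        Sort-Object Thumbprint |
        ForEach-Object { "{0}  {1}" -f $_.Thumbprint, $_.Subject } |
        Set-Content -Path $file
    $file
}

function Move-RootToDisallowed {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Windows consults the Disallowed store first, so a copy there blocks the
    # certificate even if something re-adds it to Root. Then remove the Root
    # copy together with its private key (-DeleteKey).
    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store("Disallowed", "LocalMachine")
    $disallowed.Open("ReadWrite")
    $disallowed.Add($Cert)
    $disallowed.Close()
    Remove-Item -Path "Cert:\LocalMachine\Root\$($Cert.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
}

Write-Host "== Trusted roots carrying a private key (should be empty) =="
Get-RootsWithPrivateKey | Format-Table -AutoSize

Write-Host "== Certificates matching $SubjectPattern =="
$matches = Find-RootByPattern -Pattern $SubjectPattern
$matches | Format-Table -AutoSize

Write-Host "== Snapshot written to: $(Save-RootSnapshot -Dir $SnapshotDir) =="

# Vendor services are one candidate for whatever keeps re-adding the root;
# the name filter is only an assumed starting point for the investigation.
Write-Host "== Services matching *Dell* (candidates for re-install behaviour) =="
Get-Service | Where-Object { $_.DisplayName -like "*Dell*" } |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

if ($Quarantine) {
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object { Move-RootToDisallowed -Cert $_; Write-Host "Quarantined $($_.Thumbprint)" }
}
```

Run it from an elevated prompt once, reboot, and run it again; `Compare-Object (Get-Content first.txt) (Get-Content second.txt)` on the two snapshot files shows whether anything was re-added. The `-Quarantine` switch reproduces the "move it to the untrusted store" step described in the thread, which is what makes the certificate show as blocked even when it reappears in Root; it is not a substitute for the vendor removing the component that reinstalls it.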
I have recently been looking at getting a new laptop and I was looking at the Dell website a week or two ago and I am nearly certain that I saw a banner citing spearfish as a reason not to consider rivals' products.
Egg on face
Biting the hand that feeds IT © 1998–2018