Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more. The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted …


  1. Bota

    So you're telling me, an American-owned tech company is spying or allowing spying on its customers?!

    /shocked!

    1. maks303

      Is it even possible they somehow missed this in the design? This is a real question I'm asking.

      1. Destroy All Monsters Silver badge

        No, they just bundled the private key stupidly in the package (thus essentially publishing it). Probably Asop the Intern being told to "quickly ship it".

  2. cbars

    The private key

    "It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system"

    Totally true.

    Just like posting my bank details, home address, name and security answers all over the internet doesn't do any harm.

    Or jumping off a building.

    It's the bit afterwards that we're worried about. Cheers for the advice though, business as usual yea?

    1. Anonymous IV

      Connection?

      Perhaps someone more intelligent than me could explain the technical connection between a piece of spy software and a dodgy security certificate, apart from both being ungood.

      It seems that here the author is comparing aardvarks* and anchovies*.

      * apologies if either of these has been chosen for the name of a forthcoming release of Ubuntu...

      1. cbars

        Re: Connection?

        While I have no data to compare our knowledge-bases or indeed intelligence, I'll offer the following hastily written summary - I apologise if it is not 100% accurate:

        Software signed with a trusted certificate will run on your machine. A leaked root certificate means that anyone with it can sign any piece of software and your machine will trust it (if you have that root certificate installed).

        A leaked root certificate means anyone with that private key can generate new public SSL certs so your browser, for example, will trust the site. This exposes you to man-in-the-middle attacks in places where an attacker hijacks your connection and presents http://haha_suckers_this_is_a_drive_by_site.com as https://facebook.com.

        Combine those things, and you have an easy way to install malware on any machine using an open wireless connection - for example. But in reality there are many ways that this could cause trouble.
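        An added check, not code from the article or from any commenter, for the condition cbars describes: it audits a Windows machine's Trusted Root store for any CA certificate that carries a private key, which a trust anchor on an endpoint should never do, and re-runs the audit on a schedule because later posts report the certificate reappearing after removal. Assumes PowerShell 3 or later running elevated; the log path is an assumed location.

        ```powershell
        # Added example: list trusted root CA certificates whose private key is present
        # on this machine. Any hit is exactly the situation the thread describes.
        function Get-RootCertsWithPrivateKey {
            param(
                # Stores to inspect; the thread reports the cert in the machine-wide Root store
                [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
            )
            foreach ($path in $StorePaths) {
                Get-ChildItem -Path $path | Where-Object { $_.HasPrivateKey } | ForEach-Object {
                    [pscustomobject]@{
                        Store      = $path
                        Subject    = $_.Subject
                        Thumbprint = $_.Thumbprint
                        NotAfter   = $_.NotAfter
                        # A self-signed root has no issuer above it, so nothing outside
                        # the machine can revoke it; only removing it from the store helps.
                        SelfSigned = ($_.Subject -eq $_.Issuer)
                    }
                }
            }
        }

        # Commenters report the certificate coming back after deletion. Re-run the audit
        # periodically and log every result so a reinstall is noticed rather than assumed gone.
        function Watch-RootStore {
            param(
                [int]$IntervalSeconds = 300,
                [string]$LogPath = "$env:ProgramData\root-key-audit.log"   # assumed location
            )
            while ($true) {
                $hits  = Get-RootCertsWithPrivateKey
                $stamp = (Get-Date).ToString('s')
                if ($hits) {
                    foreach ($hit in $hits) {
                        "$stamp FOUND $($hit.Store) $($hit.Thumbprint) $($hit.Subject)" | Add-Content -Path $LogPath
                    }
                } else {
                    "$stamp clean" | Add-Content -Path $LogPath
                }
                Start-Sleep -Seconds $IntervalSeconds
            }
        }

        # One-off audit, printed as a table:
        Get-RootCertsWithPrivateKey | Format-Table -AutoSize
        ```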

        1. Richard Jones 1
          Flame

          Re: Connection?

          So I think you are saying that the PC becomes in effect a certificate issue factory that will then accept any certificate it is persuaded to generate using the details held on its system.

          The net effect is that the certificates are not certificates of anything at all.

          Is that a correct reading?

          1. cbars

            Re: Connection?

            Pretty much.

            If you buy a Dell and I buy a Dell.

            I can use the private key on my Dell to generate the aforementioned nasties. I can then install them on your Dell, and it will trust them, as I am using a certificate which is included in your list of trusted certificates. (ish)

            So anyone with one of these Dells can screw everyone else who has one, so long as they keep trusting that cert.

            It's a bit like if a bank gave everyone who rented a safety deposit box the same key. Except the box is your laptop.

          2. Anonymous Coward

            Re: Connection?

            Sort of correct. It sounds like all of these Dell PCs have the same root CA installed, so anyone obtaining it can generate certificates that these Dell PCs will accept as genuine.

            That opens them up to being exploited by fake websites (banking, etc), nefarious apps, and so on.

            1. BinkyTheHorse
              Flame

              Re: Connection?

              "[...] so anyone obtaining it can generate certificates that these Dell PCs will accept as genuine."

              Yeah, and if someone here thinks that the private key is not already in the hands of any miscreant that caught wind of the outrage, I've got them a nice bridge to sell.

              Icon simply because this is an outrage.

        2. Spikehead

          Re: Connection?

          Minor correction here - a leaked private key for a root certificate means that anyone can sign a piece of software. Without the private key you cannot sign anything. The certificate is in effect the public key, the part that is freely shared.

          The fact that the private key is installed on all these PCs means that anyone with the right skillset can enact the attacks as mentioned in the article. The certificate and key need to be revoked - not sure on the mechanism for this outside the PC - but Dell need to supply a patch that will remove the affected certificate and private key and install only a replacement certificate based on a different private key, and keep that key, well, private!

          1. Anonymous Coward

            Re: Connection?

            "The certificate and key need to be revoked"

            This is the issue; as this is a self-signed root certificate it CANNOT be revoked, as there is no issuing authority to revoke it. As long as this root certificate is trusted by a computer then it will be trusted for EVERYTHING that is issued from it. And as the private key is in the wild, then that could be ANYTHING! Using the private key and OpenSSL, in 2 minutes I could issue certificates for Google, EBay, Amazon, Facebook, YourBank.com, etc, etc, etc. Then, if you have one of these Dells, you would be none the wiser if I was intercepting all of the traffic from your computer to these websites.

            I cannot believe the scale of this absolute balls up!

            1. Spikehead

              Re: Connection?

              Thanks for the clarification on external revocation.

              Believe my comment on local revocation (remove the cert / key) still stands tho. And looks like Dell are helping rectify this cock-up.

              1. Vic

                Re: Connection?

                Believe my comment on local revocation (remove the cert / key) still stands tho

                ...Except for those reports of people who removed it and then it came back.

                And looks like Dell are helping rectify this cock-up.

                Far too little, far too late.

                Someone that's stabbed you in the arm doesn't get sympathy because they've tried to keep some of the blood off your shirt...

                Vic.

                1. Spikehead

                  Re: Connection?

                  I had noticed that, hence in the original post I had stated that Dell would have to release a patch to remove the stoooopidly installed cert/priv key pair.

                  Undeniably a huge cock up, and seriously damaging to their reputation.

    2. cbars

      Re: Connection

      p.s. You really should post a new comment instead of hijacking an earlier post, unless you're replying.

  3. Pascal Monett Silver badge

    Well if Dell says so . . .

    Of course, a major corporation says there is nothing to worry about, so we shouldn't worry. It's not like major corporations have ever lied to us before, now is it? Nor has any major corporation ever been proven wrong about something as sensitive and critical as security, right?

    Riiight.

    1. Anonymous Coward

      Re: Well if Dell says so . . .

      It was an accident. Honest. It's just another of those "internal" cert faking kits you've been reading about surprisingly frequently lately. For "testing" only, honest. Must have just fallen in at the depot. We have now implemented robust safeguards to guarantee we'll never be caught doing exactly this ever again, and eNthusiastically eNcourage you to continue eNjoying the Dell eXperience.

      Thank you.

      --Dell PR

      1. Mark 85 Silver badge

        Re: Well if Dell says so . . .

        You forgot the key buzz phrase... "We take your security and privacy very seriously".

        1. P. Lee Silver badge

          Re: Well if Dell says so . . .

          >"We take your security and privacy, seriously."

          FTFY

    2. Wayland Sothcott 1 Bronze badge

      Re: Well if Dell says so . . .

      Look, Corporations have lied in the past but it's a logical fallacy to say they will lie in future. In fact having been caught lying we can safely say they won't do it again, that's all in the past.

      (Did you see how I used 'critical thinking' to slam you? Did you see how I tried to say that because they have been caught lying that they no longer do so?)

      1. Vic

        Re: Well if Dell says so . . .

        Did you see how I used 'critical thinking' to slam you?

        Where?

        Vic.

  4. RIBrsiq
    Facepalm

    Doing this kind of thing is bad.

    Doing it *after* another major vendor and competitor was rightly nailed to the wall for doing pretty much the exact same thing is... well... I think Dell owes me a new BadSecurit-O-Meter.

    This is why one should *always* do a complete wipe and reinstall of any new system. I don't care what anything: always wipe. Trust no one. If you can manage it, don't even trust yourself.

    1. This post has been deleted by its author

    2. Anonymous Coward

      If Windows is newly installed on one of these (using say MSDN version, not Dell supplied version), will the Windows Platform Binary Table forcibly install this self signed root CA anyway?

    3. scrubber
      Thumb Up

      Funniest comment in months

      "This is why one should *always* do a complete wipe ... Trust no one. If you can manage it, don't even trust yourself."

      Next comment:

      "This post has been deleted by its author"

      Don't know if it was intentional or not, but it's genius.

  5. W. Anderson

    Continuing saga of Microsoft software collapse

    It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions. First we have the major breaches at Target, Home Depot, TJX and other behemoth commercial USA companies attributable to Windows terminals or some innocuous Microsoft device. Now Superfish 2.0 is upon us, and combined with gross "ransomware" that threatens medical devices if patients don't pay up, and the predictions of dire consequences by Richard Clark, Federal Government Cyber Czar under both Bush and Obama administrations, of relying on Microsoft weak software technologies has come home to roost.

    Adding insult to ignorance, a recent report indicates many USA corporations plan to move to Windows 10 by early 2017. If Microsoft is suddenly and unexpectedly pulling updates and fixes for Windows 10 just this past week, how bad will it become in 2017 and beyond?

    1. Richard Jones 1
      WTF?

      Re: Continuing saga of Microsoft software collapse

      Yes bring back clay tablets, papyrus and reed pens.

      1. BinkyTheHorse
        Coat

        Re: Continuing saga of Microsoft software collapse

        "Yes bring back clay tablets, papyrus and reed pens."

        Modern Android and iOS tablets are hardly "clay"*, there are more font choices on Linux and OS-X than that one, and the styluses, are "red", with a single "e", as in "seeing the price tag of the Apple Pencil will make your face flush red".

        * although the latter's former propensity to stick glass everywhere makes them quite as brittle

    2. LDS Silver badge

      Re: Continuing saga of Microsoft software collapse

      This has nothing to do with Windows, Dell could as well ship machines with Linux with the same certificate installed, or install it into a pre-installed Firefox as well. CAs *can* be added in any OS because there are several situations where users need to add their own (think about company-wide CAs for a LAN...).

      Of course, the private key should not be there...

      At least, if you wish to bash Windows, try to do it looking smart... not clueless... it's not that difficult, after all.

      1. This post has been deleted by its author

    3. Wzrd1

      Re: Continuing saga of Microsoft software collapse

      "It never ceased to amaze me that the maladies associated with Windows systems continue to grow to astronomical proportions."

      Yeah, because no other operating system uses certificates and trusted root certificate authorities. Everyone else is on Commodore 64s.

    4. Adam 1 Silver badge

      Re: Continuing saga of Microsoft software collapse

      I wouldn't be holding up android. Too many OEMs "customise" the experience and then have no way to patch for things like stagefright. There are literally phones sitting on store shelves that will never see a stagefright fix.

      Microsoft have plenty to criticise. Too many Windows updates address being pwned by fonts, for goodness sake, and half of those patches end up breaking Outlook. The blame here sits squarely on Dell. They are appropriately being shamed.

  6. Anonymous Coward

    What's really special is if you delete it, it comes back... this on a brand new XPS 13...

    1. diodesign (Written by Reg staff) Silver badge

      Re: anonymous

      Does it come back on the next reboot – something installing it during boot a la Lenovo?

      C.

      1. Anonymous Coward

        Re: anonymous

        Yes, it came back after reboot. I have moved it to the untrusted cert location and it has not appeared back in the trusted root yet... I even ran Dell Update and so far so good...

      2. Anonymous Coward

        Re: anonymous

        Now after putting it in the untrusted cert store it STILL managed to come back to life in the Trusted Root store... Some Dell utility must be loading it on the system..

        1. diodesign (Written by Reg staff) Silver badge

          Re: Re: anonymous

          We outright deleted it from the office Inspiron 15 laptop, and it didn't come back... oh wait, it has. Fuck. Me.

          C.

        2. Anonymous Coward

          Re: anonymous

          Last update, after moving the cert to the untrusted store and it coming back in the trusted root, but it is now showing as "revoked" and the exploit(s) don't seem to affect it anymore.. Still waiting for some signed driver to blow up but so far so good..

          1. Anonymous Coward

            Re: anonymous

            I think they've been caught out and have decided to quickly "make good" the situation.

            Might explain why the certificate never appeared on the second box.

          2. Dan 55 Silver badge
            Holmes

            Re: anonymous

            Are you able to download and flash previous BIOS versions from Dell's site? The idea being you find an old one that doesn't have this in it.

            Edit: There are proper removal instructions below.

    2. Anonymous Coward

      I've just deleted it on a machine here, found it on an XPS 8700 desktop. We bought two of these computers just recently, loaded with Windows 7 Pro.

      If it comes back, then I'll be recommending that'll be the last time we buy a Hell (rhymes with Dell) workstation of any kind in this company.

      1. Anonymous Coward

        Okay, interesting find.

        I located the second XPS 8700 workstation. No certificate present.

        Both machines have a manufactured date of 13th October.

        Both machines were received on the 23rd, and I had both side-by-side doing Windows Updates, installing our standard SOE software. I was pretty much sitting there with both machines, two keyboards, typing the same things into both.

        One machine was deployed to a user, and has been in constant use. The second was put back in its box to keep as a spare for when it was needed. The one we put away has not got the certificate installed at present.

        I'll do a quick update and see if it appears.

        1. Anonymous Coward

          Stuart, presumably it was the stored system which was free of the malware?... suggesting that the machines arrive clean to be infected later?

          Interesting indeed. Looking forward to your update update.

          I wonder how long it'll be before Dell notices they've been rumbled and suspends this particular operation.

          1. elDog Silver badge

            Sounds like the shipments may have been diverted

            At least in the fine old USofA we've heard tales of shipments of equipment being detoured into warehouses where some minor alterations were performed. I'm guessing our common delivery systems (USPS, UPS, Fedex, etc.) are all part and parcel (sic) of this scheme.

            When the BIOS (or other components) can be changed, good luck finding the nimble fingers.

          2. Anonymous Coward

            Well, there are two possibilities:

            - they are randomly loading PCs with A/B images, some which have the dodgy certificate, and some without.

            OR

            - they shipped the bad certificate in an update after we deployed the machine.

            I'm just rebooting the machine now. I'll do a few more checks for updates and see if it pops up.

            I never checked to see if the certificate was present at the time of deployment: it is entirely possible it has been there the whole time.

            1. Anonymous Coward

              Okay, 3 update-reboot cycles later, still no certificate.

              This was both using Dell's update utility and Windows Update.

              So either they've been caught out and stopped it (and so this machine dodged a bullet), or they've been shipping select machines with this dodginess preloaded.

        2. Woodnag

          Not on my Inspiron E5550 built around 20 August 2015

          Running 8.1

          1. Woodnag

            Re: Not on my Inspiron E5550 built around 20 August 2015

            Per the removal instructions below, the fact I disabled the Dell Update and Dell Foundations services very soon in the setup procedure might mean it is coming in as an update through that route...?

  7. mrtom84

    Interesting

    I have recently been looking at getting a new laptop, and I was looking at the Dell website a week or two ago and I am nearly certain that I saw a banner citing spearfish as a reason not to consider rivals' products.

    Egg on face


Biting the hand that feeds IT © 1998–2019