back to article Superfish 2.0 worsens: Dell's dodgy security certificate is an unkillable zombie

The rogue root certificate in new Dell computers – a certificate that allows people to be spied on when banking and shopping online – will magically reinstall itself even when deleted. El Reg can confirm that the eDellRoot root CA cert, discovered over the weekend, automatically reappears when removed from the Windows …

  1. John Stoffel

    re-installed from one of the other Dell services that starts up?

    I bet it's re-isntalled by one of the other Dell services that starts up on bootup. Happy I don't have a dell to go through and check. Oh wait... I've got my wife's Windows 7 Dell to go through. Damn....

    1. LDS Silver badge

      Re: re-installed from one of the other Dell services that starts up?

      Yes, there are documented ways for privileged software to add certificates to the store, for example it's what some hardware security tokens do, they could add the on-board CAs to the Windows certificate store. People may have to hunt and neuter all Dell crappy code running on their machines... or reinstall from a clean copy of Windows.

      1. Dan 55 Silver badge

        Re: re-installed from one of the other Dell services that starts up?

        If it was done like Lenovo, it's the BIOS which does it and no clean version of Windows will help. The BIOS changes autochk.exe on Windows 7 partitions which is executed when booting. It also makes an executable available via ACPI for Windows 8 and 10 to pull from the BIOS when booting.

        http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/

        1. LDS Silver badge

          Re: re-installed from one of the other Dell services that starts up?

          If OEMs start to go rogue, it's time Microsoft vets software installed that way, and allows only MS approved (and signed) one. Unluckily, give an hammer to an idiot, and it will try to put a nail into your head, or crash it with the hammer alone.

          Maybe Dell should have spent some money in better managers and developers, instead of greed and clueless ones, before buying Emc.

    2. diodesign (Written by Reg staff) Silver badge

      Re: re-installed from one of the other Dell services that starts up?

      See the update to the story – it's reinstalled by a telemetry .dll from Dell. Delete that .DLL and the root CA cert should stay away when you next remove it.

      C.

      1. Wzrd1

        Re: re-installed from one of the other Dell services that starts up?

        What is certificate revocation again?

    3. JEDIDIAH
      Linux

      Re: re-installed from one of the other Dell services that starts up?

      It sounds like re-installing from scratch using OEM media should be the best practice used by geeks everywhere...

    4. Anonymous Coward
      Anonymous Coward

      interestingly, just experimenting with hardened Windows on Dell servers here

      (not a joke) but these hardened Windows (Dell) servers have only 8 certificates in their trusted root, compared to the 30 plus in a standard windows. . .

      why should the world+dog bother with the humungous exposure from all these unnecessary 'trusted items' - shouldn't all OS'es go down this 'hardened' 'trusted' route?

  2. elDog Silver badge

    Anyone else guess that some agency has replaced the BIOS/firmware?

    I've heard that many units (now, maybe all) go through a special step along the manufacturing line.

    Used to be that the agencies actually had to open up the units and exchange chips.

    Now they probably have Political Comrades standing next to the technicians to make sure that all State Directives are being carried out.

    Hey, excuse me!!! It's only because I live in the Land Of The Free that I'm paranoid.

    1. Bob Dole (tm)

      Re: Anyone else guess that some agency has replaced the BIOS/firmware?

      >> the Land Of The Free

      That is so last century, but you go on believing it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Anyone else guess that some agency has replaced the BIOS/firmware?

        It was never true, even last century.

        https://en.wikipedia.org/wiki/Unethical_human_experimentation_in_the_United_States

        https://en.wikipedia.org/wiki/List_of_whistleblowers

      2. Pascal Monett Silver badge

        Re: That is so last century

        I believe he was being ironic. Anyone with a brain knows that the USA is no longer the shining beacon of Liberty, Freedom and Justice for all that it used to be.

        1. Captain Badmouth
          Devil

          Re: That is so last century

          "I believe he was being ironic. Anyone with a brain knows that the USA is no longer the shining beacon of Liberty, Freedom and Justice for all that it never was in the first place."

          1. Nigel 11

            Re: That is so last century

            The land of the free?

            Not the USA any more, for sure. Switzerland? Iceland?

  3. Anonymous Coward
    Anonymous Coward

    Windows Platform Binary Table

    If you install Windows from (say) MSDN, instead of using a Dell supplied version, does the Windows Platform Binary Table install this dodgy root CA anyway?

    1. Anonymous Coward
      Anonymous Coward

      Re: Windows Platform Binary Table

      Because I wanted Win7 on my xps13, rather than win 10. I did a disk clean, formatted the disk as MBR and installed a virgin copy of Win7 from an original DVD. My machine does not have the edellroot certificate. Dell have citrixed into my machine since I did the install, to check out a problem. I still have no edellroot cert. All the drivers for the machine came from the Dell OEM Win7 drivers package.

    2. Electron Shepherd

      Re: Windows Platform Binary Table

      I think that the PE image that's supplied by WPBT isn't processed if booted in safe mode or booted to the WinRE.

      I don't have a Dell (of any age), so can't test this. Perhaps someone can oblige...

  4. AJ MacLeod

    I blame Microsoft.

    Did anyone really think that MS' "secure" boot was ever going to be either good for users or improve security in any meaningful way?

    1. asdf Silver badge

      Re: I blame Microsoft.

      Blame Intel even more for UEFI and its even more retarded cousin EFI32.

      1. Anonymous Coward
        Anonymous Coward

        Re: I blame Microsoft.

        The two faces of the same coin

      2. Mpeler
        Big Brother

        Re: I blame Microsoft.

        Not forgetting TPM, the various ring -2 shenanigans going on, Micro$oft "Device Guard", Intel AMT, and others. The various "remote management" tools can turn into manglement very quickly.

        And I don't think Intel and M$ are the only ones... just wait for the IoT wave to hit.

        Malware as a "service". Brought to you by M$, Intel, and their various three-lettered-friends...

  5. Nate Amsden Silver badge

    seems way overblown

    It's a CA, people seem to be worried if the CA gets compromised then their systems can be abused, how is it different from any other CA? Dell probably signs their software with this CA. Now if this cert doesn't come from Dell and is on Dell computers that may be more of an issue.

    It looks like the newer Firefoxes use the windows ssl keystore, at least on my firefox 38 ESR it seems to.

    On the list of things that may keep me up at night this dell thing(even if I had a dell system running windows) doesn't even register.

    Some random folks trying to get free press I suppose.

    1. Anonymous Coward
      Anonymous Coward

      Re: seems way overblown

      Nate, you're not really understanding the problem. Dell bundled the CA with it's private key. People can mint their own certs from that, which will be trusted by your PC (if you're using an affected Dell).

      1. Nate Amsden Silver badge

        Re: seems way overblown

        ok having the private key there is not good(didn't notice that bit).

        Still maintain it is overblown, this is a honest mistake I am sure and Dell also I'm sure be releasing an update to fix it. No malicious intent(again assuming this cert is from Dell and is not just forged to look like it is from them).

        Whether it is this or heartbleed or shellshock etc(more familiar with those since I don't deal in end user computing systems), so many alarmists out there behave like every little thing the world is going to come to an end because of it.

        (for another poster who captured my post - I don't delete my posts, with one exception I deleted one in a thread about el reg's new android app I wrote a long post on how it didn't work and then later realized I was not using the new app since you had to jump through hoops to get it, the post wasn't relevant because it was not about the software version in question).

        While I didn't notice that the private key was included my opinion still stands the situation is overblown. Dell will fix it.

        1. Anonymous Coward
          Anonymous Coward

          Re: seems way overblown

          Almost felt bad about calling you a dumbass until I saw your reply. You really need to quit digging at this point. Just because you don't care or understand computer security doesn't mean others who do are "alarmist".

        2. Steven Raith

          Re: seems way overblown

          "While I didn't notice that the private key was included my opinion still stands the situation is overblown."

          Duo Labs have already found a SCADA system using the eDell certificate on that thar interwebs.

          So yup. a total non-issue, as it's not like Dell is a global multinational that supplies a fuckton of compute hardware to industrial and government installations in everything from local government to the military, and who have already seen one of their competitors get utterly reamed fro doing the same thi....oh, wait.

          Steven R

          1. asdf Silver badge

            Re: seems way overblown

            Nate A is like the Ken M of computer security only Ken is actually hilarious when he trolls - https://www.reddit.com/r/KenM/

        3. This post has been deleted by its author

        4. Stevie Silver badge

          Re: seems way overblown

          Now you are on your own, Nate.

        5. Anonymous Coward
          Anonymous Coward

          Re: seems way overblown

          While I didn't notice that the private key was included my opinion still stands the situation is overblown. Dell will fix it.

          You're right, they'll fix it now that it's been discovered and reported. So, it won't become the problem for millions of PC's that it would have been, if it hadn't been discovered.

          For everyone affected by this presently (before it's fixed), there will need to be a good solution. Further down the comments, Jcsicard mentions how to disable the cert without removing it, so that it's non-functional and doesn't get reapplied. That sounds like a goer at the moment.

          1. Anonymous Coward
            Pint

            Re: seems way overblown

            Cheers davidp231

            Much obliged :D

            ------------------->

            @AC immediately above:

            Well it's a good job the big corporations have taken to using DMCA style menaces to suppress embarrassing public disclosures of discovered vulnerabilities then... :-(

    2. I Am Spartacus

      Re: seems way overblown

      Ah, I see you have the old head-in-the-sand approach to security.

      Everyone says that "this is a bad thing", but because you don;t understand how the M-I-T-M attack works and why a compromised root CA cert is not a good thing, then it can't be a problem.

      Tell me, out of interest, are you related to the e Ravenous Bugblatter Beast of Traal (such a mind-bogglingly stupid animal, it assumes that if you can't see it, it can't see you — daft as a brush, but very very ravenous)?

      1. davidp231

        Re: seems way overblown

        Maybe they should be forced to listen to some Vogon poetry as penance for their sins...

        1. Anonymous Coward
          Anonymous Coward

          Re: seems way overblown

          "Maybe they should be forced to listen to some Vogon poetry as penance for their sins... "

          Pretty certain that shit is part of the problem. Not a solution.

          >;)

          1. davidp231
            Pint

            Re: seems way overblown

            "Pretty certain that shit is part of the problem. Not a solution."

            Touche... have an upvote ;)

        2. Nigel 11

          Re: seems way overblown

          ... before being thrown out of the airlock anyway?

    3. Anonymous Coward
      Anonymous Coward

      Re: seems way overblown

      >It's a CA, people seem to be worried if the CA gets compromised then their systems can be abused, how is it different from any other CA? Dell probably signs their software with this CA. Now if this cert doesn't come from Dell and is on Dell computers that may be more of an issue.

      >It looks like the newer Firefoxes use the windows ssl keystore, at least on my firefox 38 ESR it seems to.

      >On the list of things that may keep me up at night this dell thing(even if I had a dell system running windows) doesn't even register.

      >Some random folks trying to get free press I suppose.

      Just capturing his original post so when the inevitable delete of the post comes future viewers can still revel in his ignorance. Yeah I'm kind of a dick like that and AC on top of it as well lol.

      1. Stevie Silver badge

        Just capturing his original post

        Well you could have done a better job marking it up.

        Personally I don't get why you are all being such dickheads. The first AC answered the post with an informative response. Job done, done nice and concisely.

        The rest of you added about as much value as this borked certificate adds to the Dell Security Profile. No wonder people don't come to the community to educate themselves on issues like this. Some community.

        1. Anonymous Coward
          Anonymous Coward

          Re: Just capturing his original post

          >No wonder people don't come to the community to educate themselves on issues like this. Some community.

          Who says they don't? You? Probably the vast majority of people read the article and don't even look at the snark underneath. Honestly the El Reg posting community is still much better than most posting systems out there. 4Chan and Kinja come immediately to mind as being far more salty and or down right disturbing.

          1. Anonymous Coward
            Anonymous Coward

            Re: Just capturing his original post

            The only reason to read the articles is the read the snark in the comments.

            1. A K Stiles
              Joke

              Re: Just capturing his original post (The only reason...)

              Sometimes I go back and read the articles to understand what all the snark is about!

              (yes, check the icon...)

              1. Ben Tasker Silver badge

                Re: Just capturing his original post (The only reason...)

                Whether it is this or heartbleed or shellshock etc(more familiar with those since I don't deal in end user computing systems), so many alarmists out there behave like every little thing the world is going to come to an end because of it.

                Both of which (particularly Shellshock) were a big deal if left unpatched. I don't think anyone has insinuated the world is going to end, but those were some pretty big holes, and Shellshock in particular was a trivially easy way to gain a remote shell on affected systems. In syadmin/security land that's a BFD if any of those affected systems fall under your stewardship.

        2. Anonymous Coward
          Anonymous Coward

          your point is more valid if the original poster wasn't a clueless dumbass

          Also I have found if you ask other posters polite questions and are genuinely trying to learn something as opposed to flat out completely assessing the situation incorrectly due to ignorance and then on top try to question others motives you can get much further on these forums.

  6. Probie

    Never trusted a Factory installed image in my lifetime...

    Seems I have good reason not to start now ....

  7. John H Woods Silver badge

    I am really desperate ...

    ... for some law student to demonstrate whether there is a potential for prosecution in cases like these. As far as I am concerned, a ready-trojanned machine is not 'fit for purpose' given the fairly well understood purposes of consumer computers.

    As for "privacy is a top concern" it should be criminal offence to make this statement when it is clearly false, certainly when that is through incompetence in failure to protect (Talk Talk etc) but most definitely when it is due to a deliberate weakening of security for purposes that are of no benefit whatsoever to the user.

  8. GregC

    That word again...

    Telemetry.

    If I never hear it again I'll die happy. Sadly that won't happen.

    Hint for the unaware: 'telemetry' = spying on you.

  9. Anonymous Coward
    Anonymous Coward

    Why TF are they doing this with a root CA certificate?

    Yes, sure, use X.509 certificates. But why a bloody CA certificate?

    The certificate should have been a client certificate. Generated on the local host, submitted to Dell as a CRL, then signed with a CA certificate hosted within Dell's datacentres.

    Better yet would be to give the user the choice of opting into this kind of telemetry, but that's a side issue. YOU ARE DOING IT WRONG, DELL!

  10. Jcsicard

    Don't delete: disable all certificate purposes!

    Don't delete the eDellRoot cert; instead disable all certificate purposes by editing the certificate and selecting the "disable all certificate purposes" radio button.

    After doing that, the test webpage fails the ssl validity checks (as it should) and the setting persists reboots (at least it did for me on win10 home)

  11. djack

    Service Tag

    If memory serves, the service tag does a lot more than identity the model of the machine. It is the serial number and is tied to the original order. You can see all of the spec customisation and Dell presumably can identify the person who ordered the system in the first place.

  12. Kraggy

    The degree of cluelessness here on Dell's part is staggering, especially from a company whose origins are as storied as this one.

  13. Fitz_

    Hang on a minute...

    Shouldn't the story angle here be how anyone who removes these CAs are borking the proper operation of a Dell computer over 'privacy concerns' (complete with sneer quotes)?

    Perhaps we could have a picture of Michael Dell looking crestfallen while behind him a photoshopped picture of users laughing and pointing at him with a suitably snippy quote along the lines of '...and then we said it was due to 'increased risk' *snigger*'.

    Link

  14. Rene Schickbauer

    Solution

    Added Dell to my blacklist for all current and future projects (no time limit, all product ranges).

    1. Little Mouse

      Re: Solution

      Dell were already on my naughty step for the shoddy lower-than-usual-spec "badged" components that they would install into new PCs. Do they still do that?

      1. This post has been deleted by its author

      2. Anonymous Coward
        Mushroom

        Re: Solution

        "Do they still do that?"

        Got that (reasonably) under control some years ago.

        My blacklist is getting rather long. It probably won't be much time before there are only real* Chinese firms left.

        *No, not you Lenovo. Sit back down.

        1. Bronek Kozicki Silver badge

          Re: Solution

          I put Dell on my shit-list when they refused to service 30" LCD monitor I bought from them, and soon after damaged in a small accident involving heavy object hitting LCD panel. I said I would pay for a new panel as long as the service cost was competitive compared to a new monitor, but they said they can only sell me a new monitor at RRP (which at the time was well over 20% more than same monitor bought in the shops)

    2. fajensen Silver badge

      Re: Solution

      Dell follows The Way of Amstrad: Great kit back in the 1980's, sucky crap forever after.

  15. Joe Harrison Silver badge

    Simple way to kill it

    It's been said before in the other thread but just move it to the "untrusted certificates" bit of certmgr.msc.

    Yes it will come back again into the list of root CAs but will also remain in the untrusted list therefore will not actually work.

    Then at your leisure you can do the DLL hacking if you still want it completely gone.

  16. TeeCee Gold badge

    And the real problem is.....

    The certificate........contains a private key that can be extracted....

    A bit more here would be useful as, from where I'm sitting, that would seem to be the actual problem rather than the existence of the damned thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: And the real problem is.....

      What more do you need?

      1) Dell installed a backdoor (root cert) on the machines they were selling.

      2) Dell leaked* the keys to the backdoor they'd planted in their machines.

      * In spectular style, to *E-V-R-Y-O-N-E*

      Take your pick of "actual problem"

      1) Dell is backdooring the machines they sell.**

      2) Dell an utterly incompetent shambles incapable of operating a simple security cert management operation.**

      3) Dell has exposed its victims and the networks to which they connected to an actively exploited critical vulnerability.**

      4) Dell cannot revoke their backdoor cert and must rely on updates and informed victims to correct the problem. Some victims may remain exposed for years to come.

      5) Zombie armies are bad.

      etc..

      **"Trust"

  17. -v(o.o)v-

    HPKP would detect and block this MITM as long as the MITM does not strip the header. And again DANE would have completely mitigated this.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019