Dell computers bundled with backdoor that blurts hardware fingerprint to websites

Dell ships Windows computers with software that lets websites slurp up the machine's exact specifications, warranty status, and other details without the user knowing. This information can be used to build a fingerprint that potentially identifies a person while she browses across the web. It can be abused by phishers and …

  1. oldtaku
    Facepalm

    Too dumb to know not to do this

    Once you turn over the rock it's rarely only one slimy multilegged monstrosity scurrying for cover.

    If they were dumb enough to do eDellRoot then there's nothing they're too dumb for, so we can expect a lot more of this. *popcorn*

    1. MacroRodent Silver badge

      Re: Too dumb to know not to do this

      I wonder how many other PC/Laptop manufacturers are as "rude"? I know Lenovo got caught. I fear the answer is "all of them", but some have just not been caught yet.

  2. This post has been deleted by its author

  3. Anonymous Coward

    Tor angle?

    All a website has to do is, in JavaScript, request this URL:

    http://localhost:7779/Dell%20Foundation%20Services/eDell/IeDellCapabilitiesApi/REST/ServiceTag

    TorBrowser defaults to JS on (for your pleasure) so I wonder if this splaff-my-identity-ruse is effective there. Anyone afflicted with an afflicted Dell willing to try?

    1. Anonymous Coward

      Re: Tor angle?

      Let's face it, using a corporate Windows image when trying to browse anonymously using Tor is dumb for oh so many reasons.

      Really, boot a Linux live CD, or better still a Tor-specific distro like Tails:

      http://www.linuxjournal.com/content/linux-distro-tales-you-can-never-be-too-paranoid

      Posting as AC because...well it just seems wrong not to...

  4. Anonymous Coward

    Thing is, the Dell Service Tag pretty much only nails you down to the model. For enterprises, this is generally made in bulk purchases, meaning knowing the service tag won't get you down to the individual machine.

    1. Voland's right hand Silver badge

      You missed the point

      It is exactly what Mbeki from the Dell Service Department in Lagos needs. He also needs your credit card number and the CVV code, but that is something he will get via a minimum amount of social engineering.

    2. Kobblestown

      "the Dell Service Tag pretty much only nails you down to the model"

      I'm not a Dell Support Specialist but AFAIK the service tag is unique to each machine. And any third party can obtain the details of said machine by entering it manually in a Web form - I've done that for a couple of my machines.

      1. Roland6 Silver badge

        >And any third party can obtain the details of said machine by entering it manually in a Web form

        I've done that several times over the years with Dell/HP/Lenovo kit in SMBs - it has caught out several third-party suppliers who have invoiced for an agreed configuration and actually ordered a cheaper configuration from Dell - typically on servers they've sold the Dell 3yr premium package but only purchased from Dell the standard 1yr "Collect & Return" hardware support - generating them an additional ~30% profit on the transaction...

        I've also done it to confirm when particular machines were purchased - recently this allowed me to argue the case that a group of machines shouldn't be given to the hardware supplier for scrapping, but be reused within the organisation; the machines had been purchased, by their previous IT manager from a different supplier, 28 months previously...

    3. Anonymous Coward

      > "Thing is, the Dell Service Tag pretty much only nails you down to the model."

      Nope, it ties against serial number and gives you all the information about that model. Where I work, we buy in bulk (10,000+/year), and tie the machine's domain name to the service tag on delivery - this is stored in our support DB, and our support system queries Dell's site, so when people log tickets, we can see the full spec, etc.

  5. busycoder99

    Doesn't affect Dells running Linux I presume? Get this on a M4800 running Mint:

    Request failed, probably not a Dell, or Tribbles (Dell Foundation Services) isn't installed

    1. Anonymous Coward

      I would assume so, but then again, it is not beyond the bounds of stupidity corporate assistance to have something in the BIOS to respond to packets irrespective of the OS running.

      https://en.wikipedia.org/wiki/System_Management_Mode

  6. Anonymous Coward

    At least the Windows 10 operating system is not phoning home...

    ... and no-one is collecting information from Google Chrome, and your AVG is not sending back your details, and tracking cookies are not being used to identify you, and your internet traffic not monitored.

    Welcome to IT - where you and your information is a tradable commodity and your government collects all of it.

    1. Tree
      Pirate

      Re: At least the Windows 10 operating system is not phoning home...

      Who would think that Michael Dell and Bill Gates would act as pirates? - Stealing your private info that is none of their business. I heard they both despise piracy. It's only when their own stuff is being stolen that they are against piracy.

      Gates also is behind some of the collections of data about your children to be used by users who you do not know even though you do not want the information to be shared. If that stuff is in the "cloud" it can likely be accessed by the worst kind of people, such as the Commies, Musselmen and even Goooogle.

  7. J__M__M

    Maybe it's just me

    but I'd be more worried about the fact that Dell has the capability to push a fix.

  8. Anonymous Coward

    What else does that REST endpoint do?

    The ServiceTag is but one call. What else can it do?

    It'll be funny - but entirely plausible - if arbitrary commands can be issued (even if not by design).

  9. Simple Simon

    Genuine Question

    It's a genuine question - so don't go flaming:

    How does this work? You can't do a cross domain JS call in the browser. Calling localhost is calling cross domain, surely?

    1. albaleo

      Re: Genuine Question

      Not sure, but I think the web page is making a jsonp call. I think that requires support/complicity on the server side.

    2. joepie91

      Re: Genuine Question

      Yeah, you can. You just can't read the response - *unless* the endpoint in question has misconfigured CORS headers, which I suspect to be the case here. Same thing as with Hola, really.
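
The CORS point made in the reply above, as an added example that is not part of the thread or of Dell's software: a simplified model of the browser's cross-origin read check, used to audit what a local service's response headers would let a foreign page read. The function names, the probe origin and the sample services are assumptions constructed for illustration.

```javascript
// Case-insensitive header lookup; returns the trimmed value or undefined.
const header = (headers, name) => {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]).trim() : undefined;
};

// Simplified browser CORS read check for a simple GET (no preflight).
// The request is always sent; this decides whether page script may READ the reply.
function corsAllowsRead(pageOrigin, headers, withCredentials = false) {
  const acao = header(headers, "access-control-allow-origin");
  if (acao === undefined) return false; // response stays opaque to the page
  if (withCredentials) {
    // A wildcard is never honoured for credentialed requests.
    return acao === pageOrigin &&
      header(headers, "access-control-allow-credentials") === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Audit a service, modelled as a function origin -> response headers.
function auditLocalService(respond, trustedOrigins) {
  const probe = "https://untrusted.example"; // constructed origin the service should not trust
  const findings = [];
  const reply = respond(probe);
  if (corsAllowsRead(probe, reply)) {
    const acao = header(reply, "access-control-allow-origin");
    findings.push(acao === "*" ? "wildcard-origin" : "reflects-arbitrary-origin");
  }
  for (const origin of trustedOrigins) {
    if (!corsAllowsRead(origin, respond(origin))) findings.push("blocks-trusted:" + origin);
  }
  return findings;
}

// Constructed sample services (not taken from the Dell software).
const TRUSTED = "https://support.vendor.example";
const wildcard = () => ({ "Access-Control-Allow-Origin": "*" });
const reflecting = (origin) => ({ "access-control-allow-origin": origin });
const allowlist = (origin) => (origin === TRUSTED ? { "Access-Control-Allow-Origin": origin } : {});
const noCors = () => ({ "Content-Type": "application/json" });

for (const [name, svc] of Object.entries({ wildcard, reflecting, allowlist, noCors })) {
  console.log(name, auditLocalService(svc, [TRUSTED]));
}
```

An empty findings list means only the allowlisted origin can read the reply; a service that sends no CORS headers at all still receives the request, which matters if the endpoint has side effects.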

  10. theOtherJT

    Anyone else remember when...

    you used to go to the website for... pretty much anything really... and there was a "Support" button, and when you clicked the support button it had a little text box you typed your product ID into and it came up with a nice text heavy page full of detailed descriptions of what things did, along with direct links to an FTP site to get you the latest versions of those things?

    No "Would you like me to detect your hardware?" - because 90% of the time the reason you are here is because the hardware is acting up and so you're actually using a different machine.

    No "Would you like to take a survey?" - because the only thing I've ever wanted to put in those is "I want you to stop interrupting me when I'm trying to get shit done"

    No "Please read 37 pages of licencing before I release the download button" - because... because why? I mean, really, why? What _possible_ licencing term could there be that applies to a soundcard driver that would require me to read all that oh, and STOP BREAKING WGET YOU BASTARDS.

    In that world - before companies decided that all their users had to be treated like dribbling morons and had to be poked and prodded and directed every tiny step of the way - shit like this didn't happen!

    Stop trying to save people from themselves, Dell, YOU'RE. NOT. HELPING.

    1. Phil Kingston Silver badge

      Re: Anyone else remember when...

      You managed to get a driver download with only those obstacles?

      What about the animated, fly-in "Please take a minute to complete our survey" that seems compulsory on any tech support site these days?

    2. Anonymous Coward

      Re: Anyone else remember when...

      Yup.

      And for crying out loud, don't say you're unhappy with anything in a survey - this isn't what they want you to do. You will be hunted down when busy and Made To Understand ® that you haven't identified a flaw in their scripted support, you just don't understand why they use scripts.

      Just say everything's shiny.

  11. Anonymous Coward

    Ok

    This is a shitty exploit.

    But how is it any different to the bazillions of Belarc reports you can get dorking google?

    Or the gaziliquadramillitrillions of belarc portals that have default passwords set?

    intitle:”Belarc Advisor Current Profile” intext:”Click here for Belarc’s PC Management products, for large and small companies.”

    Or the endless network audit reports from other tools that are probably equally as trivial to find?

    Forget cold calling a typical luser, what about the software keys that could be mined?

    I've never seen a news report or a solid journalistic investigation into that.

    C'mon El Reg. Do some proper journalism. I'm begging you.

    Sack all the hacks and get some IT experts in.

  12. Steve Crook
    Headmaster

    You can do better

    "fingerprint that potentially identifies a person while she browses across the web"

    Are you saying this only affects women? Alternatively, you could do this:

    "fingerprint that potentially identifies people while they browse across the web"

    And avoid looking like someone hamstrung by gender issues :-)

    1. John 104

      Re: You can do better

      @Steve Crook

      Thank you. Glad to see that I'm not the only one who gets annoyed by that crap.

  13. ma1010 Silver badge
    Alert

    Just say no...

    ...to buying Dell.

    Unless you want to support "entrepreneurs" slurping your data.

    It really makes me wonder, though WHAT WERE THEY THINKING? Are they so stupid, or do they think everyone else in the world is so stupid, as to not realize how their actions affect the security of their users?

    After the recent discovery of all this insanity, I'm glad I bought the parts and built my own Linux machine.

    1. Anonymous Coward

      Re: Just say no...

      ...to buying a computer, full stop.

      There, FTFY.

      As someone else said, the customer is inherently worth a lot of money, so anyone and his/her mother is going to be eager to snap it up (before someone else does and runs them out of business). Since in this cutthroat world the only way to survive is to cheat, nice guys finish last and the only choice you get is who goes in after you bend over.

  14. Captain Badmouth
    Thumb Up

    Noscript?

    "All a website has to do is, in JavaScript, request this URL:"

    Another reason to run noscript on your win machine.
