Certificate on Dell Laptops Breaks Encrypted HTTPS Connections
https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html
Similarly to how Lenovo was found earlier this year to have included the malicious Superfish root certificate on its new laptops, to "enhance" the user experience with targeted ads, Dell has now been found to include its very own root certificate, called eDellRoot.

The certificate, which is installed in the system's certificate store under the name "eDellRoot", is installed by software called Dell Foundation Services. This software is still available on Dell's web page. According to the somewhat unclear description from Dell, it is used to provide "foundational services facilitating customer serviceability, messaging and support functions". While Dell claims it was provided for user support, and there is no evidence that it is being used to inject ads as in the Superfish case, this is still a huge security issue: anybody with access to the private key (which has already been extracted and posted online) can perform MITM attacks on any user with the eDellRoot CA installed.

Tags: ssl superfish dell certificates
Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections
Hanno's blog, Monday, November 23. 2015

tl;dr: Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check; affected users should delete the certificate.

It seems that Dell hasn't learned anything from the Superfish scandal earlier this year: laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has now been published. Therefore attackers can use man-in-the-middle attacks against Dell users to show them manipulated HTTPS web pages or read their encrypted data.

The certificate, which is installed in the system's certificate store under the name "eDellRoot", is installed by software called Dell Foundation Services. This software is still available on Dell's web page. According to the somewhat unclear description from Dell, it is used to provide "foundational services facilitating customer serviceability, messaging and support functions".

The private key of this certificate is marked as non-exportable in the Windows certificate store. However, this provides no real protection; there are tools to export such non-exportable certificate keys. A user of the platform Reddit has posted the key there.

For users of the affected laptops this is a severe security risk. Any attacker can use this root certificate to create valid certificates for arbitrary web pages. Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies.

I was made aware of this issue a while ago by Kristof Mattei. We asked Dell for a statement three weeks ago and didn't get any answer.

It is currently unclear what purpose this certificate served. However, it seems unlikely that it was placed there deliberately for surveillance purposes; in that case Dell wouldn't have installed the private key on the system.

Only users of browsers or other applications that use the system's certificate store are affected. Among the common Windows browsers this affects Internet Explorer, Edge and Chrome. Firefox users are not affected: Mozilla's browser has its own certificate store.

Users of Dell laptops can check if they are affected with an online check tool. Affected users should immediately remove the certificate in the Windows certificate manager. The certificate manager can be started by clicking "Start" and typing "certmgr.msc". The "eDellRoot" certificate can be found under "Trusted Root Certificate Authorities". You also need to remove the file Dell.Foundation.Agent.Plugins.eDell.dll; Dell has now posted instructions and a removal tool.

This incident is almost identical to the Superfish incident. Earlier this year it became public that Lenovo had preinstalled software called Superfish on its laptops. Superfish intercepts HTTPS connections to inject ads. It used a root certificate for that, and the corresponding private key was part of the software. After that incident several other programs with the same vulnerability were identified; they all used a software module called Komodia. Similar vulnerabilities were found in other software products, for example in Privdog and in the ad blocker Adguard.

This article is mostly a translation of a German article I wrote for Golem.de.
Image source and license: Wistula / Wikimedia Commons, Creative Commons by 3.0

Posted by Hanno Böck in Cryptography, English, Security at 17:39 | Comments (4) | Trackbacks (0)
Defined tags for this entry: browser, certificate, cryptography, dell, edellroot, encryption, https, maninthemiddle, security, ssl, superfish, tls, vulnerability

Comments

It's not just laptops, it's their desktops too. There's a Dell XPS 8700 desktop here that I have confirmed has the bad certificate. There's a second one that we've set up for our office network but haven't yet pressed into service, and I'm thinking there's a good chance it has the certificate too. I've deleted it from the machine I checked. I'll have to locate the other one. http://forums.theregister.co.uk/forum/containing/2705367 suggests that it re-incarnates after deletion too. I'll be keeping a close eye on that machine though to see if the certificate comes back.
#1 Stuart Longland on 2015-11-23 21:24

You get rid of the certificate by performing the following actions:
1) Stop and disable Dell Foundations Service
2) Delete the eDellRoot CA registry key here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\98A04E4163357790C4A79E6D713FF0AF51FE6927
Then reboot and test.
#2 qasimchadhar on 2015-11-23 22:16

Just tried your instructions, sort of (I did the deletion first through certmgr.msc). Stopped and disabled the "Dell Foundations Service", then did a reboot. So far, so good. We'll be keeping an eye on the affected machine. We have two machines both bought the same day; one has the certificate, the other does not. The one without was kept in a box the past month. Not sure if the bad certificate has always been on the affected box or if it was since downloaded. Apparently the certificate is being revoked automatically for some: http://forums.theregister.co.uk/forum/containing/2705481
#2.1 Stuart Longland on 2015-11-24 00:04

Hi, I'm Laura and I work for Dell. Customer security and privacy is a top concern and priority for Dell, so I apologize that your attempts to contact us went unanswered. The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support. We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.
#3 Laura P Thomas on 2015-11-24 04:10
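The removal steps in the post (certmgr.msc, the Dell.Foundation.Agent.Plugins.eDell.dll file) and the registry key in comment #2 can be turned into one audit script for a fleet. This is an added example, not code from the post or from Dell; it assumes the registry key name in comment #2 is the certificate's SHA-1 thumbprint (that is how Windows names keys under SystemCertificates\ROOT\Certificates), and the service display-name pattern and the DLL search directories are my assumptions, since the page gives neither.

```powershell
# Added example: audit (and with -Remove, clean up) the eDellRoot root certificate.
# Assumptions: thumbprint = registry key name from comment #2; service display name
# and DLL directories are guesses not given on the page. Run in an elevated shell.
param([switch]$Remove)   # without -Remove the script only reports

$Thumbprint = '98A04E4163357790C4A79E6D713FF0AF51FE6927'
$DllName    = 'Dell.Foundation.Agent.Plugins.eDell.dll'
$Findings   = New-Object System.Collections.Generic.List[string]

# 1. Root stores consulted by IE, Edge and Chrome (Firefox has its own store and
#    is not affected). Match on thumbprint, with the subject name as fallback.
foreach ($Store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $Hits = Get-ChildItem -Path $Store |
        Where-Object { $_.Thumbprint -eq $Thumbprint -or $_.Subject -like '*eDellRoot*' }
    foreach ($Cert in $Hits) {
        # HasPrivateKey is the decisive detail: a trusted root whose signing key
        # sits on the machine is what makes every HTTPS site forgeable.
        $Findings.Add("$Store : $($Cert.Subject) thumbprint=$($Cert.Thumbprint) privateKey=$($Cert.HasPrivateKey)")
        if ($Remove) { Remove-Item -Path $Cert.PSPath -DeleteKey -Force }
    }
}

# 2. The service that (re)installs the certificate. Display-name pattern assumed.
foreach ($Svc in Get-Service -DisplayName 'Dell Foundation*' -ErrorAction SilentlyContinue) {
    $Findings.Add("service: $($Svc.Name) ($($Svc.DisplayName)) status=$($Svc.Status)")
    if ($Remove) {
        Stop-Service -Name $Svc.Name -Force
        Set-Service  -Name $Svc.Name -StartupType Disabled
    }
}

# 3. The plugin DLL named in the post. Search roots are assumed.
$SearchRoots = @("$env:ProgramFiles\Dell", "${env:ProgramFiles(x86)}\Dell") | Where-Object { Test-Path $_ }
if ($SearchRoots) {
    foreach ($Dll in Get-ChildItem -Path $SearchRoots -Recurse -Filter $DllName -ErrorAction SilentlyContinue) {
        $Findings.Add("file: $($Dll.FullName)")
        if ($Remove) { Remove-Item -Path $Dll.FullName -Force }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'eDellRoot: nothing found'
} else {
    $Findings | ForEach-Object { Write-Output "eDellRoot: $_" }
    if ($Remove) { Write-Output 'Removed. Reboot and re-run to confirm the certificate did not come back.' }
    exit 1   # non-zero exit so the script can gate a fleet-wide check
}
```

Re-running after a reboot covers the reinstallation concern raised in the comments: a clean second run means the certificate, the service and the DLL are all gone.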