Another root CA cert with key found on Dell’s machines

The main piece of news on Monday was that Dell’s desktop PCs and laptops shipped since August 2015 contain a root CA certificate (eDellRoot) complete with the private cryptographic key for it. Attackers could use this key to impersonate websites and deliver signed malware that will automatically be trusted.

But, as it turns out, this is not the only pre-installed root certificate with a bundled private key that can be found on these computers, nor is it the only potential security failing.

A second root certificate was found on Dell laptops yesterday by Hanno Böck. Dubbed DSDTestProvider, the certificate is also self-signed and ships with its private key, and it exposes users to the same dangers as the previous one.

“Dell System Detect (DSD) is an application that runs on your Windows-based PC or Tablet with your permission and interacts with the Dell Support website. DSD is pre-installed on some Dell systems. DSD installs a trusted root certificate (DSDTestProvider) that includes the private key,” Carnegie Mellon University’s CERT explained.

“An attacker can generate certificates signed by the DSDTestProvider CA. Systems that trust the DSDTestProvider CA will trust any certificate issued by the CA. An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data. Common attack scenarios include impersonating a web site, performing a MiTM attack to decrypt HTTPS traffic, and installing malicious software.”

To protect themselves, users are advised to stop trusting the DSDTestProvider certificate. As Dell has yet to publish instructions on how to do it – or acknowledge the existence of the cert – users can use the Windows certificate manager (certmgr.msc) to move the offending cert from the Trusted Root Certification Authorities store to Untrusted Certificates. Placing it in Untrusted Certificates rather than simply deleting it means Windows keeps treating it as distrusted even if the application that installed it puts it back.
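The same check and clean-up can be scripted. The following is an added example written for this article, not code from Dell, CERT or the researchers quoted here; it assumes that both certificates carry the names eDellRoot and DSDTestProvider in their Subject field and that they may sit in either the machine-wide or the current user's Trusted Root store. It lists every match together with whether the private key is present on the box, then moves each one into the Untrusted Certificates (Disallowed) store. Run it from an elevated PowerShell prompt so the LocalMachine store is writable.

```powershell
# Added example (not from the article or from Dell): locate the eDellRoot and
# DSDTestProvider root certificates and move them from Trusted Root to
# Untrusted Certificates using the .NET X509Store API.
# Assumption: the certificates can be recognised by these CN values.
$suspectPattern = 'CN=(eDellRoot|DSDTestProvider)\b'

function Find-SuspectRootCert {
    # Returns certificates in the Trusted Root store of the given location
    # (LocalMachine or CurrentUser) whose Subject matches the suspect pattern.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    )
    Get-ChildItem -Path "Cert:\$Location\Root" |
        Where-Object { $_.Subject -match $suspectPattern }
}

function Move-CertToDisallowed {
    # Adds the certificate to the Disallowed (Untrusted Certificates) store and
    # removes it from Root. An entry in Disallowed wins over Root, so trust
    # does not come back if the installer re-adds the certificate later.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location
    )
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', $Location)
    $root.Open('ReadWrite')
    $disallowed.Open('ReadWrite')
    try {
        $disallowed.Add($Cert)
        $root.Remove($Cert)
    } finally {
        $disallowed.Close()
        $root.Close()
    }
}

function Get-RemainingSuspectCount {
    # Counts suspect certificates still trusted in either location; 0 means clean.
    $count = 0
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $count += @(Find-SuspectRootCert -Location $location).Count
    }
    return $count
}

# Report, then distrust, in both store locations.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($cert in Find-SuspectRootCert -Location $location) {
        # HasPrivateKey is the telling detail: a root CA certificate whose
        # private key is present on the client should never be trusted.
        Write-Output ('{0}\Root: {1} thumbprint={2} privateKeyPresent={3} expires={4}' -f
            $location, $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey, $cert.NotAfter)
        Move-CertToDisallowed -Cert $cert -Location $location
    }
}

if ((Get-RemainingSuspectCount) -eq 0) {
    Write-Output 'No eDellRoot or DSDTestProvider certificate remains in a Trusted Root store.'
} else {
    Write-Warning 'Suspect root certificates are still trusted; re-run elevated.'
}
```

Because the certificate is installed by software that stays on the machine (Dell System Detect and Dell Foundation Services), it is worth re-running the report part after any Dell support tool update, and worth checking `Cert:\LocalMachine\Disallowed` afterwards to confirm the entries landed there.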

“If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications. I suggest ‘international first class’, because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking,” Errata Security’s Robert Graham commented on the situation.

“I point this out in order to describe the severity of Dell’s mistake. It’s not a simple bug that needs to be fixed, it’s a drop-everything and panic sort of bug. Dell needs to panic. Dell’s corporate customers need to panic.”

Another security issue is the unique Dell service tag that every Dell computer carries, which can be read by websites and used to track the user online.

There’s even a proof-of-concept site that demonstrates this. The tag/ID can be extracted from Dell computers running Dell Foundation Services, the remote support component that installs the aforementioned eDellRoot certificate.

“Fraudulent computer support services, which claim to be from Microsoft or another well-known company in an attempt to gain control of a target’s machine, could also use the identifier to make their ruse more convincing,” Ars Technica’s Dan Goodin also noted.