this year was arguably the worst security flaw since the Sony rootkit debacle of ten years ago. Multiple IdeaPad product lines were shipped with a self-signed HTTPS certificate that could be used to spoof the secure connection that using HTTPS is supposed to guarantee. In simple terms: Laptops with Superfish installed couldn’t actually verify if the banking sites or e-commerce destinations they connected to were actually the sites they claimed to be. There was no simple way to remove the software, and users were forced to jump through multiple hoops to resecure a system. Now, Dell appears to have done something similar, though the investigation is still ongoing.
According to programmer Joe Nord, Dell is shipping a self-signed certificate called eDellRoot. It expires in 2039 and is intended to be used for “All” purposes. Further poking revealed that the user has a private key that corresponds to the certificate, as shown below:
This is a serious problem. In order for cryptography to work, there must be two keys — a public key and a private key. The public key is used to encrypt messages transmitted to the server, while the private key is used by the server to decrypt those messages. The entire concept of public-key cryptography relies on the private key remaining private. Because it’s computationally impractical to derive the private key from analyzing public keys, public keys can be distributed everywhere, while the private keys used to decrypt the information remain under lock and key.
Shipping a computer with a private key already installed means that the key can be extracted and used to sign certificates for fraudulent websites. Dell computers with the eDellRoot certificate installed will not recognize that these websites are fraudulent, because the trusted root they rely on to make that judgment has vouched for them.
What’s missing from this picture is any sense of why the eDellRoot key is installed on Dell laptops in the first place. In Lenovo’s case, it compromised user security and broke the entire HTTPS model to ship a lousy bit of adware that supposedly enabled “Visual search.” Lenovo later claimed that the revenue it earned from Superfish was tiny, which made sense, but didn’t explain why the company had broken HTTPS security in order to earn a trifling bit of cash.
Dell’s eDellRoot certificate doesn’t seem tied to any specific service or capability. It’s not linked to malware or customer complaints the way Superfish was, and it’s not clear how many systems have shipped with the certificate installed. So far, we’ve seen reports that at least some Inspiron 5000 models are affected. These are Windows 10 machines shipping nine months after Superfish.
The world of OEM systems is cutthroat, with thin margins and aggressive product positioning, but this isn’t exactly a feature anyone asked Dell to copy from Lenovo. It’s not clear yet how large the problem is, but testing has shown that systems with the eDellRoot certificate installed will establish connections to clearly fraudulent sites.
Wondering if your own Dell machine has this problem? This test site is designed to test if your system has eDellRoot installed — if your Dell connects to the link without error when using IE or Chrome, you’ve got an eDellRoot problem. According to Ars Technica, Firefox still reports that the site has certificate issues. Researchers have also apparently told Ars that this certificate can be used to sign applications, bypassing malware checks.
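For readers who would rather inspect the machine directly than rely on a test web page, the PowerShell below is an added example, not code from this article or from Dell. It walks the machine-wide and per-user trusted-root stores for a certificate whose subject matches eDellRoot (the name pattern is an assumed parameter, since the article does not give the certificate's thumbprint) and reports the three properties that make such a root dangerous: it is self-signed, it is valid for every purpose (an empty enhanced-key-usage list), and its private key is present on the system.

```powershell
# Added example (not from the article or from Dell): inventory trusted-root stores
# for a root named eDellRoot and report why its presence matters.
function Find-SuspectRoot {
    param(
        # Assumed: match on the certificate subject; the article names it eDellRoot
        [string]$NamePattern = 'eDellRoot'
    )
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$NamePattern*" } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A root whose subject equals its issuer signed itself
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    # No EKU entries means the certificate is trusted for all purposes
                    AllPurposes   = ($_.EnhancedKeyUsageList.Count -eq 0)
                    # True when the private half of the key pair lives on this machine
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$findings = Find-SuspectRoot
if (-not $findings) {
    Write-Output "No trusted root matching 'eDellRoot' was found."
} else {
    $findings | Format-List
    $findings | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        Write-Warning ("Root '{0}' in {1} has its private key on this machine; " +
                       "TLS connections validated through it cannot be trusted until it is removed." -f
                       $_.Subject, $_.Store)
    }
}
```

A root that is merely present in the store is already a problem, but the HasPrivateKey column is the one that matches the article's finding: a root whose private key ships on every affected laptop can be used by anyone to mint certificates those laptops will accept. The certificate object's path (its store joined with its thumbprint) can be passed to Remove-Item to delete it from the store, which requires an elevated session for the LocalMachine store.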
We’ve reached out to Dell, who provided the following statement:
Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information.
We’ll update you as we have more information.