Dell Danger! “Superfish 2.0” blunder: It gets worse

What part of private key did you not understand, Dell? #fail

Dell eDellRoot laptops Superfish
Dell, Inc.

Every single Dell desktop and laptop shipped since August contains three bogus root certificates, including eDellRoot. Not only that, but two certs include their own private keys! It’s like Superfish all over again... 

That means more than ten million computers were infected at source, allowing attackers to spoof secure websites. And they could install infected Windows updates, because the certificate is also able to sign code.

Oh, and if you try to remove eDellRoot, Dell’s bloatware reinstalls it. Nice.

What a freakin’ mess. Dell clearly learned nothing from Lenovo’s Superfish débâcle.

In IT Blogwatch, bloggers never tire of Slacker-Steve macros. Not to mention: Steve in happier times...

Your humble blogwatcher curated these bloggy bits for your entertainment.
[Developing story: Updated 5:48 am and 2:25 pm PST with more comment]

It's a “troubling” “blunder” by Dell. So says Dan Goodin, in Dell does a Superfish, ships PCs with easily cloneable root certificates:

Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate...HTTPS-protected website[s].

That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates. [It's a] troubling discovery.

The certificate can be used to sign applications so that they bypasses Microsoft malware checks [say] researchers...a finding that raises still more concerns.

What is clear now is that the eDellRoot certificate was generated two months after the Superfish debacle came to light. ... Ironically, Dell...publicly capitalized on the Superfish debacle even as it engaged in a blunder that poses the same threat.

Yikes, that sounds bad. Brian Krebs cycles through the story—Security Bug in Dell PCs Shipped Since 8/15:

[It’s] a serious security vulnerability that exposes users to online eavesdropping and malware.

At issue is a root certificate installed on newer Dell computers that also includes the private cryptographic key for that certificate.

The eDellRoot certificate was installed on all new desktop and laptops shipped from August.

It’s unclear why nobody at Dell saw this as a potential problem, especially since...Lenovo suffered a very similar security nightmare.

IDC [says Dell] will ship a little more than 10 million computers worldwide in the third quarter of 2015.

Time to roll out the PR fluffery? Dell’s Laura P. Thomas doesn’t disappoint, in her Response to Concerns Regarding eDellroot Certificate:

Today we became aware that a certificate (eDellRoot)...unintentionally introduced a security vulnerability.

We deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. ... [It] is not being used to collect personal customer information [and] will not reinstall itself once it is properly removed.

Ahem: “properly” removed? Shaun “braaaaiiins” Nichols drops the Z-word—Superfish 2.0 worsens: Dell's dodgy security certificate is an unkillable zombie:

The rogue root certificate...will magically reinstall itself even when deleted.

Run..."certmgr.msc"...right-click over it, hit "Remove"...reboot, reopen certmgr.msc...and search for the certificate "eDellRoot". Bingo, it's back.

This means that the recommended procedure to get rid of the vulnerable root CA file on Windows will not work.

Meanwhile, Taylor Swift tweets thuswise. (Yeah, I’m positive that @SwiftOnSecurity is fo’ realz):

SuperFish and today's Dell news show how invisible changes to the certificate stores are to even advanced users. This is a problem.

Remember, NSA has geniuses whose whole day is finding ****ups like eDellRoot.

Stop comparing Dell to Hitler. That's totally wrong. They're more like Rommel.

Dell's going to try to fix this mess, then Microsoft's actually going to fix it by adding it to Untrusted Certs.

Update 1: Here’s more about how to remove the zombie cert. Graham Cluley clues us in, with eDellRoot, the huge security hole shipped with Dell laptops and PCs - what you need to know:

It is bad.

[The] pre-installed trusted root certificate...can intercept HTTPS encrypted traffic for each and every website you visit. ... Criminally-minded hackers could...exploit the flaw through a silent man-in-the-middle attack, decrypting Wi-Fi communications without the knowledge of the victim.

The certificate isn't set to expire until the end of 2039. ... Frustratingly, Dell's dangerous root certificate will reinstall itself after being deleted.

A detailed analysis by researchers at Duo Security...explains that unless you also erase the Dell.Foundation.Agent.Plugins.eDell.dll module...the security vulnerability will continue to be present.

Dell is about to learn an important lesson: it takes years to earn your customers' trust, but only seconds to lose it.

Update 2: And then there were three. Here's Michael Mimoso, in Additional Self-Signed Certs, Private Keys Found on Dell Machines:

eDellroot is not the only self-signed trusted root certificate on Dell computers.

The impact of the two other certs is limited compared to the original offender. The Bluetooth certificate has been expired since March 2013, but Duo Security...said it was in the wild for 10-15 days. Now that the cert is expired, it could cause problems for the drivers.

[The other] has a similar name and is self-signed also, but has a different fingerprint. ... It too can be abused to snoop on encrypted traffic.

Reinstalling Windows will not resolve the issue since once the Dell drivers are reinstalled, [each] cert is put right back.

And Finally...

Steve in happier times

Click here for more “dude” videos.

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2015 IDG Communications, Inc.

Shop Tech Products at Amazon