Additional Self-Signed Certs, Private Keys Found on Dell Machines

Two more self-signed root certificates and corresponding private keys were found on Dell computers.

eDellroot is not the only self-signed trusted root certificate on Dell computers.

Researchers at Duo Security found two more on a Dell Inspiron 14-inch laptop purchased by Darren Kemp, one of its researchers who is based in Calgary, Canada, including one cert related to eDellroot that also ships with a corresponding private key, and a Atheros Authenticode certificate and private key used to sign Bluetooth drivers.

The impact of the two other certs is limited compared to the original offender. The Bluetooth certificate has been expired since March 2013, but Duo Security director of research Steve Manzuik said it was in the wild for 10-15 days. Now that the cert is expired, it could cause problems for the drivers.

“Because it’s expired, the risk is quite a bit lower. You can’t use cert to man-in-the-middle traffic,” Manzuik said of the Bluetooth cert. Duo published a report last night on its findings. “There was a period of 10-15 days when it was valid and being shipped. In that scenario, you could sign device drivers with it and the OS would trust them if signed by a known trusted cert. The risk now is when you revoke it, it will more than likely have an impact on Bluetooth drivers. You may have to reinstall new ones.”

As for the related eDellroot cert, it has a similar name and is self-signed also, but has a different fingerprint, Manzuik said. It too can be abused to snoop on encrypted traffic, but Manzuik said a scan conducted by Duo researchers turned up only 24 machines with the cert installed. One of those, Manzuik said, is a SCADA machine and Duo is taking steps to inform the owner.

“It’s a machine we don’t own, so we didn’t go any further. But it is a webserver identifying itself as a SCADA machine that’s using the compromised cert,” Manzuik said. “That doesn’t mean the machine is compromised, but if they’re expecting communication from the machine secure, they’re mistaken.”

Dell, meanwhile, late on Monday said that it was going to remove the eDellroot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions, and starting today will push a software update that checks for the eDellroot cert and removes it.

Manzuik cautions that reformatting the affected machine and reinstalling Windows will not resolve the issue since once the Dell drivers are reinstalled, the eDellroot cert is put right back.

“In order to fix this, it’s not a matter of just deleting the cert. You have to delete the cert and delete the [Dell Foundation Services] DLL as well to prevent it from reinstalling itself,” Manzuik said. “We’ve seen a Reddit thread where they’re saying a simple fix is to just delete the cert. That’s not complete.”

Dell Foundation Services installs the cert and its purpose is to quicken online support engagements with Dell staff. The certificate, Dell said, allows online support to identify the PC model, drivers, OS, hard drive and more.”

“Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process,” Dell said in a statement provided to Threatpost. Dell also said that commercial customers who image their own systems are not vulnerable.

Already, eDellroot is being likened to the Superfish adware found on Lenovo computers in February. Superfish was Lenovo bloatware used to install ads in users’ browsers; it also opened the door to abuse leading to man-in-the-middle attacks similar to the Dell situation.

So far, eDellroot has been found on Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops.

“It means attackers are de facto certificate authorities, free to generate man-in-the-middle certs, or just direct phishing sites that won’t get flagged as illegitimate,” said researcher Kenneth White, director of the Open Crypto Audit Project. “For these users, it’s as if there’s a bogus equivalent to Verisign, Comodo, or Symantec CA.”

White has built a website that checks whether machines are vulnerable to the cert. German security blogger Hanno Bock has also built a similar online check.

“This is not difficult at all to exploit. To man-in-the-middle traffic, the only roadblock you usually have is to get the cert loaded on the machine. In this case, it’s already on the machine,” Manzuik said. “Now you have the private key on the machine too. There are tools on the Net that would allow the average computer geek to do this.”

Suggested articles