Dell Backdoor Root Cert – What You Need To Know

The New Acunetix V12 Engine


So a few days ago the Internet exploded with chatter about a Dell backdoor root cert AKA a rogue root CA, almost exactly like what happened with Lenovo and Superfish.

It started with this Reddit thread – Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish in the Technology sub and got a lot of traction from there.

Dell Backdoor Root Cert - There's TWO

It’s pretty ironic they made the above statement on their website..and then did exactly what they promised not to do. Twice.

And yes, it’s not a useless cert – it can be used to sign server certificates and therefore perform man in the middle attacks. Plus you can drop in signed malware posting as Chrome/Firefox/whatever updates and have the machine accept then as trusted by the rogue root. And yes, there’s proof you can sign code with it here.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

– Source: The Register.

So removing the cert and rebooting doesn’t even help as there’s a .DLL file which will reinstate the certificate on logon. It’s probably for support software, and self signed certificates aren’t uncommon, the problem comes into play when the private key is also available on the laptop – which it is. Which means you can sign whatever you want (including server certs and software) with this certificate (which then any Dell laptop with the cert installed, will automatically trust).

If you have a Dell laptop you can try and load this site, if it works you have the cert installed – https://bogus.lessonslearned.org/

Dell have made an official statement regarding this here: Response to Concerns Regarding eDellroot Certificate


Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.

And provided removal instructions here: eDellRootCertRemovalInstructions.docx [DOCX]

Then not long later, someone else pointed out there was another equally problematic cert which also had an available private key – DSDTestProvider

A second root certificate has been found in new Dell laptops days after the first backdoor was revealed.

The DSDTestProvider certificate was first discovered by Laptopmag. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key.

Dell has been contacted for comment. The Texas tech titan has called the first certificate gaffe an “unintended security vulnerability” in boilerplate media statements. Carnegie Mellon University CERT says it allows attackers to create trusted certificates and impersonate sites, launch man-in-the-middle attacks, and passive decryption.

“An attacker can generate certificates signed by the DSDTestProvider CA (Certificate Authority),” CERT bod Brian Gardiner says. “Systems that trusts the DSDTestProvider CA will trust any certificate issued by the CA.

– Source: The Register

So yah, not once – but twice. Dell finally issued full instructions (not in a Word document) to remove both certs for good.

Information on the eDellRoot and DSDTestProvider certificates and how to remove them from your Dell PC

At the time of writing, a bunch of images in the document are broken – but it should be enough to remove the certs.

It’s surprising Dell would do this after the backlack over Superfish, which included a statement by the US-CERT: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

The best advice I’ve seen to avoid these types of issue is:

– Install Linux
– Use a Mac
– Buy a clean one from Microsoft directly (Surface being the best of course)
– Can’t get one direct from the MS? look for a model with “Microsoft Signature Edition”

So yah, Dell screwed up pretty badly this time and I’m guessing lost a lot of trust from consumers. It’s hard to know who to choose nowadays with Lenovo out the pictures (and they bought Thinkpad) and now Dell being dodgy.

I’ve had a good experience with Asus personally, but I always reinstall fresh Vanilla windows on any laptop I have to use so YMMV.

Posted in: Cryptography, Privacy


Latest Posts:


How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.
Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.


3 Responses to Dell Backdoor Root Cert – What You Need To Know

  1. BlueNexus November 29, 2015 at 10:52 pm #

    Delete the .dll file. Create a text file with the exact same name and same extension name in the same folder/directory. It should see the file name and not try to replace the deleted dll file. Will this work?

    • Darknet November 30, 2015 at 3:19 pm #

      Theoretically it may, I honestly don’t know though.

  2. Beth December 5, 2015 at 9:39 pm #

    The best advice – install Linux. For people that are used to Windows, don’t want to have these issues and don’t want to get Mac, the way from my experience was actually to install Elementary .. which is Ubuntu but when people hear Linux or Ubuntu they get scared (even PHP developers in a company I worked in!!)