Dell Backdoor Root Cert – What You Need To Know

Keep on Guard!


So a few days ago the Internet exploded with chatter about a Dell backdoor root cert AKA a rogue root CA, almost exactly like what happened with Lenovo and Superfish.

It started with this Reddit thread – Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish in the Technology sub and got a lot of traction from there.

Dell Backdoor Root Cert - There's TWO

It’s pretty ironic they made the above statement on their website..and then did exactly what they promised not to do. Twice.

And yes, it’s not a useless cert – it can be used to sign server certificates and therefore perform man in the middle attacks. Plus you can drop in signed malware posting as Chrome/Firefox/whatever updates and have the machine accept then as trusted by the rogue root. And yes, there’s proof you can sign code with it here.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

– Source: The Register.

So removing the cert and rebooting doesn’t even help as there’s a .DLL file which will reinstate the certificate on logon. It’s probably for support software, and self signed certificates aren’t uncommon, the problem comes into play when the private key is also available on the laptop – which it is. Which means you can sign whatever you want (including server certs and software) with this certificate (which then any Dell laptop with the cert installed, will automatically trust).

If you have a Dell laptop you can try and load this site, if it works you have the cert installed – https://bogus.lessonslearned.org/

Dell have made an official statement regarding this here: Response to Concerns Regarding eDellroot Certificate


Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.

And provided removal instructions here: eDellRootCertRemovalInstructions.docx [DOCX]

Then not long later, someone else pointed out there was another equally problematic cert which also had an available private key – DSDTestProvider

A second root certificate has been found in new Dell laptops days after the first backdoor was revealed.

The DSDTestProvider certificate was first discovered by Laptopmag. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key.

Dell has been contacted for comment. The Texas tech titan has called the first certificate gaffe an “unintended security vulnerability” in boilerplate media statements. Carnegie Mellon University CERT says it allows attackers to create trusted certificates and impersonate sites, launch man-in-the-middle attacks, and passive decryption.

“An attacker can generate certificates signed by the DSDTestProvider CA (Certificate Authority),” CERT bod Brian Gardiner says. “Systems that trusts the DSDTestProvider CA will trust any certificate issued by the CA.

– Source: The Register

So yah, not once – but twice. Dell finally issued full instructions (not in a Word document) to remove both certs for good.

Information on the eDellRoot and DSDTestProvider certificates and how to remove them from your Dell PC

At the time of writing, a bunch of images in the document are broken – but it should be enough to remove the certs.

It’s surprising Dell would do this after the backlack over Superfish, which included a statement by the US-CERT: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

The best advice I’ve seen to avoid these types of issue is:

– Install Linux
– Use a Mac
– Buy a clean one from Microsoft directly (Surface being the best of course)
– Can’t get one direct from the MS? look for a model with “Microsoft Signature Edition”

So yah, Dell screwed up pretty badly this time and I’m guessing lost a lot of trust from consumers. It’s hard to know who to choose nowadays with Lenovo out the pictures (and they bought Thinkpad) and now Dell being dodgy.

I’ve had a good experience with Asus personally, but I always reinstall fresh Vanilla windows on any laptop I have to use so YMMV.

Learn about Cryptography



Posted in: Cryptography, Privacy

Latest Posts:


CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds
dcrawl - Web Crawler For Unique Domains dcrawl – Web Crawler For Unique Domains
dcrawl is a simple, but smart, multithreaded web crawler for randomly gathering huge lists of unique domain names. It will branch out indefinitely.


3 Responses to Dell Backdoor Root Cert – What You Need To Know

  1. BlueNexus November 29, 2015 at 10:52 pm #

    Delete the .dll file. Create a text file with the exact same name and same extension name in the same folder/directory. It should see the file name and not try to replace the deleted dll file. Will this work?

    • Darknet November 30, 2015 at 3:19 pm #

      Theoretically it may, I honestly don’t know though.

  2. Beth December 5, 2015 at 9:39 pm #

    The best advice – install Linux. For people that are used to Windows, don’t want to have these issues and don’t want to get Mac, the way from my experience was actually to install Elementary .. which is Ubuntu but when people hear Linux or Ubuntu they get scared (even PHP developers in a company I worked in!!)