Dell Backdoor Root Cert – What You Need To Know

So a few days ago the Internet exploded with chatter about a Dell backdoor root cert AKA a rogue root CA, almost exactly like what happened with Lenovo and Superfish.

It started with this Reddit thread – Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish in the Technology sub and got a lot of traction from there.

Dell Backdoor Root Cert - There's TWO

It’s pretty ironic they made the above statement on their website..and then did exactly what they promised not to do. Twice.

And yes, it’s not a useless cert – it can be used to sign server certificates and therefore perform man in the middle attacks. Plus you can drop in signed malware posting as Chrome/Firefox/whatever updates and have the machine accept then as trusted by the rogue root. And yes, there’s proof you can sign code with it here.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

– Source: The Register.

So removing the cert and rebooting doesn’t even help as there’s a .DLL file which will reinstate the certificate on logon. It’s probably for support software, and self signed certificates aren’t uncommon, the problem comes into play when the private key is also available on the laptop – which it is. Which means you can sign whatever you want (including server certs and software) with this certificate (which then any Dell laptop with the cert installed, will automatically trust).

If you have a Dell laptop you can try and load this site, if it works you have the cert installed –

Dell have made an official statement regarding this here: Response to Concerns Regarding eDellroot Certificate

Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.

And provided removal instructions here: eDellRootCertRemovalInstructions.docx [DOCX]

Then not long later, someone else pointed out there was another equally problematic cert which also had an available private key – DSDTestProvider

A second root certificate has been found in new Dell laptops days after the first backdoor was revealed.

The DSDTestProvider certificate was first discovered by Laptopmag. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key.

Dell has been contacted for comment. The Texas tech titan has called the first certificate gaffe an “unintended security vulnerability” in boilerplate media statements. Carnegie Mellon University CERT says it allows attackers to create trusted certificates and impersonate sites, launch man-in-the-middle attacks, and passive decryption.

“An attacker can generate certificates signed by the DSDTestProvider CA (Certificate Authority),” CERT bod Brian Gardiner says. “Systems that trusts the DSDTestProvider CA will trust any certificate issued by the CA.

– Source: The Register

So yah, not once – but twice. Dell finally issued full instructions (not in a Word document) to remove both certs for good.

Information on the eDellRoot and DSDTestProvider certificates and how to remove them from your Dell PC

At the time of writing, a bunch of images in the document are broken – but it should be enough to remove the certs.

It’s surprising Dell would do this after the backlack over Superfish, which included a statement by the US-CERT: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

The best advice I’ve seen to avoid these types of issue is:

– Install Linux
– Use a Mac
– Buy a clean one from Microsoft directly (Surface being the best of course)
– Can’t get one direct from the MS? look for a model with “Microsoft Signature Edition”

So yah, Dell screwed up pretty badly this time and I’m guessing lost a lot of trust from consumers. It’s hard to know who to choose nowadays with Lenovo out the pictures (and they bought Thinkpad) and now Dell being dodgy.

I’ve had a good experience with Asus personally, but I always reinstall fresh Vanilla windows on any laptop I have to use so YMMV.

Posted in: Cryptography, Privacy

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

3 Responses to Dell Backdoor Root Cert – What You Need To Know

  1. BlueNexus November 29, 2015 at 10:52 pm #

    Delete the .dll file. Create a text file with the exact same name and same extension name in the same folder/directory. It should see the file name and not try to replace the deleted dll file. Will this work?

    • Darknet November 30, 2015 at 3:19 pm #

      Theoretically it may, I honestly don’t know though.

  2. Beth December 5, 2015 at 9:39 pm #

    The best advice – install Linux. For people that are used to Windows, don’t want to have these issues and don’t want to get Mac, the way from my experience was actually to install Elementary .. which is Ubuntu but when people hear Linux or Ubuntu they get scared (even PHP developers in a company I worked in!!)