Dell Backdoor Root Cert – What You Need To Know

Use Netsparker

So a few days ago the Internet exploded with chatter about a Dell backdoor root cert AKA a rogue root CA, almost exactly like what happened with Lenovo and Superfish.

It started with this Reddit thread – Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish in the Technology sub and got a lot of traction from there.

Dell Backdoor Root Cert - There's TWO

It’s pretty ironic they made the above statement on their website..and then did exactly what they promised not to do. Twice.

And yes, it’s not a useless cert – it can be used to sign server certificates and therefore perform man in the middle attacks. Plus you can drop in signed malware posting as Chrome/Firefox/whatever updates and have the machine accept then as trusted by the rogue root. And yes, there’s proof you can sign code with it here.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

– Source: The Register.

So removing the cert and rebooting doesn’t even help as there’s a .DLL file which will reinstate the certificate on logon. It’s probably for support software, and self signed certificates aren’t uncommon, the problem comes into play when the private key is also available on the laptop – which it is. Which means you can sign whatever you want (including server certs and software) with this certificate (which then any Dell laptop with the cert installed, will automatically trust).

If you have a Dell laptop you can try and load this site, if it works you have the cert installed –

Dell have made an official statement regarding this here: Response to Concerns Regarding eDellroot Certificate

Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.

And provided removal instructions here: eDellRootCertRemovalInstructions.docx [DOCX]

Then not long later, someone else pointed out there was another equally problematic cert which also had an available private key – DSDTestProvider

A second root certificate has been found in new Dell laptops days after the first backdoor was revealed.

The DSDTestProvider certificate was first discovered by Laptopmag. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key.

Dell has been contacted for comment. The Texas tech titan has called the first certificate gaffe an “unintended security vulnerability” in boilerplate media statements. Carnegie Mellon University CERT says it allows attackers to create trusted certificates and impersonate sites, launch man-in-the-middle attacks, and passive decryption.

“An attacker can generate certificates signed by the DSDTestProvider CA (Certificate Authority),” CERT bod Brian Gardiner says. “Systems that trusts the DSDTestProvider CA will trust any certificate issued by the CA.

– Source: The Register

So yah, not once – but twice. Dell finally issued full instructions (not in a Word document) to remove both certs for good.

Information on the eDellRoot and DSDTestProvider certificates and how to remove them from your Dell PC

At the time of writing, a bunch of images in the document are broken – but it should be enough to remove the certs.

It’s surprising Dell would do this after the backlack over Superfish, which included a statement by the US-CERT: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

The best advice I’ve seen to avoid these types of issue is:

– Install Linux
– Use a Mac
– Buy a clean one from Microsoft directly (Surface being the best of course)
– Can’t get one direct from the MS? look for a model with “Microsoft Signature Edition”

So yah, Dell screwed up pretty badly this time and I’m guessing lost a lot of trust from consumers. It’s hard to know who to choose nowadays with Lenovo out the pictures (and they bought Thinkpad) and now Dell being dodgy.

I’ve had a good experience with Asus personally, but I always reinstall fresh Vanilla windows on any laptop I have to use so YMMV.

Posted in: Cryptography, Privacy

Latest Posts:

Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds. - Test SSL Security Including Ciphers, Protocols & Detect Flaws – Test SSL Security Including Ciphers, Protocols & Detect Flaws is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

3 Responses to Dell Backdoor Root Cert – What You Need To Know

  1. BlueNexus November 29, 2015 at 10:52 pm #

    Delete the .dll file. Create a text file with the exact same name and same extension name in the same folder/directory. It should see the file name and not try to replace the deleted dll file. Will this work?

    • Darknet November 30, 2015 at 3:19 pm #

      Theoretically it may, I honestly don’t know though.

  2. Beth December 5, 2015 at 9:39 pm #

    The best advice – install Linux. For people that are used to Windows, don’t want to have these issues and don’t want to get Mac, the way from my experience was actually to install Elementary .. which is Ubuntu but when people hear Linux or Ubuntu they get scared (even PHP developers in a company I worked in!!)