Dell Backdoor Root Cert – What You Need To Know

Published 2015-11-26 on darknet.org.uk: https://www.darknet.org.uk/2015/11/dell-backdoor-root-cert-need-know/

So a few days ago the Internet exploded with chatter about a Dell backdoor root cert, AKA a rogue root CA, almost exactly like what happened with Lenovo and Superfish.

It started with this Reddit thread – "Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish" – in the Technology sub and got a lot of traction from there.

[Image: Dell statement]

It’s pretty ironic that they made the above statement on their website... and then did exactly what they promised not to do. Twice.

And yes, it’s not a useless cert – it can be used to sign server certificates and therefore perform man-in-the-middle attacks. Plus you can drop in signed malware posing as Chrome/Firefox/whatever updates and have the machine accept them as trusted because the rogue root is trusted. And yes, there’s proof you can sign code with it here.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

– Source: The Register.

So removing the cert and rebooting doesn’t even help, as there’s a .DLL file which will reinstate the certificate on logon. It’s probably there for support software, and self-signed certificates aren’t uncommon in themselves; the problem comes into play when the private key is also available on the laptop – which it is. That means you can sign whatever you want (including server certs and software) with this certificate, and any Dell laptop with the cert installed will automatically trust it.

If you have a Dell laptop you can try to load this site; if it loads without a certificate error, you have the cert installed – https://bogus.lessonslearned.org/
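If you would rather check the machine itself than rely on a test site, the following PowerShell script is an added example (not from the article or from Dell) that audits the trusted root stores for eDellRoot, reports whether its private key is present, and looks for the Dell.Foundation.Agent.Plugins.eDell.dll plugin that the quoted Register piece says reinstalls the cert. It assumes the DLL lives somewhere under the Program Files trees, since the article gives no path; by default it only reports, and deletes only when run with -Remove.

```powershell
# Added example (not from the article): audit a Windows machine for the eDellRoot
# root CA and the plugin DLL said to reinstall it. Run from an elevated prompt.
# Report-only by default; pass -Remove to delete what is found.
param([switch]$Remove)

$certName = 'eDellRoot'
$dllName  = 'Dell.Foundation.Agent.Plugins.eDell.dll'

# 1. Check both the machine-wide and the current-user trusted root stores.
$found = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*CN=$certName*" }
}

if (-not $found) {
    Write-Output "No $certName certificate in the trusted root stores."
} else {
    foreach ($c in $found) {
        # HasPrivateKey is the crucial bit: a trusted root whose private key is on
        # the box lets anyone who extracts it mint server or code-signing certs
        # that this machine will accept without warning.
        Write-Output ("FOUND {0}  Thumbprint={1}  HasPrivateKey={2}" -f `
            $c.PSParentPath, $c.Thumbprint, $c.HasPrivateKey)
        if ($Remove) {
            Remove-Item -Path $c.PSPath -Force
            Write-Output "  removed certificate"
        }
    }
}

# 2. Look for the plugin DLL that puts the certificate back on logon.
#    Assumption: it is installed under one of the Program Files trees.
$dlls = foreach ($root in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if ($root) {
        Get-ChildItem -Path $root -Recurse -Filter $dllName -File -ErrorAction SilentlyContinue
    }
}

if (-not $dlls) {
    Write-Output "No $dllName found under Program Files."
} else {
    foreach ($d in $dlls) {
        Write-Output "FOUND $($d.FullName)"
        if ($Remove) {
            Remove-Item -Path $d.FullName -Force
            Write-Output "  removed DLL"
        }
    }
}
```

Re-run the script after a reboot and a fresh logon: if the certificate reappears, the DLL (or another component) is still in place.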

Dell have made an official statement regarding this here: Response to Concerns Regarding eDellroot Certificate.