Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish
It seems that the backlash from users against the Superfish bloatware shipped with Lenovo PCs and laptops hasn't deterred other manufacturers from installing similar pre-shipped bloatware. Dell is another big manufacturer found to be shipping PCs and laptops pre-installed with such rogue bloatware.
A Twitter user, Joe Nord, has discovered that Dell PCs and laptops ship with a rogue root-level certificate.
New computer, "eDellRoot" in the list of trusted root certificates. Valid through 2039. Not a good feeling. pic.twitter.com/HqpatkwrSZ
— Joe Nord (@jhnord) November 2, 2015
Nord has written a web post describing eDellRoot. He says that though the actions performed by eDellRoot are not known at present, it may be in the same category as Superfish. He says, “the eDellRoot certificate is a trusted root that expires in 2039 and is intended for ‘All’ purposes. Notice that this is more powerful than the clearly legitimate DigiCert certificate just above it, which spikes more curiosity.”
The problem with this rogue root-level CA is that it is not known what spying activities it will perform, unlike Superfish on Lenovo, which was known to inject adware into Lenovo PCs and laptops without the users' consent.
Nord further studied the certificate and stated that Windows reports “You have a private key that corresponds to this certificate”. He continues: “This is getting very fishy! As a user computer, I should NEVER have a private key that corresponds to a root CA. Only the certificate issuing computer should have a private key and that computer should be … very well protected!”
“This is the same action that existed with Superfish and in that case, Lenovo made the tremendously awful action of using the SAME private key on every computer. Has Dell done the same?”
Another user, Rotorcowboy, has made an elaborate thread on Reddit about the rogue root-level CA. The entire post is reproduced below:
I got a shiny new XPS 15 laptop from Dell, and while attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA by the name of eDellRoot. With it came its private key, marked as non-exportable. However, it is still possible to obtain a raw copy of the private key by using several tools available (I used NCC Group’s Jailbreak tool). After briefly discussing this with someone else who had discovered this too, we determined that they are shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers. For those that aren’t familiar, this is a major security vulnerability that endangers all recent Dell customers.
Surely Dell had to have seen what kind of bad press Lenovo got when people discovered what Superfish was up to. Yet, they decided to do the same thing but worse. This isn’t even a third-party application that placed it there; it’s from Dell’s very own bloatware. To add insult to injury, it’s not even apparent what purpose the certificate serves. At least with Superfish we knew that their rogue root CA was needed to inject ads into your web pages; the reason Dell’s is there is unclear.
If you have recently bought a Dell computer and want to see if you are affected by this, go to Start -> type “certmgr.msc” -> (accept on UAC prompt) -> Trusted Root Certification Authorities -> Certificates and check if you have an entry with the name “eDellRoot”. If so, congratulations, you’ve been pwned by Dell, the very company you paid for your computer!
Here is a link to the certificate, private key, and PFX file for the certificate I found on my machine. The password for the PFX file is “dell”. (The certificate itself is in the eDellRoot.crt file. Do NOT import the PFX file unless you know what you’re doing. I just included it for convenience.) If yours came with the eDellRoot certificate, its thumbprint will probably be:
And its serial number:
It’s upsetting that Dell would do this despite the backlash Lenovo experienced from its customers and the US Department of Homeland Security, and I really hope they quickly do something to correct this. The more people that know and speak up, the faster it will happen.
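As an added, defender-side example (not part of Rotorcowboy's post and not Dell's own tooling), the following PowerShell script automates the certmgr.msc check described above: it walks the machine and user trusted-root stores and flags any entry named eDellRoot, or any self-signed root that also carries a private key, which is the condition Nord and Rotorcowboy describe. It assumes an elevated PowerShell session; removal is opt-in via the hypothetical -Remove switch.

```powershell
# Added example, not from the article or from Dell: audit the Windows
# trusted root stores for self-signed roots that also carry a private key.
# Run in an elevated PowerShell session; nothing is removed unless -Remove is given.
param([switch]$Remove)

$suspect = @()
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem -Path $store) {
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        # A root with no Extended Key Usage extension (OID 2.5.29.37) is
        # trusted for "All" purposes, as the eDellRoot entry was reported to be.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $allPurposes = ($null -eq $eku)
        $named = ($cert.Subject -match 'eDellRoot')
        if ($named -or ($selfSigned -and $cert.HasPrivateKey)) {
            $suspect += [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                AllPurposes   = $allPurposes
            }
        }
    }
}

if ($suspect.Count -eq 0) {
    Write-Host 'No eDellRoot entry or self-signed root with a local private key found.'
    return
}
$suspect | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $suspect) {
        # Removing the trust anchor is the mitigation; any vendor software that
        # relied on it may stop working, so each removal asks for confirmation.
        Get-ChildItem -Path $s.Store |
            Where-Object { $_.Thumbprint -eq $s.Thumbprint } |
            Remove-Item -Confirm
    }
}
```

A self-signed root with a private key is not always malicious (a locally generated development CA looks the same), so review the Subject and Thumbprint columns before removing anything.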
It is not known whether this certificate came from Dell Computer Corporation. All root certificates are self-signed, so eDellRoot is simply asserting that eDellRoot is a legitimate certificate. But having the private key stored on the computer is bad.
Rotorcowboy reached out to Dell on Twitter, and @DellCares replied that it is a trusted certificate.
@DellCares This is a MAJOR security concern, especially because your customers all have the exact same CA on their machines. (1)
— Kevin Hicks (@rotorcowboy) November 22, 2015
For those who say this is just a root-level CA and not full-blown spyware like Superfish, rotorcowboy has stated that “I’ve been reading that a lot of people are skeptical in the sense that this CA can’t actually do anything because the CA has no capabilities. I did some more research and found out that this CA can indeed sign server certificates. I’ve updated the list of files above to include a certificate issued by the CA with file name “badgoogle.crt”, which you can also see in this screenshot. For those that are unfamiliar with how this works, a network attacker could use this CA to sign his or her own fake certificates for use on real websites and an affected Dell user would be none the wiser unless they happened to check the website’s certificate chain. This CA could also be used to sign code to run on people’s machines, but I haven’t tested this out yet.”
Dell has so far not commented on the issue. We are reaching out to Dell for comment. In the meantime, if you own a Dell PC or laptop, check whether it has the rogue certificate using the method given by Rotorcowboy.