After eDellRoot, second root level rogue CA discovered in newer Dell PCs and Laptops

Even as the user outcry over the rogue CA, eDellRoot refuses to die down, Laptop Mag has discovered another root level CA on a newly purchased Dell XPS 13 laptop. According to Laptop Mag, they found a root level CA called DSDTestProvider in addition to the eDellRoot which we have already reported here.

Like eDellRoot, the DSDTestProvider is also self-signed and contained a private key and expired on 9th November, 20132. It is installed through Dell System Detect into the Trusted Root Certificate Store on new Windows laptops along with the private key.

Both, eDell Root and DSDTestProvider can be used by potential hackers to launch man-in-the-middle attacks and intercept encrypted and private information between the Dell PC/Laptop owner and third party. Carnegie Mellon University CERT says it allows attackers to create trusted certificates and impersonate sites, launch man-in-the-middle attacks, and passive decryption.

According to CMU CERT, “An attacker can generate certificates signed by the DSDTestProvider CA (Certificate Authority). Systems that trusts the DSDTestProvider CA will trust any certificate issued by the CA. An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data. Common attack scenarios include impersonating a web site, performing a MiTM attack to decrypt HTTPS traffic, and installing malicious software.”

CMU CERT advises Dell owners to revoke DSDTestProvider by moving ite from the Trusted Root Certificate Store to Untrusted Certificates. Revoking the certificate helps prevent reinstating trust if DSD is reinstalled. They will also have to  kill Dell.Foundation.Agent.Plugins.eDell.dll  to prevent the DSDTestProvider from reinstalling itself.

Dell has not commented on DSDTestProvider yet however it has posted instructions on how to fully remove the eDellRoot certificate here (Word doc), and says it will remove the certificate with a software patch to be issued today.