Dell root CA Shenanigans
-
Updated to add at 1610 PT / 0010 GMT
According to an analysis [PDF] by Duo Security, a bundled plugin reinstalls the root CA file if it is removed. First, you must delete Dell.Foundation.Agent.Plugins.eDell.dll from your system (search for it) and then remove the eDellRoot root CA certificate. The cert, we're told, is used with the plugin for receiving cryptographically signed telemetry requests; said telemetry includes things like the machine's service tag, a seven-character serial number that identifies the computer model, if not the individual machine.
"This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk," the Duo team – Darren Kemp, Mikhail Davidov, and Kyle Lady – wrote in their report.
"Tampering with the certificate store is a questionable practice, and OEMs need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."
Also:
-
My question is, why do they need to do it this way? If the software is on the machine, why can't it collect the "allowed" data and just send it via SSL to the vendor?
-
@Dashrender said:
My question is, why do they need to do it this way? If the software is on the machine, why can't it collect the "allowed" data and just send it via SSL to the vendor?
The logical answer would be either that they are lazy or that getting the "allowed" data is not the point. Given the risks of getting caught, being lazy makes little sense. How could they think that they would get away with it at all?
-
Dell acknowledges the issue:
To get rid of the self-signed root certificate, Dell customers have the option of waiting for a software patch to be rolled out over the coming days, or downloading and running the fix themselves.
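For anyone who would rather check their own machines than wait for the patch, here is an added PowerShell audit script (my own, not Dell's fix and not from the Duo report) that follows the removal order the Duo analysis describes: find and delete the plugin DLL first, then the eDellRoot certificate, otherwise the plugin just puts the cert back. The DLL name and certificate name come from the thread; the folders it searches and the `-Remove` switch are my assumptions. Run it from an elevated prompt; without `-Remove` it only reports.

```powershell
param([switch]$Remove)   # assumption: report only unless -Remove is given

$pluginName  = 'Dell.Foundation.Agent.Plugins.eDell.dll'   # named in the Duo analysis
$certName    = 'eDellRoot'                                  # named in the Duo analysis
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32")  # assumed locations

# 1. Locate the plugin that reinstalls the certificate when it is deleted.
$plugins = foreach ($root in $searchRoots) {
    if ($root -and (Test-Path $root)) {
        Get-ChildItem -Path $root -Filter $pluginName -Recurse -File -ErrorAction SilentlyContinue
    }
}

# 2. Locate the certificate in the machine-wide stores a root CA could be trusted from.
$certs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*CN=$certName*" }

foreach ($c in $certs) {
    # A trusted root whose private key is present on the box is the real problem:
    # whoever holds that key can issue certificates this machine will accept.
    [pscustomobject]@{
        Store         = $c.PSParentPath -replace '.*::'
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
    }
}

if (-not $plugins -and -not $certs) {
    Write-Host "No $certName artifacts found."
    return
}

if ($Remove) {
    # 3a. Plugin first. If the file is locked, stop the service that loaded it and rerun
    #     (the thread does not name that service, so it is not automated here).
    foreach ($p in $plugins) {
        Remove-Item -Path $p.FullName -Force
        Write-Host "Removed plugin $($p.FullName)"
    }
    # 3b. Then the certificate; -DeleteKey also removes the private key from the key store.
    foreach ($c in $certs) {
        Remove-Item -Path $c.PSPath -DeleteKey
        Write-Host "Removed certificate $($c.Thumbprint) from $($c.PSParentPath -replace '.*::')"
    }
}
```

Run it again after a reboot: if the certificate reappears, a copy of the plugin survived somewhere outside the folders searched.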