Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over. Tampering with the certificate store is a questionable practice, and OEM’s need to be careful when adding new trusted certificates, especially root certificates. Tampering with certificate stores exposes users to unnecessary, increased risk. This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Note that if you ever perform a factory reset on your Dell system, this certificate and the eDell plugin will be restored to the system and you will have to manually remove it again. Failure to do so may result in continued exposure to this security flaw. This can be accomplished by deleting the ‘.eDell.dll’ module from the system. This is not entirely accurate you must remove the eDell plugin entirely or the certificate will be reinstalled whenever it is loaded. Many people have indicated that removing the eDellRoot certificates from the root and personal certificate stores is sufficient to protect users. We are unsure what Dell Foundation Services (DFS) actually does on a Dell systems, however, Dell has a vague description here and a Dell support forum also contains this overly vague and unhelpful response from Dell. UPDATE: Official remediation instructions and a patch are now available from Dell. The earliest driver version that we could identify with this certificate was released on Mawith the “Dell Wireless 1601,10.0.0.227, A00 Driver” version 11.22.54.596. That means anything that was signed and timestamped prior to the certificate expiring could be valid. However, it appears that this certificate was in circulation while it was still valid (at least 11 days from what we can tell). Thankfully, this certificate expired on making it less prone to potential abuse. It turns out an Atheros signing certificate also shipped with the Bluetooth management software! It’s the certificate used to sign four of the Bluetooth drives that shipped with the install: pfx archive required a password which took us all of 6 hours worth of sub-optimal cloud cracking to recover the resulting password was: ‘t-span.’ The Bluetooth management tools which ship with the machine included a file called ‘Verisign.pfx’ the name alone was pretty ominous. Bonus Round: Leaked Atheros Authenticode CertificatesĮDellRoot was not the only certificate mishap we identified with our Dell machine. The attacker could also manipulate the user’s traffic, e.g., sending malware in response to requests to download legit software, or install automatic updates - and make it all appear to be signed by a trusted developer. If a user was using their Dell laptop at a coffee shop, an attacker sitting on the shop’s wi-fi network could potentially sniff all of their TLS encrypted traffic, including sensitive data like bank passwords, emails, etc. You can download a zip of all the affected certificates here. In the interest of full-disclosure, we are including the eDellRoot private key we identified and the entire Atheros certificate bundle with this post. We also found another certificate mishap on our Dell machine - an Atheros Authenticode signing certificate also shipped with the Bluetooth software.In the wild, we discovered a SCADA system associated with the water treatment facilities of a city in Kentucky using the eDellRoot certificate for HTTPS.This means an attacker could sniff a Dell user’s web browsing traffic and manipulate their traffic to deliver malware.Our research indicates that Dell is intentionally shipping identical private keys in other models.The eDellRoot certificate is shipped preinstalled with an associated private key, which is a critical mistake.There are two certificates we found on Dell machines, including a trusted eDellRoot root certificate.Read on for more about Superfish 2: eDellRoot Boogaloo, and reach out to our Duo Labs research team at if you have any questions! Download our research paper for the full technical breakdown of our findings. And we weren’t the only ones - a reddit thread and some Twitter activity prompted us to share our observations and the real-world impact of our findings. Recently, Duo Labs security researchers found a few sketchy certificates on a Dell Inspiron 14 laptop we purchased last week to conduct a larger research project.
0 Comments
Leave a Reply. |