Several months ago, news broke that Lenovo was shipping a rogue root certificate with its laptops. It was included as part of a pervasive adware called Superfish, which had already been annoying users (and support techs) for years before it was included by default on these machines. More recent news indicates that this is only the least of the security concerns for Lenovo users — it appears that there are also backdoors in the hardware itself, and governments around the world have now blacklisted Lenovo as a vendor for this reason.
Dell and Lenovo have been battling over PC market share for years now, and this understandably gave Dell a pretty decent boost in popularity. This makes Dell’s latest action all the more surprising.
Reddit user rotorcowboy discovered this past Sunday that Dell is including its own rogue CA on new laptops, and has since demonstrated that it is feasible to launch an attack using it. Another user, iamwpg, has identified that the certificate is also being installed through an update for machines that didn’t include it from the factory.
Let’s backtrack a little bit. What exactly does this mean?
Websites are delivered securely using a protocol called Transport Layer Security (TLS). To use TLS effectively, you need to get a certificate signed by a Certificate Authority (CA). Each certificate names the website it is intended to be used with, and when a CA signs it they are essentially vouching that you are in charge of that site. There are several CAs that are trusted by default, and they all tend to play by the rules. If you have a signed certificate from a trusted CA for a particular website, then you can act as that website for all intents and purposes.
The CA certificate that Dell is now distributing can be trivially cracked so that you can use it to sign new certificates. And since Dell’s laptops now trust this CA by default, they will trust your fake certificates. Then you can perform a Man-In-The-Middle (MITM) attack against these Dell users, effectively impersonating any website they might use. While doing this, you can snoop on or modify any of their traffic without their knowledge. It’s a pretty effective way to acquire personal and financial information, if the attack can be orchestrated.
One of the main purposes of TLS is to prevent MITM attacks. It is relatively easy to hijack an IP address or a domain name, but a TLS certificate and its chain of trust to a root CA helps us identify when we aren’t talking to the website we expected. With Dell machines now trusting a vulnerable CA certificate, this line of defense is gone and the security of the Internet is greatly undermined for many users.
Dell has made a serious mistake here. If you have a Dell computer, do yourself a favor and check if the eDellRoot certificate is present on your machine.
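One way to run that check on a Windows machine, as an added example that is not from the original post: the PowerShell below looks for a root certificate named eDellRoot in the machine and user trusted-root stores (matching on the subject name is an assumption, since the post gives no thumbprint) and reports whether its private key is also present on the endpoint.

```powershell
# Added example (not from the original post): look for the eDellRoot CA in the
# Windows trusted-root stores and report what was found. Matching is by subject
# name because the post does not give the certificate's thumbprint.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key sits on the endpoint is the
                # condition that lets leaf certificates be minted in its name.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($found) {
    Write-Warning 'eDellRoot is trusted on this machine:'
    $found | Format-Table -AutoSize
    # Mitigation: after confirming the thumbprint, remove it from every store it
    # appears in (run elevated for the LocalMachine store). Uncomment to apply.
    # $found | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    Write-Output 'eDellRoot not found in the trusted root stores.'
}
```

Because the post notes that the certificate is also delivered by an update, re-run the check after any Dell software update rather than treating a clean result as permanent.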