Duo Labs recently purchased 14 Dell laptops as part of a larger research project. What they found made them oddly uncomfortable: ‘eDellRoot’ on the list of trusted certificates, not expiring until 2039!
They’ve written up a report on their research and conclusions, which can be found here: https://www.duosecurity.com/static/pdf/Dude,_You_Got_Dell_d.pdf
- There are two certificates found on Dell machines, including a trusted eDellRoot root certificate
- In the wild, we identified that one of the systems using these certificates for providing web services over HTTPS was a SCADA (supervisory control and data acquisition) system
- eDellRoot is shipped preinstalled with an associated private key, which is a pretty big mistake
- The research indicates that Dell is intentionally shipping identical private keys in other models
- This means an attacker could sniff a Dell user’s web browsing traffic and manipulate their traffic to deliver malware
- Duo Labs also found another certificate mishap on a Dell machine – an Atheros Authenticode certificate also shipped with the Bluetooth software. In the interest of full disclosure, we are including the eDellRoot private key we identified and the entire Atheros certificate bundle with this post.
If a user were using their Dell laptop at a coffee shop, an attacker sitting on the shop’s Wi-Fi network could potentially sniff all of their TLS-encrypted traffic, including sensitive data like bank passwords, emails, etc.
The attacker could also manipulate the user’s traffic, e.g., sending malware in response to requests to download legitimate software or to install automatic updates – and make it all appear to be signed by a trusted developer.
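The practical check an administrator wants after reading this is whether a given Windows machine actually carries the certificate in its trusted root stores, and whether a private key is sitting next to it (a trusted root should never have one on an end-user machine). The PowerShell below is an added example written for this page; it is not code from Duo Labs or Dell. It matches on the subject name ‘eDellRoot’ quoted above rather than on a thumbprint, since the page does not state one, and the `$SubjectPattern` parameter and function names are assumptions of this example. Removal from `Cert:\LocalMachine\Root` needs an elevated session and the certificate provider’s `Remove-Item` support (PowerShell 3.0 or later).

```powershell
# Added example (not from the Duo Labs report or Dell): audit the Windows
# trusted root stores for a certificate by subject name and report whether a
# private key is present for it on this machine.
function Find-SuspectRootCert {
    param(
        # Subject name taken from the report above; wildcard pattern for -like
        [string]$SubjectPattern = '*eDellRoot*'
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # True means the private key for this root is available locally,
                    # i.e. anyone on the box can mint certificates the box trusts.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Remediation: delete every matching root from both stores. -WhatIf lets you
# preview the deletions before running it for real in an elevated session.
function Remove-SuspectRootCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SubjectPattern = '*eDellRoot*')
    Find-SuspectRootCert -SubjectPattern $SubjectPattern | ForEach-Object {
        $path = "$($_.Store)\$($_.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($path, 'Remove trusted root certificate')) {
            Remove-Item -Path $path -Verbose
        }
    }
}

# Report first; an empty table means the store is clean.
Find-SuspectRootCert | Format-Table -AutoSize
```

Run the report as-is on any Windows host; a row with `HasPrivateKey` set to True is the condition the report describes, since every machine shipped with the same key can impersonate any HTTPS site to that user. Run `Remove-SuspectRootCert -WhatIf` to see what would be deleted, then without `-WhatIf` from an administrator prompt to clean the machine store.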