Earlier last week it was discovered that the computer manufacturer Dell had mistakenly included a preinstalled root certificate (named eDellRoot), together with the private key (defined) that was used to create that certificate, with a Dell support tool called DFS (Dell Foundation Services), which is used to assist customers more efficiently. Dell explained the purpose of this certificate as follows: “it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.” (Source).
A root certificate is usually provided by a Certificate Authority (defined) and is the means of determining whether a TLS certificate being used by a website can be trusted.
In addition, a second certificate (named DSDTestProvider) was found to be included with another Dell tool, namely DSD (Dell System Detect), which users are prompted to install when they visit the Dell support website and click the button to detect the type of Dell product they are using.
Why Should The Inclusion Of These Certificates On My Dell Device Be Considered Important?
Since the private keys for these certificates were also bundled with them (a severe deviation from best practice), they could be used by attackers to generate fake certificates for any website of their choice, which would be accepted as legitimate by affected Dell systems. The attackers using these certificates could then decrypt the secured connections to those sites using the private keys. Another example of an attack in this instance, a man-in-the-middle attack (defined) that could be used against affected devices, is presented in this blog post.
These certificates could also be used to digitally sign malware and make it appear legitimate. If malicious drivers were signed using these certificates, they could also bypass driver signature verification within 64-bit versions of Windows.
Which Dell Systems/Devices Are Affected By These Issues?
The following systems are reported to be affected: the XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, and the Precision M4800.
The Dell Foundation Services certificate may also be present on laptops, desktops, two-in-ones, all-in-ones, and towers from various Dell product lines, including XPS, Vostro and Precision Tower, OptiPlex and Inspiron since it is available to download for all of those devices.
How Can I Protect Myself From These Issues?
First of all you can check if your Dell device is affected by this issue by visiting this website (my thanks to Graham Cluley for this link). US-CERT have also provided a website to check if your system is affected by these issues and have provided a comprehensive set of steps to resolve these security issues.
Moreover, Microsoft have updated their anti-malware tools to detect and remove these certificates. Further details are available here.
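To complement the online checks above, the following PowerShell script performs a read-only local audit for the two certificates named in this post. It is an added example, not code from Dell, US-CERT or Microsoft. The list of stores searched and the choice to match on subject and issuer name (rather than on a thumbprint, which this post does not give) are assumptions.

```powershell
# Added example: read-only audit of the Windows certificate stores for the
# two Dell certificates named in this post. Nothing is modified or deleted.
$names  = 'eDellRoot', 'DSDTestProvider'

# Assumption: these are the stores worth checking; adjust as needed.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My',
          'Cert:\LocalMachine\TrustedPublisher',
          'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My',
          'Cert:\CurrentUser\TrustedPublisher'

function Find-DellTestCertificate {
    param([string[]]$StorePath, [string[]]$Name)

    # Build one case-insensitive pattern from the certificate names.
    $pattern = ($Name | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($store in $StorePath) {
        if (-not (Test-Path -Path $store)) { continue }

        # Match the certificate itself (Subject) and anything it signed (Issuer).
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # True means the private key is present on this machine.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-DellTestCertificate -StorePath $stores -Name $names)
if ($hits.Count -eq 0) {
    'No eDellRoot or DSDTestProvider certificate found in the checked stores.'
} else {
    "Found $($hits.Count) matching certificate(s):"
    $hits | Format-List
}
```

A match in a `Root` store means the system trusts anything signed with the bundled private key; use the US-CERT steps referenced above to remove it rather than deleting the entry by hand.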
Were you affected by this issue? If so, how did you resolve it? Were the above steps useful to you? As always if you have any questions or comments about this post or any other, please do not hesitate to contact me.