Sunday, November 22, 2015

New Dell computer comes with a eDellRoot trusted root certificate

I recently purchased a Dell Inspiron 5000 series notebook (October 2015).  Setting things up, I was surprised to see a trusted root certificate pre-installed on the machine labeled "eDellRoot".  I'm having a tough time coming up with a good reason that Dell Computer Corporation needs to be a trusted root CA on my computer.

It has me thinking things similar to the Lenovo mistakes earlier this year with Superfish which I described at the time on twitter as "Lenovo commits corporate suicide".  With this eDellRoot presence causing curiosity, I posted again on twitter and this has resulted in some queries to more specifics on what I know.

I'll start with the MMC console certificates view of the installed cert.

Observe, the eDellRoot certificate is a trusted root that expires in 2039 and is intended for "All" purposes.  Notice that this is more powerful than the clearly legitimate DigiCert certificate just above it, which spikes more curiosity.

Drill in to see the certificate details and alarm bells start going off. 

"You have a private key that corresponds to this certificate".  This is getting very fishy!  As a user computer, I should NEVER have a private key that corresponds to a root CA.  Only the certificate issuing computer should have a private key and that computer should be ... very well protected!

Certificate details


Serial number starts with "6b c5 7b 95 18 93 aa 97 4b 62" and the keys are marked non-exportable.  Notice that this doesn't mean that the private key isn't accessible, it only means that it isn't exportable.  Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid.

This is the same action that existed with Superfish and in that case, Lenovo made the tremendously awful action of using the SAME private key on every computer.  Has Dell done the same?  When I get a few minutes, I'll try this technique to dump the private key.

Is it Dell?

Consider, while I do know that this certificate came pre-installed on the computer and I do know that it is named "Dell", I do not actually know that this certificate came from Dell Computer Corporation.  Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit. Where it breaks down is that the private key IS PRESENT on my computer and that means ... bad.

I'll note that I do not see MITM website proxy as described in this Sophos blog and the sites visited check out clean using Steve Gibson's fingerprints service.  A spot checking of web browsing here and there also shows certificate chains checking out as I would expect.  What is the purpose of eDellRoot?

And request arrives, Joe, would you kindly share the eDellRoot certificate from your computer?  Okay, here you go, link

I look forward to reading comments,

Joe Nord

10 comments:

Brent said...

I found the certificate on my Inspiron purchased in July. I also noticed that there was a certificicate in the personal store issued to localhost from that CA.

Unknown said...

Hi Joe,
My name is Laura and I work for Dell. Customer security and privacy is a top concern for us. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information.
~LPT

Brian Kemp said...

Someone in the reddit thread says that it'll show up on older machines post-update:

https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/cxa8oyk

Ricardo Wong said...

Bought a computer in june, certificate matches. Thanks for sharing this information.

Justin Goldberg said...

This command would delete the certificate if I could find it's serial number. The help for the certutil command is huge and obtuse. This would be good for a network logon script if you had a lot of these deployed without MDT/SCCM imaging.

certutil -delstore my serialnumber

Unknown said...

I have an Precision M2800 running Windows 7 that I purchased in Dec 2014 that has the unsigned eDellroot certificate.

I called Dell support and they told me since it was a software problem that they would refer me to consult with their fee-based software support for

Unknown said...

To export private keys marked as non-exportable, you do not even need to use procdump or apply any kind of reverse engineering. Just use https://github.com/gentilkiwi/mimikatz ( http://stackoverflow.com/questions/3914882/how-to-export-non-exportable-private-key-from-store )

ecravn said...

Also FYI it looks like Dell System Detect (a support software provided by Dell) will add another trusted root cert with a private key onto your system. This cert is called "DSDTestProvider".

Päivi and Santeri Kannisto said...

You can avoid troubles if you format your Dell and re-install it using the drivers provided by original equipment manufacturers. Some drivers what you can't find, you can strip out from DUPs using 7zip (Open Inside) and avoid Dell's script. This way we managed to make our Dell Vostro 14 5000 Series laptop safe and secure with absolutely no ties to Dell.

Raymond said...

I have an Inspiron as well. I don't use it any more because of some problems it developed over time. However, I am loyal to the brand and currently use another Dell. Maybe I should check that out, or is it only a problem on the Inspiron? That sounds really strange to me. Dell does such a good job with ensuring that customers have a good service.

Raymond @ CKS Global Solutions LTD