Monday, November 23, 2015

Some notes on the eDellRoot key

It was discovered this weekend that new Dell computers, as well as old ones with updates, come with a CA certificate ("eDellRoot") that includes the private key. This means hackers can eavesdrop on the SSL communications of Dell computers. I explain how in this blog post, just replace the "ca.key" with "eDellRoot.key".

If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications. I suggest "international first class", because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.

I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic.

Note that Dell's spinning of this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish. This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error.


Unknown said...

My 4+ year old XPS15z has the DSDTestProvider cert, with private key. I don't know exactly where it came from, but my guess is DSD = Dell System Detect which I did recently update.

This is looking broader than was initially reported.

Lauree Tilton-Weaver said...

I wondered if this was going to be a way that the eDellRoot certificate could be introduced again later.

Unknown said...

Granted i think most large companies re-image oem hardware anyway.