Dell Promised Security … Then Delivered a Huge Security Hole
As part of the promotion of its flagship XPS 15, Dell touts the laptop’s security. “Worried about Superfish?” the product page asks, invoking a now-infamous Lenovo lapse from earlier this year. “Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience … reduced privacy and security concerns.”
That messaging remains, even after Dell has experienced a security lapse of its own—one remarkably similar to Superfish. It might as well stay up, if only as a reminder that security is far easier to promise than it is to achieve.
If you own a Dell, read Dell's removal instructions (PDF) before you read any further. That's where you'll find detailed directions on how to fix your PC's vulnerability. You have three options: download a patch, fix it manually, or wait for a software update that Dell pushed out today to fix it for you. Dell tells WIRED that the latter could take about a week to reach all affected models, and the manual method takes a little know-how and a lot of clicking, so your best bet is likely the patch.
Now, then! What exactly is it you were patching? A root certificate problem, as first noticed by programmer Joe Nord. It turns out that any commercial or consumer Dell PC that received a software update that began rolling out on August 15 has been saddled with something called eDellRoot, a self-signed root certificate pre-installed in the Windows trusted root store together with its private key. Because that private key ships on every affected machine, anyone who extracts it once can sign certificates that every affected Dell will trust.
“The same private key was found on multiple machines, meaning that anybody who has access to it can now use it to impersonate the certificate holder [i.e. the PC owner],” explains Jérôme Segura, senior security researcher at Malwarebytes. “It made matters worse that the password for that key was easily crackable.”
The result is that SSL, which secures communication between your browser and the servers that power your favorite websites, can be silently defeated: with the eDellRoot key, an attacker can issue a certificate for any domain, and an affected PC will accept it without a warning. “A poorly set up root certificate can give an attacker a huge advantage by seriously undermining all of a user’s private communications,” says Segura. “Emails, instant messages, passwords, and other sensitive data that would normally flow via SSL could be intercepted or manipulated without the victim’s knowledge via an attack known as man-in-the-middle,” so-called because the hacker sits between you and your myriad internet destinations, collecting any information that passes through.
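As an added example (this is not from the article and not Dell's own tool), the following PowerShell check looks for the certificate described above in a Windows PC's machine-wide trusted root store and reports whether a private key is attached, which is the condition that makes the machine vulnerable. It matches on the subject name eDellRoot only; the thumbprint is deliberately not hard-coded, since the article does not state it. Run it from an elevated prompt; the -Remove switch is an assumption of this script, not a Dell option.

```powershell
# Added example, not Dell's code: find the eDellRoot root certificate and check for a private key.
param(
    [switch]$Remove
)

# Certificates trusted as roots by every user and program on the machine live here.
$rootStore = 'Cert:\LocalMachine\Root'

# Match on the subject name given in the article.
$suspects = Get-ChildItem -Path $rootStore |
    Where-Object { $_.Subject -like '*CN=eDellRoot*' }

if (-not $suspects) {
    Write-Output "No eDellRoot certificate found in $rootStore."
    return
}

foreach ($cert in $suspects) {
    $basicConstraints = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = if ($basicConstraints) { $basicConstraints.CertificateAuthority } else { 'unknown' }

    Write-Output ("Found: {0}" -f $cert.Subject)
    Write-Output ("  Thumbprint  : {0}" -f $cert.Thumbprint)
    Write-Output ("  Valid until : {0}" -f $cert.NotAfter)
    Write-Output ("  Is a CA     : {0}" -f $isCa)
    # A root certificate by itself is harmless; the private key sitting beside it is the problem.
    $keyState = if ($cert.HasPrivateKey) { 'PRESENT - this PC is vulnerable' } else { 'absent' }
    Write-Output ("  Private key : {0}" -f $keyState)

    if ($Remove) {
        # The certificate provider supports Remove-Item; -DeleteKey also removes the key container.
        Remove-Item -Path (Join-Path $rootStore $cert.Thumbprint) -DeleteKey
        Write-Output "  Removed."
    }
}
```

Deleting the certificate is the minimum; follow Dell's instructions for the rest, because the support component that installed the certificate is what needs to go for the fix to stick.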
The comparisons to Lenovo’s security issue are apt, but not quite congruous. An SSL vulnerability is the core problem in both cases, but in Lenovo’s case the offending party was Superfish, pre-installed adware that turned out to be toxic bloat. Dell’s intentions appear to have been at least modestly more noble.
“The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers,” writes Dell spokesperson Laura Thomas. “This certificate is not being used to collect personal customer information.”
That may be cold comfort to those affected. And while it may make this current issue less gross than Superfish, it’s no less serious a lapse.
“Sometimes good intentions, such as easier access to customers’ machines to reduce response time, can have dire consequences if the means to implement them require certain security and privacy tweaks,” says Segura.
A Tough Promise to Keep
In fact, those good intentions are what make the Dell example so instructive. If even a company that advertises itself as tough on security can slip this badly, how confident can we be in any of our gadgets?
“This plays to the narrative that PCs could be less safe than other devices, but the reality is that any smartphone or tablet company could have made the same mistake,” says Patrick Moorhead, president and founder of Moor Insights & Strategies. “There are no 100-percent-guaranteed safe electronic platforms, be it PC, tablet, smartphone, phone console, smartwatch, or car.”
Indeed, even the original Blackphone, a device whose very existence was predicated on impenetrable security, was felled earlier this year by a bug that allowed hackers to decrypt messages and more. And over the last two months, Google has publicly shamed Symantec, the world’s largest cybersecurity company, over a bevy of misissued security certificates.
As customers become more aware of the importance of security and privacy in their own lives, companies are more inclined to market it, whether they’re Blackphone or Apple (which had its own critical SSL failure revealed last year) or Dell. There is some demonstrable good in that. “I’m glad vendors talk about the degree of their security,” says Moorhead, “because it puts everyone at the company on notice that they need to be vigilant about it.”
The flip side, though, is that these companies may be advertising something that’s increasingly difficult to deliver. One day, Dell’s calling out Superfish and trumpeting its own methods. The next, its spokesperson is sending out a statement that “We are taking steps to actively address this issue including re-evaluating our processes companywide to ensure we’re providing the utmost security to our customers.”
It’s frustrating that Dell thought it had already taken those steps. It’s unsettling not knowing how many other companies wrongly think that they have as well.