Yesterday, Dell was advising customers not to try to uninstall the bogus root certificate it had snuck onto their Windows machines, a certificate that would allow attackers to undetectably impersonate their work intranets, bank sites, or Google mail. Today, Dell apologized and offered an uninstaller -- even as we've learned that at least one SCADA controller was compromised by the bad cert, and that Dell has snuck even more bogus certs onto some of its machines.
Cryptographic certificates tell your computer whose "signatures" can be trusted for software updates, website connections and more. Normally, your computer comes preinstalled with certs from accredited "certificate authorities" (CAs) who are contractually bound to strict security and compliance procedures. Earlier this year, Lenovo snuck a bogus root cert onto its machines so that a spyware company called Snapfish could insert advertisements into its customers' web sessions.
Dell's use of bogus certs does not appear to be related to spyware; rather, the company installed them to make it simpler to offer tech support to Dell customers.
Nevertheless, a bogus Dell cert has turned up on at least one SCADA controller, one of the industrial control systems used in power generation and other industrial applications.
Though Dell has apologized for the bogus cert, thanked the customers who brought it to the company's attention, and offered a permanent uninstaller, it has not come clean. Today, Threatpost disclosed the existence of two suspect certificates found in the wild on Dell machines.
As for the related eDellroot cert, it has a similar name and is also self-signed, but has a different fingerprint, Manzuik said. It too can be abused to snoop on encrypted traffic, but Manzuik said a scan conducted by Duo researchers turned up only 24 machines with the cert installed. One of those, Manzuik said, is a SCADA machine, and Duo is taking steps to inform the owner.
“It’s a machine we don’t own, so we didn’t go any further. But it is a webserver identifying itself as a SCADA machine that’s using the compromised cert,” Manzuik said. “That doesn’t mean the machine is compromised, but if they’re expecting communication from the machine secure, they’re mistaken.”
Dell, meanwhile, said late on Monday that it will remove the eDellroot certificate from all Dell systems going forward. For existing affected customers, it has provided permanent removal instructions and, starting today, will push a software update that checks for the eDellroot cert and removes it.
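An added example of the kind of check Dell's update is described as performing, written for this page and not Dell's own tool or Duo's scanner: it lists any certificate in the Windows trusted root stores whose subject matches a suspect name (eDellRoot by default; the second certificate's name is not given above, so it is left as a parameter), reports whether the private key is present in the store, and deletes matches only when -Remove is passed. It assumes Windows PowerShell with the Certificate provider and an elevated session for the LocalMachine store.

```powershell
# Added example (not Dell's or Duo's code): find self-signed roots with a suspect
# subject in the trusted root stores and report whether a private key sits beside
# them, which is what turns a bad root into a usable impersonation tool.
param(
    # Subject fragments to look for; eDellRoot is the cert discussed above.
    [string[]] $SuspectNames = @('eDellRoot'),
    [switch] $Remove   # delete only when explicitly requested
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
        $cert = $_
        # true if any suspect name appears in the subject
        $SuspectNames | Where-Object { $cert.Subject -like "*$_*" }
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            HasPrivateKey = $_.HasPrivateKey   # key present => cert can sign
            NotAfter      = $_.NotAfter
        }
    }
}

if (-not $findings) {
    Write-Output 'No suspect root certificates found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # -DeleteKey also removes the associated private key, not just the cert.
        Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -DeleteKey -Force
        Write-Output "Removed $($f.Subject) from $($f.Store)"
    }
}
```

Re-run the script after a reboot: a certificate that reappears points to software on the machine that reinstalls it, which the update must also address.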
Additional Self-Signed Certs, Private Keys Found on Dell Machines [Michael Mimoso/Threat Post]
Dell apologizes for HTTPS certificate fiasco, provides removal tool [Dan Goodin/Ars Technica]