Dell pre-installing a default root certificate on new machines is a serious security faux pas, and the PC giant is deep in damage control mode. An eDellRoot removal utility is now available, but what's getting buried in the uproar is the fact that we still don't seem to understand how certificates and public key infrastructure work.
This week, researchers stumbled upon a previously unknown trusted root certificate authority on several Dell computers. Even though eDellRoot was not a valid, publicly trusted CA, the fact that it was pre-installed in the trust store meant the operating system automatically trusted it.
Windows recognizes and trusts 300 CAs, and with this move, Dell was able to add yet another to that list. Because the private key was shipped alongside the public key, anyone could use eDellRoot to spoof certificates and trick users into visiting fraudulent sites. Researchers demonstrated how users with Chrome and Internet Explorer could visit sites with fraudulent bankofamerica.com and google.com certificates and not see any errors.
Dell is "breaking everything that's been built over the past 20 years to create trust and privacy on the Internet by inserting a rogue CA into systems that can impersonate any trusted site," said Kevin Bocek, vice president of security strategy at Venafi.
All this should sound familiar since it is similar to what Lenovo was doing with Superfish earlier this year. In Lenovo's case, Superfish was a third-party product and was used for advertising purposes. But eDellRoot appears to be an internal product designed to streamline customer support.
Online trust relies on the system of certificate authorities and digital certificates. We know websites are legitimate and online messages are from the right sender because we trust the CA to issue certificates to the right persons or entities. Attackers like APT operators, online banking thieves, and other cyber-criminals steal certificates to subvert the trust system. By using Trojans and other malware to monitor private communications or trick users into accessing fake sites, they perform completely transparent and successful man-in-the-middle attacks.
"Compromised certificates are being sold for more than $1,000 on the black market," Bocek said. Man-in-the-middle attacks are becoming an "everyday experience."
The fact that the private key and the public key were shipped together is a basic no-no in encryption. Anyone who can access the machine's encrypted traffic can use the private key to see everything. That private key needs to be protected; otherwise, there's no point in having one.
"There is no reason for the certificate authority to generate a random number [for the key] if it is going to just expose the private key," Bocek said. "Someone did not know what they were doing. It's as simple as that."
With the private key in hand, attackers can craft various malware and phishing attacks against Dell computers. Malware signed with the certificate would be able to bypass anti-malware checks on Dell PCs. In fact, samples of the Conficker virus using Dell's eDellRoot certificate have been spotted on Tor, said David Maciejak, senior researcher for Fortinet's FortiGuard Labs. While this version of Conficker is just a sample and not a full-blown variant observed in the wild, the potential for abuse is now much higher.
No one should ever think it's OK to insert a root certificate into a Windows machine, because doing so circumvents the established checks. Normally, the user sees an error if the certificate on the Web server is invalid, and if code is signed by an unknown CA, the operating system refuses to run the executable.
What Dell did, creating a trusted CA of its own and modifying the Windows OS to accept it, is bad, but that itself isn't the core problem. The problem is that people still don't understand the power of certificates, what they can do, and how to protect them. And this lack of understanding is not limited to just Dell, as developers around the world struggle with the challenge, too, Bocek said.
If Dell wanted to use a certificate for support purposes, it should have followed protocol and gotten a valid certificate from an already existing authority, Bocek said. Anyone can create a CA ("five minutes at the keyboard"), but most people cannot deploy the certificates on a large enough number of devices. Dell pre-installing the certificate on thousands of machines created the large pool of machines currently vulnerable to attack.
Dell has apologized, and there are instructions on how to remove eDellRoot from affected computers. Enterprises should also consider CA certificate whitelisting to remove the bulk of CAs and certificates trusted by the operating system. Most organizations don't need their users to be accessing sites signed by questionable authorities, or those operating in a different geographic location. There may be no business need for a Windows machine in the United States to trust certificates signed in Hong Kong, for example.
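The two checks the article implies, a root store entry that carries its own private key and a root store that trusts more authorities than the business needs, can both be automated. The following PowerShell script is an added example written for this page; it is not Dell's removal utility and not code from the article. It audits the machine-wide trusted root store, flags any root certificate whose private key is present on the machine (the eDellRoot condition), flags the eDellRoot name itself, and, if you supply a list of approved root thumbprints, flags every root outside that allowlist. The thumbprints shown are placeholders, not real values; replace them with a baseline from a known-good build.

```powershell
# Added example, not from the article or from Dell. Run from an elevated
# PowerShell prompt on Windows so the LocalMachine store is readable.

function Get-SuspiciousRootCert {
    param(
        # Store(s) to audit; eDellRoot was pre-installed machine-wide.
        [string[]] $StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Assumption: the organization's approved root CA thumbprints.
        # Leave empty to skip the allowlist check.
        [string[]] $ApprovedThumbprint = @()
    )

    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path)) {
            $findings = @()

            # A root CA certificate on an end-user machine must never carry its
            # private key; that is exactly what made eDellRoot exploitable.
            if ($cert.HasPrivateKey) { $findings += 'PRIVATE KEY PRESENT' }

            # Name match for the certificate discussed in the article.
            if ($cert.Subject -like '*eDellRoot*') { $findings += 'eDellRoot' }

            # Whitelisting: roots the business never needs are candidates for removal.
            if ($ApprovedThumbprint.Count -gt 0 -and
                $ApprovedThumbprint -notcontains $cert.Thumbprint) {
                $findings += 'NOT ON ALLOWLIST'
            }

            if ($findings.Count -gt 0) {
                [PSCustomObject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Findings   = ($findings -join ', ')
                }
            }
        }
    }
}

# Placeholder allowlist (constructed values, not real thumbprints).
$approved = @(
    'PLACEHOLDER_THUMBPRINT_APPROVED_ROOT_1',
    'PLACEHOLDER_THUMBPRINT_APPROVED_ROOT_2'
)

Get-SuspiciousRootCert -ApprovedThumbprint $approved | Format-Table -AutoSize

# Optional remediation once the findings have been reviewed: remove the
# eDellRoot entry from both stores. Dell's own instructions also cover this.
# Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
#     Where-Object { $_.Subject -like '*eDellRoot*' } | Remove-Item
```

The private-key check is the one worth running everywhere, not just on Dell hardware: a legitimate public root never ships with its signing key, so `HasPrivateKey` being true for anything in a Root store is a finding on its own. The allowlist check is where the whitelisting advice above turns into policy; populate it from a clean reference image rather than from the machine you are auditing, or every root that happens to be present will pass.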
This eDellRoot fiasco and the earlier Superfish scandal are just two of many instances of how digital certificates have been abused in recent months. "Online trust is near the breaking point," Bocek said, noting that he expects things to get even worse.
That shouldn't be cause for despair, but rather a sign that big changes are coming. Bocek believes the entire CA system is currently part of a revolution, with the model shifting away from the current static hierarchy to one that is much more fluid and gives enterprises control over which CAs to trust. As more free CAs come online, more organizations will focus on certificate reputation. This is already happening with Venafi's Certificate Reputation and Google's Certificate Transparency efforts.
"We are changing how we view online trust," Bocek said.