Lenovo’s Superfish scandal earlier this year was arguably the worst security flaw since the Sony rootkit debacle of ten years ago. Multiple IdeaPad product lines were shipped with a self-signed HTTPS certificate that could be used to spoof the secure connection that using HTTPS is supposed to guarantee. In simple terms: Laptops with Superfish installed couldn’t actually verify if the banking sites or e-commerce destinations they connected to were actually the sites they claimed to be. There was no simple way to remove the software, and users were forced to jump through multiple hoops to resecure a system. Now, Dell appears to have done something similar, though the investigation is still ongoing.

 


 

According to programmer Joe Nord, Dell is shipping a self-signed certificate called eDellRoot. It expires in 2039 and is intended to be used for “All” purposes. Further poking revealed that the user has a private key that corresponds to the certificate, as shown below:

 

certgeneral-1.png

 

This is a serious problem. For public-key cryptography to work, there must be two keys — a public key and a private key. The public key is used to encrypt messages transmitted to the server, while the private key is used by the server to decrypt those messages. The entire concept of public-key cryptography relies on the private key remaining private. Because it’s computationally impractical to derive the private key from analyzing public keys, public keys can be distributed everywhere, while the private keys used to decrypt the information remain under lock and key.

Shipping a computer with a private key already installed means that the key can be extracted and used to sign fraudulent websites. Dell computers with the eDellRoot certificate installed will not recognize that these websites are fraudulent, because the key that they rely on to do so has told the system that they aren’t.

What’s missing from this picture is any sense of why the eDellRoot key is installed on Dell laptops in the first place. In Lenovo’s case, it compromised user security and broke the entire HTTPS model to ship a lousy bit of adware that supposedly enabled “Visual search.” Lenovo later claimed that the revenue it earned from Superfish was tiny, which made sense, but didn’t explain why the company had broken HTTPS security in order to earn a trifling bit of cash.

Dell’s eDellRoot certificate doesn’t seem tied to any specific service or capability. It’s not linked to malware or customer complaints the way Superfish was, and it’s not clear how many systems have shipped with the certificate installed. So far, we’ve seen reports that at least some Inspiron 5000 models are affected. These are Windows 10 machines shipping nine months after Superfish.

The world of OEM systems is cutthroat, with thin margins and aggressive product positioning, but this isn’t exactly a feature anyone asked Dell to copy from Lenovo. It’s not clear yet how large the problem is, but testing has shown that systems with the eDellRoot certificate installed will establish connections to clearly fraudulent sites.

Wondering if your own Dell machine has this problem? This test site is designed to test if your system has eDellRoot installed — if your Dell connects to the link without error when using IE or Chrome, you’ve got an eDellRoot problem. According to Ars Technica, Firefox still reports that the site has certificate issues. Researchers have also apparently told Ars that this certificate can be used to sign applications, bypassing malware checks.

We’ve reached out to Dell, who provided the following statement:

Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information.
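The local check the article describes (a trusted root named eDellRoot whose private key sits on the machine) can be run directly against the Windows certificate stores. This is an added example, not code from the article, Dell or Joe Nord; it generalizes to any trusted root that carries a private key, and the function name `Get-RootCertFinding` and the watch list are assumptions made for illustration.

```powershell
# Added example: list trusted roots that carry a private key or match a
# watched name. 'eDellRoot' is the certificate name given in the article.
$WatchNames = @('eDellRoot')
$Stores     = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-RootCertFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Store,
        [string[]]$Names = @()
    )
    $reasons = @()
    # A trusted root whose private key is on the endpoint lets anyone who
    # extracts that key sign certificates this machine will accept.
    if ($Cert.HasPrivateKey) { $reasons += 'private key present' }
    foreach ($n in $Names) {
        if ($Cert.Subject -like "*$n*") { $reasons += "subject matches '$n'" }
    }
    if ($reasons.Count -eq 0) { return }

    # No EKU extension means the certificate itself does not restrict its purposes.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    [pscustomobject]@{
        Store         = $Store
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
        HasPrivateKey = $Cert.HasPrivateKey
        EkuRestricted = [bool]$eku
        Reasons       = $reasons -join '; '
    }
}

$findings = foreach ($store in $Stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        Get-RootCertFinding -Cert $_ -Store $store -Names $WatchNames
    }
}

if ($findings) { $findings | Format-List }
else { Write-Output 'No trusted root with a private key or watched name found.' }
```

A clean factory image should normally report nothing: root CA private keys belong with the issuing authority, not in an endpoint's trust store.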

 

 

HP, Hewlett Packard Enterprise Go Separate Ways
By David Jones • E-Commerce Times • ECT News Network
Nov 2, 2015 4:55 PM PT

The long-awaited split of HP's personal computer and enterprise operations has taken place, and CEO Meg Whitman, who oversaw the transition of the massive, listing ship, clearly faces the most challenging crisis of her career -- trying to save a legacy business from being buried by the sands of time and progress.

HP, which struggled for more than 15 years to compete in a modern age of mobile computing and cloud services, on Monday began its first official business day as a house divided into two brand new US$50 billion enterprises.

Whitman is now president and chief executive of Hewlett Packard Enterprise, which offers cloud services and data center infrastructure to the HP corporate customer base.

Despite having served just three years at HP, Dion Weisler, who was executive vice president of the company's printer and personal systems unit, has been named chief executive of the new HP, which will focus on those core businesses.

The split is another symbol of the company's failure to adapt to the rapid changes taking place in the increasingly cloud- and mobile-dominated technology industry, suggested Rob Enderle, principal analyst of the Enderle Group.

The failure to react to those changes resulted in a disastrous series of failed acquisitions, only to be followed by a rescue deal involving a new dance partner that failed to materialize, he told the E-Commerce Times.

"They were trying to package the company to be bought by EMC," Enderle said. "They instead opened the door for Dell to buy EMC, creating perhaps the biggest failure since Meg Whitman took over HP. In terms of catastrophic outcomes, this overshadows even the Palm and Autonomy moves."

New Opportunities

The move will streamline management of HP's printer and personal computer business and help it adjust to the rapid changes taking place in the personal computing space, observed Ryan Reith, program director of mobile device trackers at IDC. However, HP may have acted too late.

"I think this will certainly help the company become more nimble and [give it] flexibility to pivot as needed," he told the E-Commerce Times. "The challenge is that a lot of the HP business has needed to move -- mainly into mobile -- a few years back. So despite these efforts, they are still playing catch-up in some aspects of today's computing world."

Shifting its personal computer business away from standalone desktops and laptops and toward detachable tablets and 2-in-1 hybrid models is a good strategy, Reith noted.

"They will continue to do battle with the same guys [as] in the PC space -- including Dell, Lenovo and Apple," he said.

However, "with Microsoft seeming to double down on its hardware investment with the updates to Surface and now Surface Book, if I were a PC OEM, I would be questioning what the longer-term strategy is," added Reith.

The enterprise business strategy will allow the company to provide customized solutions for its various business partners, Whitman said at an analysts' meeting last month.

"We all live in a hybrid world with applications across a blend of public and private cloud, as well as traditional IT, and that's why infrastructure isn't one size fits all anymore," she remarked. "It isn't just in the data center. It isn't just in the cloud. Infrastructure has to be everywhere at the right cost, with the right management at the right scale."

 

Transition Period

Both Hewlett Packard Enterprise and HP will have to go through a period of difficulty as each new company works to position itself to compete in a new competitive environment.

At the end of the day, a streamlined pair of HP companies will have better resources to face challenges head on, said Jeff Kaplan, managing director of THINKstrategies.

"Both companies are going to face organizational issues, including restructuring their operations and reorienting their go-to-market strategies and tactics," he told the E-Commerce Times.

"Until they resolve these internal challenges, they will lose momentum in the marketplace," Kaplan cautioned. "Their ability to overcome these challenges will determine if they are able to resurrect their competitive positions in their respective market segments and preserve Meg Whitman's legacy as a bold leader."
