After news broke that Dell desktop and laptop computers include a self-signed root certificate that can be exploited for man-in-the-middle (MitM) attacks, experts found a second such certificate, along with a security issue that can be leveraged to track users.
Experts discovered last week that Dell commercial and consumer systems running an application called Dell Foundation Services included a root certificate, eDellRoot, and its private key. An MitM attacker could have exploited this weakness to intercept HTTPS communications and steal sensitive data or serve malware to the victim.
Dell said it had been shipping the root certificate with Dell Foundation Services updates since August. The certificate was used to allow online support staff to identify the computer model when helping customers.
After security experts raised the alarm, Dell provided instructions on how to remove eDellRoot and started pushing out new updates designed to delete the certificate.
The incident reminded many of the Lenovo Superfish adware discovered earlier this year. Ironically, Dell has been using the Superfish story to advertise its laptops, claiming that all preinstalled software undergoes security and privacy testing.
It turns out that there is a second certificate on Dell devices that can be exploited by MitM attackers. According to researchers, Dell System Detect, a support app preloaded on many PCs, installs a root certificate named DSDTestProvider into the Trusted Root Certification Authorities store in Windows.
This certificate also includes the private key, which means malicious actors could generate rogue certificates and use them to impersonate websites, sign software, and decrypt network traffic, CERT/CC said in an advisory. Dell says it’s currently investigating the issue of the DSDTestProvider certificate.
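The practical defender's check for the two certificates named above is to look in the Windows certificate stores for them and, in particular, to confirm whether a private key is stored alongside. The following PowerShell script is an added example, not the article's own content and not Dell's removal instructions; it matches on the Subject names eDellRoot and DSDTestProvider given in the text, the optional `-Remove` switch is an assumption of this example, and deletion requires an elevated session.

```powershell
# Added example (not from the article): audit the Windows certificate stores for the
# two Dell root certificates named in the text and report whether a private key is
# present next to each one. Run in an elevated PowerShell session to allow removal.
param(
    [switch]$Remove   # hypothetical switch: report only unless explicitly set
)

# Certificate names taken from the article; matched against the Subject field.
$suspectNames = @('eDellRoot', 'DSDTestProvider')

# Walk every store for both LocalMachine and CurrentUser (Root, CA, My, ...).
$found = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -eq $false } |
    Where-Object {
        $subject = $_.Subject
        $suspectNames | Where-Object { $subject -match "CN=$_" }
    }

if (-not $found) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates present.'
    return
}

foreach ($cert in $found) {
    # A trusted root installed together with its private key is the dangerous case:
    # whoever holds that key can issue certificates this machine will accept.
    [pscustomobject]@{
        Store         = $cert.PSParentPath -replace '^.*::', ''
        Subject       = $cert.Subject
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey = $cert.HasPrivateKey
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
    } | Format-List

    if ($Remove) {
        # -DeleteKey also removes the associated private key from the key store.
        Remove-Item -Path $cert.PSPath -DeleteKey -Force
        Write-Output "Removed $($cert.Subject) from $($cert.PSParentPath)"
    }
}
```

Run it without arguments first to see what is installed and in which store; a `SelfSigned` root with `HasPrivateKey` set to `True` is the condition the advisory describes. Because Dell Foundation Services re-created eDellRoot on some systems, re-run the audit after removal and after the vendor's update has been applied.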
This is not the first time experts have found a security issue related to Dell System Detect. Earlier this year, researcher Tom Forbes reported that older versions of the application were vulnerable to remote code execution attacks, which led to Malwarebytes classifying the tool as a potentially unwanted program (PUP).
On Monday, a researcher reported finding another privacy issue related to Dell Foundation Services. The expert, known online as “Slipstream,” discovered that any website can obtain a device’s service tag, which Dell uses to obtain information on a product’s technical specifications and warranty.
A proof-of-concept site set up by Slipstream shows how easily websites can track Dell Foundation Services users. The information obtained from the service tag can be used by malicious actors to trick victims into thinking they are Dell support technicians, F-Secure’s Mikko Hypponen told Motherboard.
Cloud-based access security provider Duo Security has also identified a certificate-related issue. Experts found that an attacker could have obtained a code signing certificate shipped by Dell with its Bluetooth management software. The certificate expired in 2013, but Duo says there was a period of at least 11 days when the certificate could have been abused.