First of all read up on the details over at Krebs On Security. He has a pretty good explanation as to what Dell did as well as additional reference sites on the matter. The Reddit discussion in the reference section has some good technical details. But what does all this mean to the regular folks out there who buy their Dell laptops and like to enjoy their drink while using the free wi-fi at the local coffee shop?
So you are in the coffee shop sipping your latte, and you decide it's time to update your social networks on how great the latte is, or to post a picture of the foam design on Instagram. So you go ahead, log in, and do your thing. What you didn't notice is that your login never went straight to Instagram: it went to an impostor that presented itself as Instagram, captured your credentials, and passed the rest of the session along so that everything still worked.
“What’s that you say??? Everything was green, I am safe! Right?”
What you didn’t see was the gal (we will call her Eve) on the other side of the coffee shop intercepting all the wireless traffic on the network and then relaying it to the legitimate destinations.
“How come I didn’t see that?”
Eve used the Dell root certificate to tell your computer that it was connecting to a trusted source, so as far as the computer and browser were concerned you were in safe waters. The problem is the kind of certificate this is. It is a root certificate authority (CA) certificate, and Dell shipped its private key along with it, on every affected laptop. Whoever holds that key can sign new certificates for any name they like: fake Facebook, fake Google, fake Instagram. Your new Dell laptop already trusts the root that signed them, so the forged chain validates without a single warning. Eve does not even need to touch your machine: she puts the same key on her proxy server, and any Dell computer with that root in its trust store accepts her certificates and moves on. This catches every program that takes its trust decisions from the Windows certificate store, which includes Internet Explorer, Edge and Chrome; Firefox keeps its own list of roots and would have thrown a warning instead. The only way to spot the forgery is to open the certificate details and notice that the certificate for Instagram was issued by Dell's root rather than by a public CA. But who really takes the time to do that every time they log into a site they use daily? We expect a certain level of trust, and TLS certificates are supposed to establish that trust relationship.
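To make that mechanism concrete, here is an added shell example (not code from the original post, and not anything Dell shipped) that uses the openssl command line to play both sides. It creates a self-signed root CA and keeps its private key next to the certificate, the way the shipped root did; forges a certificate for instagram.com with that key, the way Eve would; and then verifies the forged certificate against two trust stores, one that contains the vendor root and one that contains only an unrelated CA. The names ExampleVendorRoot and SomePublicCA, the scratch directory and the file layout are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a vendor root CA whose private
# key ships next to its certificate, a certificate for instagram.com forged
# with that key, and the verification result on a machine that trusts the
# root versus one that does not. ExampleVendorRoot and SomePublicCA are
# made-up names, not the real root's name.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Minimal OpenSSL config, so the example does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Build a self-signed root CA. This writes the certificate AND the private key
# side by side, which is exactly the combination that should never leave the issuer.
make_root() {
    name="$1"
    write_cnf
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# Eve's step: with the leaked root key, issue a certificate for any hostname.
# Nothing exotic is needed; it is an ordinary CSR signed by the root.
forge_leaf() {
    root="$1"; host="$2"
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 7 -in "$WORK/leaf.csr" \
        -CA "$WORK/$root.pem" -CAkey "$WORK/$root.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# What the victim's TLS client does: chain the presented leaf back to something
# in its trust store and check the name. The trust store is the only thing that
# differs between a laptop with the vendor root installed and a clean one.
verify_leaf() {
    trusted_root="$1"; host="$2"
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$trusted_root.pem" \
        -verify_hostname "$host" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The manual check from the text: who issued the certificate you were shown?
# A forged leaf names the vendor root here instead of a public CA.
leaf_issuer() {
    openssl x509 -in "$WORK/leaf.pem" -noout -issuer | sed 's/^issuer=//'
}

# Why shipping the key is the whole problem: any key file whose public half
# matches the root certificate can issue in the root's name.
key_matches_root() {
    root="$1"; keyfile="$2"
    a=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null | openssl dgst -sha256)
    b=$(openssl x509 -in "$WORK/$root.pem" -pubkey -noout | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# Stand-alone demo.
make_root ExampleVendorRoot            # the root shipped on the laptop, key included
make_root SomePublicCA                 # stand-in for a genuinely public CA
forge_leaf ExampleVendorRoot instagram.com
printf 'issuer of the forged Instagram certificate: %s\n' "$(leaf_issuer)"
if verify_leaf ExampleVendorRoot instagram.com; then
    echo "laptop that trusts the vendor root: forged certificate ACCEPTED"
fi
if ! verify_leaf SomePublicCA instagram.com; then
    echo "machine without the vendor root: forged certificate rejected"
fi
```

Run it with sh. `verify_leaf` succeeds against the trust store that contains ExampleVendorRoot and fails against the one that does not, and `leaf_issuer` is the detail the text says you would have to go and look at in the browser's certificate viewer: the forged leaf names the vendor root as its issuer, where the real Instagram certificate names a public CA. The hostname check still applies (the leaf forged for instagram.com is rejected for any other name), which is why Eve has to forge one certificate per site she wants to impersonate.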
“So how does one protect themselves from such things???”
Well, for one, try to avoid open public WiFi. But we are a society on the move, and that is easier said than done. You can do your best to avoid it by using a personal hotspot through your mobile phone, but that only works if you have a decent mobile signal. Other things you can do are to practice some OpSec, be aware of your surroundings, and use a virtual private network service: with the VPN up, Eve in the coffee shop only sees an encrypted tunnel and never gets to present her certificate (provided the VPN client validates its own server against a certificate it brought with it rather than against the Windows trust store, since otherwise Eve could forge that one too). Bear in mind that a VPN is a workaround, not a fix; the root stays trusted on the laptop, and the real fix is to delete it from the trusted root store together with the component that keeps putting it back. If you are using your work laptop/tablet, a VPN should already be something you use regularly. If this IS a work device, then it should already be running a standard corporate image, and this particular situation would not apply (but it is still possible to fall victim to such attacks). If you are a small business user, then you may not have a clean install of Windows on your Dell laptop, so the VPN option is still your best bet, along with staying off free WiFi hotspots. Now might be a good time to hire that consultant to help you with your IT needs!
Hopefully these incidents serve as warnings to other manufacturers to check their products more carefully. There really is no good reason to do what Dell did: they could easily have used a certificate from a publicly trusted CA for these services, with the private key kept on Dell's side, and avoided this whole mess. People are comparing this to Lenovo's Superfish incident, and the two do share the core problem, a trusted root certificate whose private key is the same on every machine; in Dell's case it came with a DLL that keeps reinstalling the certificate. The difference is what came with it. Lenovo's Superfish installed software that actually intercepted traffic on the laptop itself and sent the intercepted data to third parties, so it took Eve out of the equation entirely. The Dell vulnerability requires more legwork from the attacker's side than the Lenovo incident did: someone has to be on your network, presenting forged certificates.
So when you get that new laptop, you may want to make sure you order install media; usually the OS comes on separate media and you can just reinstall from there. Make sure it is plain Windows media and not the vendor's recovery image, since a recovery image puts the same bundled software, certificate included, right back. Macs aren't a bad idea either; you can always avoid the Windows market altogether. It is tough, since PCs tend to cost much less than Macs. But there really is no silver bullet here. It comes down to manufacturers improving their internal review processes, and the only way that will happen is if customers demand a better product.