
Dell computers bundled with backdoor that blurts hardware fingerprint to websites

How it works

By Shaun Nichols in San Francisco


Analysis: Dell ships Windows computers with software that lets websites slurp up the machine's exact specifications, warranty status, and other details without the user knowing.

This information can be used to build a fingerprint that potentially identifies a person while she browses across the web. It can be abused by phishers and scammers, who can quote the information to trick victims into thinking they're talking to a legit Dell employee. And, well, it's just plain rude.

A website created by a bloke called Slipstream – previously in these pages for exposing security holes in UK school IT software – shows exactly how it can work.

This proof-of-concept code exploits a weakness in the design of Dell's support software to access the computer's seven-character service tag – an identifier that Dell's support website uses to look up information on the machine, including the model number, installed components, and warranty data.

Visit Slip's page above to see it in action – assuming you have a Dell running Dell Foundation Services. Be warned, though, it does play some fun chiptune music, so mute your speakers if you're still at work.

Slipstream says his website does not exploit the eDellRoot root CA certificate that turned up in new models of Dell laptops and PCs, but rather the Dell Foundation Services software that uses the dodgy cert.

As documented by Duo Security, Dell Foundation Services starts up a web server on TCP port 7779 that accepts requests for the service tag.

All a website has to do is, in JavaScript, request this URL:

http://localhost:7779/Dell%20Foundation%20Services/eDell/IeDellCapabilitiesApi/REST/ServiceTag

and the foundation services returns exactly that – the service tag. No authentication required. This serial code can then be fed into Dell's support site to look up information about the machine.
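A local check for the exposure described above, added here as an example and not code from Slipstream, Duo Security or Dell: it requests the same URL on the machine's own loopback interface and reports whether a service-tag-like value comes back, without printing the value. It assumes the tag appears in the response body as a seven-character alphanumeric token; the function name and result labels are made up for this example.

```python
import http.client
import re
import urllib.error
import urllib.request

# Port and path as given in the article. The check only ever talks to loopback.
DFS_PORT = 7779
DFS_PATH = ("/Dell%20Foundation%20Services/eDell/"
            "IeDellCapabilitiesApi/REST/ServiceTag")
# Assumption: the tag is a stand-alone seven-character alphanumeric token.
TAG_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{7}(?![A-Za-z0-9])")


def check_service_tag_exposure(port=DFS_PORT, timeout=3.0):
    """Return 'not_listening', 'no_tag' or 'exposed' for this machine."""
    url = f"http://127.0.0.1:{port}{DFS_PATH}"
    # Ignore any configured proxy so the request really goes to loopback.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return "no_tag"         # an HTTP server answered, but with an error
    except http.client.HTTPException:
        return "no_tag"         # something is listening, but it is not HTTP
    except (urllib.error.URLError, OSError):
        return "not_listening"  # connection refused or timed out
    # A 200 response carrying a tag-shaped token means any web page the
    # user visits could have read the same value.
    return "exposed" if TAG_RE.search(body) else "no_tag"


if __name__ == "__main__":
    result = check_service_tag_exposure()
    print(f"127.0.0.1:{DFS_PORT} service tag endpoint: {result}")
    # Non-zero exit status lets a fleet-management script flag the host.
    raise SystemExit(1 if result == "exposed" else 0)
```

A result of `exposed` means the unauthenticated endpoint is answering on that machine; `no_tag` means something is listening on the port but did not return a tag-shaped value.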

The Register has tested the proof-of-concept site and verified that it does indeed pull up the service code on an Inspiron 15 series laptop bought in July. Slipstream also confirmed to The Reg that his script works even when the vulnerable root CA cert is removed by Dell's prescribed methods.

Aside from the possibility that a scammer could use the support number to gain user trust for a phony tech support call or other security con job, the proof-of-concept demonstrates just how deeply a third party can probe into a user's system by exploiting Dell's now-notorious support tools.

Dell was thrust into the spotlight yesterday when researchers first broke word of eDellRoot, a rogue certificate authority quietly installed on Windows machines that can be exploited by man-in-the-middle attackers to decrypt people's encrypted web traffic.

The Texas PC-slinger said the issue was merely a mishap related to its user support tools. Dell bristled at suggestions the flaw should be considered malware or adware, but nonetheless it has provided users with a removal tool.

The American biz has also pushed a software update that will automatically remove the vulnerable root CA cert from its machines. ®
