On Monday, Ars Technica reported that Dell has been shipping computers with self-signed certificates (files that usually assure web users the site they are browsing is legitimate), making it easy for even moderately skilled hackers to hijack encrypted browsing sessions. Now a researcher has found that if a website is configured in a certain way, an attacker can use it to extract a device-identifying code from a Dell laptop.
This code could be useful information for carrying out tech support scams. Typically, these scams involve a crook contacting a victim and pretending to be from well-known tech companies, all in an effort to gain control of the target's computer.
The researcher who discovered the problem, known as slipstream/RoL, has set up a website where Dell users can check if they're vulnerable. The site pulls a Dell user's "service tag," a 7-character code located on the bottom of the laptop, by taking advantage of the software that sets up the rogue certificate.
That software, the Dell Foundation Services application, "sets up an HTTP API listening on all interfaces," slipstream/RoL told Motherboard in an online chat. With this, slipstream/RoL's site calls back to the API running on a user's computer. An attacker could grab and store the user's service tag. Aside from the laptop's code, the problem "lets an attacker see the warranty dates and when the product got shipped," slipstream/RoL added.
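To make the mechanism concrete from the defender's side, here is an added example that is not Dell's code and not part of the original article: a small local HTTP API of the kind described, in a weak configuration (bound to all interfaces, answering any web page with CORS opened to `*`) beside a hardened one (bound to loopback, refusing requests whose browser `Origin` it does not recognise). The endpoint path `/api/serviceTag`, the placeholder tag value and the origin names are constructed for the illustration; the real Dell Foundation Services API and the way the researcher's site reaches it are not reproduced here.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder: a real service tag would be read from the machine.
SERVICE_TAG = "EXAMPLE"

# Browser origins permitted to read the API. For an agent that only local
# vendor software should talk to, the right set is empty.
ALLOWED_ORIGINS = frozenset()


def is_browser_request_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Decide whether a request may be served based on its Origin header.

    Browsers attach Origin to cross-site requests, so an Origin the service
    does not recognise means some web page the user visited is probing the
    local API. Requests with no Origin header come from non-browser clients
    (the vendor's own desktop agent, curl) and pass this check.
    """
    if origin is None:
        return True
    return origin in allowed


def api_response(origin, hardened=True, allowed=ALLOWED_ORIGINS):
    """Build (status, headers, body) for GET /api/serviceTag (constructed path).

    hardened=False reproduces the weak pattern: every caller, including any
    web page, is answered and CORS is opened to '*' so the browser hands the
    body to the page's script. hardened=True refuses unknown origins and only
    ever echoes back an origin it has vetted.
    """
    if hardened and not is_browser_request_allowed(origin, allowed):
        return 403, {"Content-Type": "application/json"}, b'{"error": "forbidden"}'
    headers = {"Content-Type": "application/json", "Vary": "Origin"}
    if hardened:
        if origin is not None:
            headers["Access-Control-Allow-Origin"] = origin
    else:
        headers["Access-Control-Allow-Origin"] = "*"
    body = json.dumps({"serviceTag": SERVICE_TAG}).encode()
    return 200, headers, body


class ServiceTagHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper; all policy lives in api_response()."""

    def do_GET(self):
        if self.path != "/api/serviceTag":
            self.send_error(404)
            return
        status, headers, body = api_response(
            self.headers.get("Origin"), hardened=self.server.hardened)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def bind_address(hardened):
    """Loopback only when hardened; 0.0.0.0 ('all interfaces') otherwise."""
    return "127.0.0.1" if hardened else "0.0.0.0"


def make_server(hardened=True, port=0):
    """Create (but do not start) the server; port 0 lets the OS pick one."""
    server = HTTPServer((bind_address(hardened), port), ServiceTagHandler)
    server.hardened = hardened
    return server


if __name__ == "__main__":
    srv = make_server(hardened=True, port=8080)
    print("serving hardened API on", srv.server_address)
    srv.serve_forever()
```

Note that binding to loopback is necessary but not sufficient: a web page open in the user's browser runs on the same host and can still reach `127.0.0.1`, so the `Origin` check (or a per-install secret the page cannot know) is what actually stops a site from reading the tag. Binding to all interfaces additionally exposes the API to other machines on the network.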
Erik Loman from cybersecurity company SurfRight confirmed for Motherboard that the website could extract a Dell service tag.
This issue certainly isn't as problematic as the rogue certificate reported by Ars Technica. Armed with that, just about any hacker could spoof HTTPS-protected websites without triggering any alarm bells in a Dell user's browser, as long as the browser wasn't Firefox. Dell has released a tool to remove the certificate.
But extracting service tags could still cause headaches for Dell users. Mikko Hypponen, CRO at cybersecurity company F-Secure, told Motherboard in a Twitter direct message that an attacker could take a Dell computer code and then use that information while pretending to be a Dell support technician.
"It's OK, you can trust me," Hypponen imagined an attacker might say to a victim. "I will confirm my identity by reading out your tag. Check the bottom of your computer to confirm." After convincing the victim they were from Dell, the scammer would then trick the target into booting up a remote access program, where they could then take control of the computer.
"It would work," Hypponen said, but added that "I don't think leaking the service tag is end of the world."
It's not clear how many laptops are affected by this issue, but the rogue certificate problem has been found on several different Dell models. Sally Moore, a Dell spokesperson, didn't answer questions about the extraction of service tags, but wrote in an email "Customer security and privacy is a top concern and priority for Dell."