
Root Certificate Shipped With Dell PCs Poses Serious Risk

For the past several months, Dell has been shipping new desktop and laptop computers with a preloaded self-signed root certificate which, according to experts, poses serious security and privacy risks.

The root certificate, named eDellRoot, is installed into the Windows system certificate store (the machine's trusted root store) by an application called Dell Foundation Services. Dell has been shipping the certificate since August 2015 so that online support staff can quickly identify the computer model when providing service to customers.

However, the certificate's private key is installed alongside it, the same key on every affected machine, and it can be easily extracted. Whoever holds that key can sign a certificate for any website, and any browser that trusts eDellRoot will accept such a certificate as genuine. A man-in-the-middle (MitM) attacker on the same network can therefore impersonate any HTTPS site and intercept traffic that users believe is encrypted end to end. This type of access can be used to steal sensitive information and even serve malware to the victim.

“If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications. I suggest ‘international first class’, because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking,” said Errata Security’s Robert Graham. “I point this out in order to describe the severity of Dell’s mistake. It’s not a simple bug that needs to be fixed, it’s a drop-everything and panic sort of bug. Dell needs to panic. Dell’s corporate customers need to panic.”

It’s worth pointing out that attacks are only possible against software that relies on the Windows certificate store, which includes Chrome, Internet Explorer and Microsoft Edge; Firefox is not affected as it uses its own certificate store, which never contained eDellRoot. German security expert Hanno Böck, who along with Joe Nord and Kevin Hicks (rotorcowboy) has been credited by Dell for reporting the issue, has created an online tool that helps users check if they have the eDellRoot certificate installed.

Cloud-based access security provider Duo Security has found eDellRoot certificates with identical keys in use at two dozen IP addresses across the world, including one associated with a SCADA system.

Dell has pointed out that the certificate is not malware or adware, and it has not been used to collect personal customer information. The company has provided instructions for permanently removing the certificate from a system.

“We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” Dell said.


Superfish 2.0

The use of the eDellRoot certificates has led to Dell being compared to Lenovo, which was found earlier this year to ship PCs with a browser add-on developed by visual search company Superfish. The application, designed to help users find deals and compare prices, has been classified as adware because it injects third-party ads into the websites visited by the user.

The problem with the Superfish adware was that it relied on a self-signed root certificate that, just like eDellRoot, could have been used for MitM attacks against HTTPS connections.

While Dell has rushed to clarify that it hasn’t installed malware or adware on its devices, Errata’s Robert Graham has pointed out that the main issue with Superfish was the existence of the private key that could be easily extracted. “In this respect, Dell’s error is exactly as bad as the Superfish error,” Graham said.

Ironically, Dell uses the Superfish incident to advertise its own laptops, claiming that the small number of pre-loaded applications undergo security and privacy testing.

Dell uses Superfish to advertise privacy

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
