
Root Certificate Shipped With Dell PCs Poses Serious Risk

For the past several months, Dell has been shipping new desktop and laptop computers with a preloaded self-signed root certificate which, according to experts, poses serious security and privacy risks.

The root certificate, named eDellRoot, is installed into the system store by an application called Dell Foundation Services. Dell has been shipping the certificate since August to allow online support staff to quickly identify the computer model when providing service to customers.

However, since the root certificate also includes a private key that can be easily obtained, a man-in-the-middle (MitM) attacker could create rogue certificates that would help them break HTTPS browsing and intercept users’ communications. This type of access can be used to steal sensitive information and even serve malware to the victim.

“If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications. I suggest ‘international first class’, because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking,” said Errata Security’s Robert Graham. “I point this out in order to describe the severity of Dell’s mistake. It’s not a simple bug that needs to be fixed, it’s a drop-everything and panic sort of bug. Dell needs to panic. Dell’s corporate customers need to panic.”

It’s worth pointing out that attacks are only possible against Chrome, Internet Explorer and Microsoft Edge; Firefox is not affected as it has its own certificate store. German security expert Hanno Böck, who along with Joe Nord and Kevin Hicks (rotorcowboy) has been credited by Dell for reporting the issue, has created an online tool that helps users check if they have the eDellRoot certificate installed.
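For administrators who want to check their own fleet rather than rely on the online tool, the following PowerShell script (an added example, not Dell's tooling or Böck's checker) enumerates the Windows root stores that Chrome, Internet Explorer and Edge consult and reports any eDellRoot certificate it finds.

```powershell
# Added example: look for the eDellRoot certificate in the Windows root stores.
# Both the machine-wide and the per-user root store are checked, because a
# root trusted in either one is enough for the affected browsers to accept
# a rogue certificate signed with the leaked key.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'eDellRoot' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)
                # HasPrivateKey only says whether the key sits in this store;
                # the certificate is a MitM risk even when it reports False,
                # because the key can be obtained from any affected machine.
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Non-zero exit so an inventory or compliance job can flag this host
    # for removal following Dell's published instructions.
    exit 1
}
else {
    'No eDellRoot certificate found in the root stores.'
    exit 0
}
```

Run it in an elevated PowerShell session so that the LocalMachine store is readable; a non-zero exit code means the host still trusts the certificate.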

Cloud-based access security provider Duo Security has discovered eDellRoot certificates with identical keys on two dozen IP addresses from across the world, including one associated with a SCADA system.

Dell has pointed out that the certificate is not malware or adware, and it has not been used to collect personal customer information. The company has provided instructions for permanently removing the certificate from a system.

“We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” Dell said.

Superfish 2.0

The use of the eDellRoot certificates has led to Dell being compared to Lenovo, which was found earlier this year to ship PCs with a browser add-on developed by visual search company Superfish. The application, designed to help users find deals and compare prices, has been classified as adware because it injects third-party ads into the websites visited by the user.

The problem with the Superfish adware was that it relied on a self-signed root certificate that, just like eDellRoot, could have been used for MitM attacks against HTTPS connections.

While Dell has rushed to clarify that it hasn’t installed malware or adware on its devices, Errata’s Robert Graham has pointed out that the main issue with Superfish was the existence of the private key that could be easily extracted. “In this respect, Dell’s error is exactly as bad as the Superfish error,” Graham said.

Ironically, Dell uses the Superfish incident to advertise its own laptops, claiming that the small number of pre-loaded applications undergo security and privacy testing.

Dell uses Superfish to advertise privacy

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.