For the past several months, Dell has been shipping new desktop and laptop computers with a preloaded self-signed root certificate which, according to experts, poses serious security and privacy risks.
The root certificate, named eDellRoot, is installed into the system store by an application called Dell Foundation Services. Dell has been shipping the certificate since August to allow online support staff to quickly identify the computer model when providing service to customers.
However, because the private key for the root certificate is shipped along with it and can be easily extracted, a man-in-the-middle (MitM) attacker could sign rogue certificates for any website, which would let them intercept users’ HTTPS connections. This type of access can be used to steal sensitive information and even serve malware to the victim.
“If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications. I suggest ‘international first class’, because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking,” said Errata Security’s Robert Graham. “I point this out in order to describe the severity of Dell’s mistake. It’s not a simple bug that needs to be fixed, it’s a drop-everything and panic sort of bug. Dell needs to panic. Dell’s corporate customers need to panic.”
It’s worth pointing out that attacks are only possible against Chrome, Internet Explorer and Microsoft Edge, which trust the Windows system certificate store; Firefox is not affected because it maintains its own certificate store. German security expert Hanno Böck, who along with Joe Nord and Kevin Hicks (rotorcowboy) has been credited by Dell for reporting the issue, has created an online tool that helps users check if they have the eDellRoot certificate installed.
Cloud-based access security provider Duo Security has discovered eDellRoot certificates with identical keys on two dozen IP addresses from across the world, including one associated with a SCADA system.
Dell has pointed out that the certificate is not malware or adware, and it has not been used to collect personal customer information. The company has provided instructions for permanently removing the certificate from a system.
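For administrators who want a local check rather than an online tool, the following PowerShell script is an added example (it is neither Böck’s tool nor Dell’s removal instructions). It audits the Windows root stores that Chrome, Internet Explorer and Edge rely on for the eDellRoot certificate and, more generally, flags any trusted root whose private key is present on the machine, which is the condition that makes the MitM scenario described above possible; it assumes the certificate subject is “CN=eDellRoot”.

```powershell
# Added example: audit the Windows root certificate stores for eDellRoot and for
# any trusted root CA whose private key is stored locally.
# Assumption: the certificate subject is "CN=eDellRoot".
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $isDell = $_.Subject -match 'CN=eDellRoot'
        # A root CA's private key should never be present on an end-user machine;
        # HasPrivateKey is true only when the store also holds the key material.
        if ($isDell -or $_.HasPrivateKey) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                IsEDellRoot   = $isDell
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No eDellRoot certificate and no root certificate with a local private key found.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation preview: remove the eDellRoot entries (drop -WhatIf to apply;
    # the LocalMachine store requires an elevated session).
    $findings | Where-Object IsEDellRoot | ForEach-Object {
        Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) -WhatIf
    }
}
```

Any root certificate reported with HasPrivateKey set to true deserves the same scrutiny as eDellRoot, whatever its name.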
“We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” Dell said.
The use of the eDellRoot certificates has led to Dell being compared to Lenovo, which was found earlier this year to ship PCs with a browser add-on developed by visual search company Superfish. The application, designed to help users find deals and compare prices, has been classified as adware because it injects third-party ads into the websites visited by the user.
The problem with the Superfish adware was that it relied on a self-signed root certificate that, just like eDellRoot, could have been used for MitM attacks against HTTPS connections.
While Dell has rushed to clarify that it hasn’t installed malware or adware on its devices, Errata’s Robert Graham has pointed out that the main issue with Superfish was the existence of the private key that could be easily extracted. “In this respect, Dell’s error is exactly as bad as the Superfish error,” Graham said.
Ironically, Dell uses the Superfish incident to advertise its own laptops, claiming that the small number of pre-loaded applications undergo security and privacy testing.