SecurityWeek

Identity & Access

Root Certificate Shipped With Dell PCs Poses Serious Risk

For the past several months, Dell has been shipping new desktop and laptop computers with a preloaded self-signed root certificate which, according to experts, poses serious security and privacy risks.


The root certificate, named eDellRoot, is installed into the system store by an application called Dell Foundation Services. Dell has been shipping the certificate since August to allow online support staff to quickly identify the computer model when providing service to customers.

However, the root certificate is installed together with its private key, and that key can be easily extracted from any affected machine. With it, a man-in-the-middle (MitM) attacker can sign rogue certificates for arbitrary domains that the affected computers will trust, breaking HTTPS browsing and allowing users’ communications to be intercepted. This type of access can be used to steal sensitive information and even serve malware to the victim.

“If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications. I suggest ‘international first class’, because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking,” said Errata Security’s Robert Graham. “I point this out in order to describe the severity of Dell’s mistake. It’s not a simple bug that needs to be fixed, it’s a drop-everything and panic sort of bug. Dell needs to panic. Dell’s corporate customers need to panic.”

It’s worth pointing out that attacks are only possible against Chrome, Internet Explorer and Microsoft Edge, which rely on the Windows certificate store; Firefox is not affected as it has its own certificate store. German security expert Hanno Böck, who along with Joe Nord and Kevin Hicks (rotorcowboy) has been credited by Dell for reporting the issue, has created an online tool that helps users check if they have the eDellRoot certificate installed.

Cloud-based access security provider Duo Security has discovered eDellRoot certificates with identical keys on two dozen IP addresses from across the world, including one associated with a SCADA system.

Dell has pointed out that the certificate is not malware or adware, and it has not been used to collect personal customer information. The company has provided instructions for permanently removing the certificate from a system.

“We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” Dell said.
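As an added illustration of the check described above (this script is not from the article, from Dell or from Böck’s tool), the following PowerShell inventories the Windows Root stores for a certificate whose subject is eDellRoot and reports whether a private key is attached, which is the condition that makes the certificate dangerous; the thumbprint is deliberately not hard-coded because the article does not give it.

```powershell
param(
    [switch]$Remove   # delete matching entries (needs an elevated session); default is report-only
)

# Subject name as reported in the article.
$subjectPattern = 'CN=eDellRoot'

function Find-EDellRoot {
    # The article says the certificate lands in the system (machine) store;
    # the per-user store is checked too in case it was copied there.
    foreach ($storePath in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $storePath |
            Where-Object { $_.Subject -match $subjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $storePath
                    Subject       = $_.Subject
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    # A trusted root should never carry its private key on an
                    # end-user machine; this flag is the real risk indicator.
                    HasPrivateKey = $_.HasPrivateKey
                    Thumbprint    = $_.Thumbprint
                    PSPath        = $_.PSPath
                }
            }
    }
}

$hits = @(Find-EDellRoot)
if ($hits.Count -eq 0) {
    Write-Output 'No eDellRoot certificate found in the Windows Root stores.'
    Write-Output 'Note: Firefox keeps its own store and is not covered by this check.'
    return
}

$hits | Format-List Store, Subject, SelfSigned, HasPrivateKey, Thumbprint

if ($Remove) {
    foreach ($hit in $hits) {
        # -DeleteKey also removes the associated private key from the key container.
        Remove-Item -Path $hit.PSPath -DeleteKey -ErrorAction Stop
        Write-Output "Removed $($hit.Thumbprint) from $($hit.Store)"
    }
    Write-Output 'Store entries removed; follow Dell''s published instructions for permanent removal.'
}
```

Run it without `-Remove` first to confirm what is present; a hit with HasPrivateKey set to True is the case the article warns about.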


Superfish 2.0

The use of the eDellRoot certificates has led to Dell being compared to Lenovo, which was found earlier this year to ship PCs with a browser add-on developed by visual search company Superfish. The application, designed to help users find deals and compare prices, has been classified as adware because it injects third-party ads into the websites visited by the user.

The problem with the Superfish adware was that it relied on a self-signed root certificate that, just like eDellRoot, could have been used for MitM attacks against HTTPS connections.

While Dell has rushed to clarify that it hasn’t installed malware or adware on its devices, Errata’s Robert Graham has pointed out that the main issue with Superfish was the existence of the private key that could be easily extracted. “In this respect, Dell’s error is exactly as bad as the Superfish error,” Graham said.

Ironically, Dell uses the Superfish incident to advertise its own laptops, claiming that the small number of pre-loaded applications undergo security and privacy testing.

Dell uses Superfish to advertise privacy

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
