Dell is facing mounting criticism from users after a serious security vulnerability was found pre-installed on even its newest computers, a weakness that leaves sensitive data open to interception by attackers.
In similar fashion to the much-publicised Superfish debacle that hit Lenovo less than a year ago, the flaw stems from a self-signed root certificate named eDellRoot, installed in the Windows trusted root store together with its private key. Anyone holding that key can issue certificates for any website that affected machines will accept as valid, so an attacker positioned on the network path, for example on the same open Wi-Fi network, can intercept and modify HTTPS traffic, including usernames and passwords, without triggering a browser warning.
The flaw was first exposed by security researcher Joe Nord on 22 November, after he discovered the eDellRoot certificate on a 2015 Dell Inspiron 5000-series notebook.
“Setting things up, I was surprised to see a trusted root certificate pre-installed on the machine labelled “eDellRoot”. I’m having a tough time coming up with a good reason that Dell Computer Corporation needs to be a trusted root CA on my computer,” he wrote in a blog post.
“The eDellRoot certificate is a trusted root that expires in 2039 and is intended for “all” purposes. Notice that this is more powerful than the clearly legitimate DigiCert certificate just above it, which spikes more curiosity.
“As a user computer, I should never have a private key that corresponds to a root CA. Only the certificate issuing computer should have a private key and that computer should be very well protected.”
The finding was corroborated by a Reddit user posting under the pseudonym Rotorcowboy, who found the same certificate on a “shiny new” Dell XPS 15 laptop.
“While attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA (certificate authority) by the name of eDellRoot,” explained the Reddit post.
“With it came its private key, marked as non-exportable. However, it is still possible to obtain a raw copy of the private key by using several tools available.
“After briefly discussing this with someone else who had discovered this too, we determined that they are shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers. For those that aren’t familiar, this is a major security vulnerability that endangers all recent Dell customers.”
Dell was quickly hit with a barrage of messages on social media demanding an explanation for the certificate.
@nixcraft – Customer security and privacy is a top concern for Dell. We are investigating the issue and will have further updates soon.
— Dell (@Dell) November 24, 2015
Dell has since released a statement acknowledging the problem and outlining the steps it is taking to resolve it.
“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability,” the firm said.
According to Dell, the certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting issues with their hardware.
“The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”
The firm has stressed that the pre-installed certificate is “not malware or adware”.
“It was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers,” the statement continued.
“This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.”
Dell has also published step-by-step instructions on how to remove the certificate, and says it will push a software update to remove it from affected systems.
“Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” said the firm.
“Your trust is important to us and we are actively working to address this issue.”
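The check that Nord and Rotorcowboy describe above (a trusted root certificate whose private key is present on an end-user machine), combined with the removal Dell recommends, as an added example in PowerShell. This script is not Dell's code or its official removal tool; the file name, the parameter names and the decision to match the subject string CN=eDellRoot case-insensitively are this example's own assumptions. Run it from an elevated PowerShell on the affected machine.

```powershell
# Added example, not Dell's code or its removal tool.
# Audits the trusted root stores for (a) the eDellRoot certificate named in the
# article and (b) the more general red flag Nord describes: a trusted root whose
# private key is present on an end-user machine. With -Remove it deletes only
# certificates whose subject matches -SuspectName, private key included.
# Assumptions: saved as Find-LocalRootKeys.ps1 (hypothetical name) and run from
# an elevated PowerShell on Windows.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SuspectName = 'eDellRoot',   # subject CN to look for (-match is case-insensitive)
    [switch]$Remove                        # actually delete matching certificates
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$namePattern = "CN=$([regex]::Escape($SuspectName))(,|$)"

$findings = foreach ($store in $stores) {
    foreach ($cert in (Get-ChildItem -Path $store)) {
        # No Enhanced Key Usage extension (OID 2.5.29.37) on a CA certificate
        # means "all purposes", which is what Nord observed on eDellRoot.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # HasPrivateKey is true whether or not the key is marked exportable,
            # which is the situation Rotorcowboy describes.
            HasPrivateKey = $cert.HasPrivateKey
            AllPurposes   = ($null -eq $eku)
            NameMatch     = ($cert.Subject -match $namePattern)
            Path          = $cert.PSPath
        }
    }
}

# Anything matching the suspect name, plus any trusted root whose private key lives here.
$flagged = $findings | Where-Object { $_.NameMatch -or $_.HasPrivateKey }

if (-not $flagged) {
    Write-Host "No '$SuspectName' certificate and no trusted roots with local private keys found."
    return
}

$flagged | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey, AllPurposes -AutoSize

if ($Remove) {
    foreach ($f in ($flagged | Where-Object { $_.NameMatch })) {
        if ($PSCmdlet.ShouldProcess($f.Thumbprint, "Remove from $($f.Store)")) {
            # -DeleteKey removes the private key material as well as the certificate entry.
            Remove-Item -Path $f.Path -DeleteKey
            Write-Host "Removed $($f.Subject) ($($f.Thumbprint)) from $($f.Store)"
        }
    }
    Write-Host "Reboot and run the script again to confirm the certificate has not returned."
}
```

Run it once without -Remove to see what is flagged, then with -Remove (or -Remove -WhatIf to preview) to delete eDellRoot. A root you installed yourself, such as a local development CA or a debugging proxy's certificate, will also show up with HasPrivateKey set to true; review such entries rather than assuming they are hostile. Re-running after a reboot checks Dell's claim that the certificate does not reinstall itself once removed.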
According to Kevin Bocek, vice president of security strategy and threat intelligence at security firm Venafi, the discovery could lead to a loss of trust from customers.
“In this case, they’re breaking everything that’s been built over the past 20 years to create trust and privacy on the Internet, by inserting a rogue CA into systems that can impersonate any trusted site.
“This is exactly what bad guys do with Trojans and other malicious software to trick users to access fake sites to surveil/monitor private communications. It’s what APT operators, online banking thieves, and other cyber criminals have been doing for years.”
Security researcher Graham Cluley agreed, saying: “Dell is about to learn an important lesson: it takes years to earn your customers’ trust, but only seconds to lose it.”