Dell pulls a Lenovo and ships security-breaking root certificate
In February of this year, China-based computer maker Lenovo maker was roundly condemned for shipping certain of its consumer laptops pre-installed with the Superfish adware, which used a self-signed root certificate to break website encryption.
Now, nine months later, U.S. computer maker Dell Inc. has been caught doing much the same thing — shipping some number of Windows 10 laptops pre-installed with a self-signed root certificate that can be used to defeat the encryption on secure web sessions.
Dell and damnation! Another root (certificate) of all evil
The actual purpose of Dell’s self-signed root certificate — which is named named “eDellRoot” — is not immediately known (it’s listed for “All” purposes) but the malicious purposes that it could potentially be put to are well known.
For example, if a malicious third party gains access to the secret private key of one of the Dell self-signed root certificates then that third party could hijack the root certificate and use it to trick the web browser on the laptop into accepting a fake version of a banking or ecommerce website as the real thing, allowing the interception of passwords, credit card numbers and the like.
Researchers have also reportedly told Ars Technica that the eDellRoot certificate can be used to sign applications and thus bypass malware checks.
Unfortunately, as was the case with the Lenovo Superfish certificate, all the eDellRoot certificates found so far on Dell laptops are all self-signed with the exact same private key; meaning that if you extract the key from one laptop, you can use the same key to commandeer the certificates installed on all other Dell laptops.
According to an Extreme Tech report, the eDellRoot certificate has been found on some Inspiron 5000 Windows 10 laptops shipped no earlier than the middle of 2015. The certificate itself is dated to be valid from May 7, 2015 to December 31, 2039.
On a Reddit thread on Dell’s “rogue root CA“, users say that the eDellRoot certificate is turning up on a whole variety of brand new Dell laptops, including, Inspirons, XPS 15s and Alienware 15s.
A few Reddit posters say that the certificate is also being added via software update. One user posted earlier today, that a new Dell Inspiron, as received on November 21, didn’t have the certificate but that the first Dell update they performed added it (screenshots here).
If you have a Dell computer purchased anytime between between April 2015 and now, you may want to test it for the eDellRoot certificate.
If your Dell connects to this this test site without displaying an error screen when using Internet Explorer or Google Chrome, then you’ve got eDellRoot.
You can also check Windows for yourself.
In the Start menu search field, type: “certmgr.msc”, hit “Enter” and choose “Accept” if a User Account Control window pops up. Then choose “Trusted Root Certification Authorities” > “Certificate”. Look for “eDellRoot” in the left column.
If your Dell does have the rogue root certificate, one way to avoid problem in the sort term is to use Firefox for the time being, because Mozilla’s browser can’t be fooled by eDellRoot — it uses its own set of security certificates rather than the operating system’s set.
Will Dell’s blunder end up being just a one day wonder?
Update: Withing the last two hours, Steve Ragan of CSO has reported that the self-signed eDellRoot certificate was part of an August update to the Dell Foundation Services application (DFS).
And as of 10:29 p.m. EST, Dell has issued at least its third statement of the day regarding the eDellRoot controversy, finally giving both a link to removal instructions and a promise that the company will use a future software update to make sure the root certificate is removed from affected Dell systems.
The post on the official Dell corporate blog Direct2Dell, titled “Response to Concerns Regarding eDellroot Certificate” reads in part:
“The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward. “
The blog post ends graciously by going so far as to thank the three “Dell users”, Hanno Böck, Joe Nord and rotorcowboy who brought the “vulnerability” to the company’s attention. Click the images to enlarge them.