Dell Promises To Kill Dangerous Security Certificate It Shipped On PCs

Dell has today decided to remove a certificate that was supposed to provide security and assistance to its PC owners, after it was heavily criticised for actually placing users in danger.

Such certificates typically act as tokens of trust. When a user visits an encrypted site, there is a certificate chain in which the website presents a certificate to prove it is who it says it is. But “root certificates”, like Dell’s soon-to-be-dead eDellRoot, grant their creator the power to produce encryption certificates for any site using HTTPS, and the user's browser will accept them. For instance, Dell could effectively create its own fake version of Facebook, using what the browser would believe to be a genuine certificate indicating the site was the real deal.

But it gets way worse. Though Dell said eDellRoot was installed by Dell Foundation Services to act as a support tool and was “intended to make it faster and easier for our customers to service their system”, it was possible to extract the private key that signed the certificate. That meant anyone could grab that key, sign their own certificate and do exactly as Dell could do.

A wily hacker could, for instance, easily get on the same network as any affected Dell PC user, intercept their traffic and serve up fake versions of HTTPS sites, from Facebook to Google to Twitter to banking websites. Such man-in-the-middle attacks can also be used to deliver malware via fake updates over HTTPS.

Dell, recognizing this was a potential security nightmare, said it regretted the decision to install eDellRoot and announced it would be sending out updates to delete the certificate. It claimed the certificate was “intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers”, yet that wasn’t enough to justify its presence on computers.

“We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” Dell wrote on its site today.
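A local check for the certificate Dell describes removing, written as an added PowerShell example that is not Dell's published instructions or update. It matches by subject name only, because the article does not quote the certificate's thumbprint, and assumes an elevated prompt so the LocalMachine stores can be read and modified.

```powershell
# Added example (not Dell's removal script): look for the eDellRoot certificate
# in the Windows trust stores, report it, and optionally remove it.
# Matching is by subject name only; no thumbprint is hard-coded because the
# article does not give one. Run from an elevated prompt for LocalMachine stores.

function Find-EDellRoot {
    [CmdletBinding()]
    param(
        # Remove any matching certificate instead of only reporting it.
        [switch]$Remove
    )

    # Root = trusted root CAs; CA = intermediate CAs. Check user and machine scope.
    $stores = @(
        'Cert:\LocalMachine\Root',
        'Cert:\LocalMachine\CA',
        'Cert:\CurrentUser\Root',
        'Cert:\CurrentUser\CA'
    )

    $found = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*CN=eDellRoot*' }
    }

    if (-not $found) {
        Write-Output 'eDellRoot not present in the user or machine trust stores.'
        return
    }

    foreach ($cert in $found) {
        # HasPrivateKey is the damaging part: a trusted root whose private key sits
        # on the machine lets anyone who extracts it sign certificates for any host.
        [PSCustomObject]@{
            Store         = $cert.PSParentPath -replace '^.*::', ''
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
        if ($Remove) {
            # -DeleteKey also removes the associated private key container.
            Remove-Item -Path $cert.PSPath -DeleteKey -ErrorAction Stop
            Write-Output "Removed $($cert.Thumbprint) from $($cert.PSParentPath)"
        }
    }
}

Find-EDellRoot            # report only
# Find-EDellRoot -Remove  # report and delete (elevated prompt)
```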

The vulnerability was not dissimilar to Superfish, another root certificate installed by Lenovo on its laptops. In that case, Superfish was used to inject ads, and was somewhat more surreptitious than Dell’s certificate. Nevertheless, the same security threat existed on both companies' PCs, showing just how simple decisions made during the design phase can completely undo security without the customer having a clue.

Dell should have known about the problem earlier this month, as security researcher Hanno Böck said he’d warned the company two weeks ago. But it was only when a Reddit post caught the attention of the security world that the tech giant reacted.

Duo Security said Dell was shipping the certificate in various models other than the Inspiron 14 laptop it had tested. Duo also found another potentially dangerous certificate, one used to sign four Bluetooth drivers on the Dell laptop. And it discovered that at least one of the machines using the certificates to provide web services over HTTPS was a SCADA (supervisory control and data acquisition) system. SCADA devices are used to manage critical infrastructure, such as nuclear power plants and water processing facilities.

As they await an update, users can check if their Dell PCs are affected using this simple online tool.
