Dell puts privacy at risk with dangerous root certificate

Dell shipped systems with the eDellRoot certificate's public and private key

dell booth

People check out computers at the Dell booth at the Rootstech Conference sponsored by Family Search in Salt Lake City, Utah February 7, 2014.

Credit: REUTERS/George Frey

Dell has come under fire for shipping PCs with a pre-installed trusted root certificate that can be used to compromise the security of encrypted HTTPS connections. The issue is similar to one Lenovo customers faced after the company shipped their systems with the Adware known as Superfish.

The Lenovo issue gained a good deal of attention, and led to safer systems for consumers. However, six months after the Lenovo incident, Dell started using a trusted root certificate with similar problems called eDellRoot.

The certificate ships with both the public and private key. On Reddit over the weekend, both were released to the public.

"Surely Dell had to have seen what kind of bad press Lenovo got when people discovered what Superfish was up to. Yet, they decided to do the same thing but worse. This isn't even a third-party application that placed it there; it's from Dell's very own bloatware," commented the Reddit poster under the name "rotorcowboy".

"To add insult to injury, it's not even apparent what purpose the certificate serves. At least with Superfish we knew that their rogue root CA was needed to inject ads into your web pages; the reason Dell's is there is unclear."

Systems with the certificate installed are at risk should an attack use eDellRoot to create valid certificates for various websites, as demonstrated by Kenn White:

-

dell forged certificate via twitter

-

The certificate problems created by Dell will only impact users of Internet Explorer, Microsoft's Edge browser, and Chrome. Firefox users will not be affected, because Mozilla uses its own certificate store.

Freelance journalist and security writer Hanno Böck has created a website for Dell customers who want to test their systems and check to see if they're vulnerable.

Dell hasn't issued any comment to the public, but in a statement to Ars Technica, the company said that technicians were looking into the matter.

Update:

Shortly after this story went live, Dell issued the following statement to members of the media.

Customer security and privacy is a top concern and priority for Dell. The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience.

Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support.

We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.

Dell didn't respond to questions about the models that were affected by this issue, but when asked for additional details by Jeremy Kirk, of IDG's News Service, the company said the certificate was added for support reasons.

We began loading the current version on our consumer and commercial devices in August to make servicing PC issues faster and easier for customers.

When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service. No personal information has been collected or shared by Dell without the customer’s permission.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.