On November 22, 2015, information about a critical vulnerability affecting a range of Dell products appeared on the Internet. The situation is much like what happened to Lenovo with the Superfish adware. The first to find the problem was programmer Joe Nord, who described it on his blog: he had bought a Dell Inspiron 5000 series laptop that came with a pre-installed trusted root certificate called eDellRoot.
The problem is that the private key of this root certificate is stored on the computer itself, which lets an attacker mount a man-in-the-middle attack against the machine. Nord found that eDellRoot is installed as a trusted root and is valid for all purposes, which makes it even more powerful than a fully legitimate root certificate from DigiCert. Its validity period runs until 2039. In addition, the certificate's details carry the line "You have a private key that corresponds to this certificate", a line that should never appear for a trusted root on an end-user machine: a CA's private key is supposed to stay with the CA, not with the users who trust it.
Anyone who obtains that private key can sign certificates for any website, and the computer will accept them as trusted. This is the basis of a man-in-the-middle attack, in which legitimate resources are replaced with malicious copies that the browser cannot tell apart from the originals. And obtaining the key is no challenge: the same certificate and key are preinstalled on a range of new Dell XPS, Precision and Inspiron models and stored locally on each such device, so extracting it from any one machine is enough to attack all of them.
Dell began shipping these devices with eDellRoot preinstalled in August 2015.
How to protect yourself?
Dell representatives stated that eDellRoot is not malicious ("malware or adware") and that the company does not use it to collect any personal information; it was meant only to let support quickly identify the product model when the owner contacts customer support. According to Dell spokesperson Laura Thomas, the company simply wanted to improve the level of service and cut the time it takes to reach a solution during a support call.
"Sometimes good intentions, such as faster access to customers' machines to improve the speed of service, can have terrible consequences for the security of the system if the implementation of such measures carries security risks."
Dell also published instructions for removing the certificate, and from them it is clear that removal is not entirely straightforward. A Dell Foundation Services plugin, Dell.Foundation.Agent.Plugins.eDell.dll, reinstalls the certificate automatically if it is simply deleted from the certificate store. To remove it for good, the user must first delete that DLL and only then remove the eDellRoot certificate.
In a statement on Dell's official website, the company promised not to use insecure certificates in the future.
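The following PowerShell script is an added example, not Dell's own removal tool. It audits the Windows trusted-root stores for eDellRoot, reports whether a private key is attached (the programmatic form of the "You have a private key" line Nord saw), and with -Remove performs the removal in the order Dell's instructions require: stop the Dell Foundation Services service, delete the plugin DLL, then delete the certificate. The service display name and the assumption that the DLL lives somewhere under Program Files are mine; the script searches for the DLL by name rather than hard-coding a path.

```powershell
# eDellRoot audit and removal. Added example, not Dell's script.
# Run from an elevated PowerShell prompt. Assumptions: the reinstalling service
# shows up as "Dell Foundation Services" and the plugin DLL is under Program Files.
[CmdletBinding()]
param([switch]$Remove)

$subjectName = 'eDellRoot'
$dllName     = 'Dell.Foundation.Agent.Plugins.eDell.dll'

# 1. Look for the certificate in both the machine and the user trusted-root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like "*CN=$subjectName*" }
}

if (-not $found) {
    Write-Output "No $subjectName certificate found in the trusted root stores."
    return
}

foreach ($cert in $found) {
    # A trusted root whose private key is present on the machine is the actual defect.
    [pscustomobject]@{
        Store         = $cert.PSParentPath
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
    } | Format-List
}

if (-not $Remove) {
    Write-Output "Re-run with -Remove to delete the plugin DLL and the certificate."
    return
}

# 2. Stop the service that would otherwise put the certificate back (name is an assumption).
$svc = Get-Service | Where-Object { $_.DisplayName -like 'Dell Foundation Services*' }
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force
    Write-Output "Stopped service $($svc.DisplayName)."
}

# 3. Delete the plugin DLL first; deleting the certificate first just gets it reinstalled.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$dlls = Get-ChildItem -Path $searchRoots -Recurse -Filter $dllName -ErrorAction SilentlyContinue
if (-not $dlls) {
    Write-Warning "$dllName not found under Program Files; the certificate may come back after removal."
}
foreach ($dll in $dlls) {
    Remove-Item -Path $dll.FullName -Force
    Write-Output "Deleted $($dll.FullName)"
}

# 4. Now remove the certificate(s). -DeleteKey also removes the stored private key,
#    so a copy does not linger in the key container after the certificate is gone.
foreach ($cert in $found) {
    Remove-Item -Path $cert.PSPath -DeleteKey -Force
    Write-Output "Removed $($cert.Subject) from $($cert.PSParentPath)"
}

# 5. The service can run without the plugin; restart it so other Dell support features keep working.
if ($svc) { Start-Service -Name $svc.Name }
```

Run it once without -Remove to confirm the HasPrivateKey column reads True on an affected machine, then with -Remove. Note that this only cleans the Windows certificate stores: Internet Explorer, Edge and Chrome consult them, while Firefox keeps its own trust store and was never affected by eDellRoot in the first place.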
You can check whether your computer has the eDellRoot certificate at edell.tlsfun.de.