The Guardian - UK
Technology
Alex Hern

Dell ships computers with built-in security flaw

A Dell laptop at Microsoft’s Build conference.
The flaw is reminiscent of PC manufacturer Lenovo’s decision to ship its computers infected with a brand of malware named Superfish. Photograph: Jeff Chiu/AP

Dell has apologised to customers for deliberately shipping new computers with an inherently insecure support tool and has provided a removal tool to fix affected machines.

Recently produced Dell machines were shipped with a trusted root certificate whose private key is also present on the machine, which makes it easy for an attacker to perform a man-in-the-middle attack and potentially steal personal information, even over a connection the user believes to be encrypted.

But the flawed security certificate wasn’t accidental. Instead, Dell decided to put the credentials, which were labelled with “eDellRoot” as their issuer, on machines as part of a support tool.

The certificate is “self-signed”, meaning that it vouches only for itself rather than being issued by a public certification authority such as Verisign, yet Dell installed it as a trusted root, so the machine treats it as an authority on which websites are genuine. Because the certificate and its private key are identical on every affected machine, an attacker who extracts the key from any one Dell can use it to sign certificates for other websites, and those forged certificates will then be accepted as genuine by every affected Dell machine.

As a result, an attacker could, for instance, sit in a coffee shop with public Wi-Fi and intercept any login details sent from an affected Dell laptop, or pose as the user’s online banking website in order to extract further information, with the browser showing a valid, padlocked connection throughout.
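How that forgery works, shown as an added example that is not part of the Guardian article or of Dell’s own tooling: the Go program below generates a stand-in self-signed root (the name “eDellRoot”, the second root “Example Public CA” and the hostname www.bank.example are illustrative assumptions, not real key material), uses the root’s private key to mint a certificate for a hostname the attacker does not control, and then runs the same chain validation a TLS client performs, first against a root store that still trusts the vendor root and then against one from which it has been removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Root is a self-signed CA certificate together with its private key. On the
// affected machines both halves were present, identical on every machine.
type Root struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewSelfSignedRoot builds a CA certificate whose issuer and subject are the
// same name: a certificate that vouches only for itself.
func NewSelfSignedRoot(name string) (*Root, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Template and parent are the same certificate: that is what self-signed means.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Root{Cert: cert, Key: key}, nil
}

// IssueLeaf signs a server certificate for hostname with the root's key. A real
// CA does this after checking who controls the name; whoever has extracted the
// shipped private key can do it for any name at all.
func IssueLeaf(root *Root, hostname string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root.Cert, &leafKey.PublicKey, root.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts is the check a TLS client makes when connecting to hostname:
// does the presented certificate chain to a root in this machine's trust
// store (roots) and name this host? An empty, non-nil pool never falls back
// to the system roots, so the result depends only on what we pass in.
func ClientAccepts(roots []*x509.Certificate, leaf *x509.Certificate, hostname string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	eDellRoot, err := NewSelfSignedRoot("eDellRoot") // stand-in for the vendor root
	if err != nil {
		panic(err)
	}
	publicCA, err := NewSelfSignedRoot("Example Public CA") // stand-in for a genuine CA
	if err != nil {
		panic(err)
	}
	const bank = "www.bank.example"
	forged, _ := IssueLeaf(eDellRoot, bank) // attacker, using the shipped key
	genuine, _ := IssueLeaf(publicCA, bank) // the bank's real certificate
	affected := []*x509.Certificate{publicCA.Cert, eDellRoot.Cert} // before removal
	cleaned := []*x509.Certificate{publicCA.Cert}                  // after removal
	fmt.Println("affected Dell accepts forged cert:  ", ClientAccepts(affected, forged, bank))
	fmt.Println("cleaned machine accepts forged cert: ", ClientAccepts(cleaned, forged, bank))
	fmt.Println("cleaned machine accepts genuine cert:", ClientAccepts(cleaned, genuine, bank))
}
```

The point to take from the run is that nothing about the forged certificate itself is detectably wrong: it validates cleanly for as long as the vendor root sits in the trust store, and it is rejected the moment that single root is removed, which is why removing the root (and not merely the support tool) is the fix.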

The flaw is reminiscent of PC manufacturer Lenovo’s decision to ship its computers infected with a brand of malware named Superfish, which also installed a self-signed root certificate on PCs. That certificate was used to inject Superfish’s own adverts into Google searches, but it exposed customers to exactly the same kind of interception attack.

Unlike Lenovo, Dell apologised rapidly after the eDellRoot certificate was discovered by customers and researchers.

In a blogpost, a spokeswoman wrote that: “The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

“The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.”

Starting on Tuesday, Dell will push a software update to remove the certificate from machines. In the meantime, it has posted instructions for users who want to remove the certificate manually. Note the caveat in Dell’s own statement: the certificate stays gone only when it is removed using the recommended Dell process, so users removing it by hand should follow those instructions in full rather than simply deleting the entry from the root store, and check afterwards that it has not returned.
