Reporting the weak digital certificate in a few of Dell’s new Windows laptops, the security researchers said that the affected Dell laptops come pre-installed with self-signed digital certificates which can enable cybercriminals to masquerade as Dell, and upload malware to the affected laptops.
Advertisement
While consumers can manually remove the pre-installed certificate, it compromises the root security of a system and can allow cyber-criminals to read private messages, carry out phishing attacks and steal private data.
Dell in a statement told Reuters, “The recent situation raised is related to an on-the-box support certificate meant to provide a better, faster and easier customer support experience…Unfortunately, the certificate introduced an unintended security vulnerability”. Should intruders manage to get a hold of a raw copy of the self-signed security certificate’s private key, they will have a much easier way to attack every PC that ships with the code. As a user computer, I should NEVER have a private key that corresponds to a root CA.
On Monday, Duo Security published a report saying that it had also recently come across the eDellRoot issue while checking out a Dell Inspiron 14 laptop it recently bought. In a statement to The Verge, a Dell representative said the company was still looking into the certificate, but emphasized Dell’s policy of minimizing pre-loaded software for security reasons.
“To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support”. Users reported finding it on Dell XPS 15 and XPS 13 models, but also on a Latitude and an Inspiron 5000 series model.
It is understood that the eDellRoot certificate was installed on desktops and laptops shipped from August 2015 to today.
Just a refresher, Lenovo received tremendous backlash when it was discovered the company had been loading a similar rootkit certificate called superfish on select Lenovo devices.
Research so far has provided proof of concept scenarios where the eDellRoot could be manipulated and used for valid certificates that could trigger attacks.
This root certificate, named eDellRoot, can be extracted with special tools from the laptop’s filesystem, and then used to sign malicious software, passing it as a safe source. A number of security researchers have already been able to exploit the flaw.
Advertisement
While Dell is now promising a fix for the issue, the scenario is being compared to Lenovo’s “Superfish” gaffe in February this year. “Only the certificate issuing computer should have a private key and that computer should be… very well protected!”
