Dell does a Lenovo: ships laptops with rogue root CA
Some Dell laptops ship with a self-signed root certificate eDellRoot and private key that attackers can exploit. The issue, first reported on Reddit, has resemblances to the Lenovo incident earlier this year when the company shipped some of its laptops with a pre-installed third-party root certificate that could be exploited in a similar fashion.
The self-signed root certificate and private key appear to be identical on all affected Dell machines.
Update: Dell published an official response on the official Dell website. stating that the purpose of the certificate was "not malware or adware", but to "provide system service tag to Dell online support" and here specifically to allow Dell to "quickly identify the computer model".
The company has posted instructions on how to remove the certificate from Dell systems. End
Update 2: A second certificate vulnerability similar to the first has been discovered. The certificate DSDTestProvider is installed by Dell System Detect and includes the private key as well making systems running with it vulnerable as well to attacks. End
The preinstalled root certificate is accepted by browsers who use the system's certificate store, and that is Chrome and Internet Explorer on Windows for instance. Mozilla Firefox on the other hand is not affected by this as it uses its own certificate store.
The issue is severe, as it enables attackers to sign fake certificates for use on websites, and users would not notice this unless they pay attention to the certificate chain.
The certificate, which is installed on laptops by default, is installed by the software Dell Foundation Services which, according to the description on Dell's website, "provides foundational services facilitating customer serviceability, messaging and support functions".
The private key is not exportable by default but there are tools that can export it. The key has been posted in the meantime on Reddit.
It is unclear why Dell added the certificate in this way to some of its machines. It seems unlikely that spying is the reason for this, considering that the company would not include the private key if this would be the case.
It is surprising however that another manufacturer of Windows PCs and devices would make the same mistake that Lenovo did earlier that year considering that the company should have paid close attention to the fallout afterwards.
Test your laptop
Hanno Böck created a web test to find out if the bad eDell certificate is installed on the system. Simply connect to the test website and you will receive information whether your system is vulnerable or not.
Remove the certificate
If the root certificate is installed on your laptop, you may want to remove it immediately to block any attacks from being carried out successfully against your system.
Windows users need to do the following to remove the certificate:
- Tap on the Windows-key.
- Type certmgr.msc and hit enter.
- Accept the UAC prompt if it is shown.
- Switch to Trusted Root Certification Authorities > Certificates.
- Locate the eDellRoot certificate in the list.
- Right-click the certificate and select Delete.