Dell apologises as serious security vulnerability found in PCs

Programmer Joe Nord made the vulnerability public on Sunday. Nord noticed that his new Dell Inspiron 5000 series laptop had a root certificate preinstalled on it, issued by Dell Computer Corporation and known as “eDellRoot.” The certificate makes Windows trust anything signed by it, and it does not expire until 2039.
Nord found that the certificate’s own private key is stored locally on the user’s machine alongside it. An attacker could therefore extract the key from any affected machine and use the certificate’s trusted status to take control of the computer and force web browsers to trust malicious content. Within hours of Nord’s blog post, other security researchers had already recovered the key and developed proof-of-concept exploits to present to Dell.
The company has since responded to the allegations, confirming that the eDellRoot SSL certificate is installed by one of its programs, Dell Foundation Services. It admits it “unintentionally introduced a security vulnerability” but says the certificate is “not malware or adware.” It is apparently used to help with customer service requests, automatically presenting the computer’s model number to online support websites.
Dell may claim the security vulnerability was unintentional but comparisons have already been drawn with Lenovo’s Superfish debacle from earlier this year. Software bundled with many of Lenovo’s computers could intercept encrypted website traffic.
It also used the same private key on every computer it was installed on, so an attacker who obtained the key could have created a fake website and forced target computers to trust it. They could then collect banking details and other personal information whenever users logged in. The computer owner would not realise anything was wrong, as the attacker could redirect requests for legitimate websites to the fake one.
Dell maintains that its root certificate wasn’t designed to collect data from users. It wrote in a statement: “The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.”
Dell has provided instructions on how to remove the certificate from affected systems and reassures users that, once removed, the certificate will not be automatically reinstalled. The company says a software update will soon remove the certificate and private key “from all” of the affected computers.
The Dell XPS 15, XPS 13 and Inspiron 5000 model lines are currently known to include the certificate, but it is likely present in many other ranges too. Owners can find instructions for removing it manually on Dell’s website. Dell is attempting to work out how many people are affected and will then explain why the decision was made to include a self-signed certificate on user machines.
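The following PowerShell audit is an added example and is not Dell’s own removal procedure. It lists any certificate in the machine-wide Root store whose subject or friendly name matches “eDellRoot”, and separately flags any trusted root that has a private key stored on this machine, which is the condition the article describes; the helper names and the thumbprint-based removal step are this example’s own, not Dell’s.

```powershell
# Added example: audit the Windows LocalMachine\Root store for the eDellRoot
# certificate and for any root CA that carries a local private key.
# A trusted root on an end-user device should never have its private key present.

function Get-SuspiciousRootCerts {
    param(
        # Subject or friendly-name substring to flag explicitly; 'eDellRoot' is the name from the report.
        [string]$Name = 'eDellRoot'
    )
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $named = ($_.Subject -like "*$Name*") -or ($_.FriendlyName -like "*$Name*")
        # HasPrivateKey is true when a key associated with this certificate is stored
        # locally, which is exactly what made eDellRoot exploitable.
        if ($named -or $_.HasPrivateKey) {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                Reason        = if ($named) { "matches '$Name'" } else { 'root CA with local private key' }
            }
        }
    }
}

function Remove-SuspiciousRootCert {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Must run from an elevated prompt; LocalMachine\Root is not writable otherwise.
    $path = "Cert:\LocalMachine\Root\$Thumbprint"
    if (Test-Path $path) {
        # -DeleteKey also removes the private key that was stored alongside the certificate.
        Remove-Item -Path $path -DeleteKey
        Write-Host "Removed $Thumbprint from LocalMachine\Root"
    } else {
        Write-Host "No certificate with thumbprint $Thumbprint in LocalMachine\Root"
    }
}

# Audit first and review the list before deleting anything:
Get-SuspiciousRootCerts | Format-Table -AutoSize
```

Dell’s statement above only guarantees that the certificate will not return when it is removed using Dell’s recommended process, so treat this script as an audit and re-run it after following that guidance to confirm the certificate and key are gone.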