Dell is back-pedaling today after it was revealed that the PC giant has been shipping a number of its laptops with a preinstalled, self-signed root certificate authority called eDellRoot. The impact of this is that users could be left at risk from attackers, potentially enabling information theft.
Dell is now responding to the issue by advising impacted customers on how to remove the rogue CA. In a statement Dell sent to eWEEK, the company emphasized that customer security and privacy is a top concern and priority for Dell.
“The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience,” Dell stated. “Unfortunately, the certificate introduced an unintended security vulnerability.”
Dell has now publicly posted instructions on how the eDellRoot CA can be removed from users’ systems. Dell also stated that it will be removing the certificate from all Dell systems moving forward.
“Dell does not pre-install any adware or malware,” Dell stated. “The certificate will not reinstall itself once it is properly removed using the recommended Dell process.”
Duo Security is among the many security vendors that have been investigating the DellRoot issue and has been able to find multiple instances of the rogue root certificate, including one installed on a supervisory control and data acquisition (SCADA) system.
Darren Kemp, security researcher at Duo Labs, the advanced research division of Duo Security, said his team was able to find the rogue certificates as an ancillary discovery during the course of some other research that is ongoing. Because the certificate is a root certificate that is trusted for pretty much any purpose, anything where certificate signing is used could potentially be attacked, he said.
It’s also not entirely clear what, if any, benefit there is to Dell for installing the eDellRoot certificate.
“There is absolutely no good reason why a hardware manufacturer would insert its own CA certificate into machines it ships,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told eWEEK. “This completely undermines the system of trust established for the Internet.”
The eDellRoot issue is somewhat similar to the “SuperFish” incident involving rival PC vendor Lenovo. With SuperFish, Lenovo was also bundling a root certificate that could have potentially exposed users to a man-in-the-middle exploitation risk.
“Just as we saw with Lenovo and SuperFish, the installation of eDellRoot is a huge threat to not just individual users, but it’s an attack on the system of trust that secures the Internet,” Bocek said.
Bocek suggests that IT security administrators inspect all their systems to identify potential root CA risks. He added that there are more than 300 trusted CAs on Windows, while most organizations need to trust, at most, a dozen or so.
“Enterprise systems that scan, report and then whitelist and blacklist CAs are available,” Bocek said. “For individual users, you can manually inspect and delete CAs using the Microsoft certmgr.msc app. Instructions can be found on how to run the app from Microsoft here.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
