
Oh dear. Dell is in a bit of hot water. The world’s third largest computer manufacturer has been caught shipping rogue root certificates on all of their computers, and in the process presenting a humongous security risk to all of their customers.

If that sounds strangely familiar, it’s because it is. Last year, Lenovo was caught doing virtually the same thing with its SuperFish malware, in a move that caused consumer fury, and resulted in the Chinese manufacturer being censured by the US Department of Homeland Security.

So, what’s happening? And should you be concerned?

Meet eDellRoot

Regardless of who manufactured your computer, it came shipped with a collection of secure and trusted certificates for a few trusted servers operated by companies like Verisign and Thawte. Think of these as being like passwords, or signatures.

These certificates are essential for encryption to work. They allow you to securely access encrypted web pages, download system updates, and check the certificates of other webpages. As a result, it’s important that these certificates are handled properly.

Early on Monday morning, a Reddit user by the name of RotorCowboy (real name Kevin Hicks) submitted a text post to the Technology subreddit, warning of a self-signed root Certificate Authority (CA) that he found installed on his brand-new Dell XPS laptop, called eDellRoot.

The certificate shipped with a private key, which was marked as “non-exportable”. But by using a tool produced by the NCC Group called Jailbreak, he was able to extract it. After some investigation, Hicks discovered that eDellRoot was shipping on every brand new Dell laptop with the exact same certificate and private key.

This presents a significant security risk for users. But why?

The Risks Posed by eDellRoot

There’s a reason why e-commerce sites, online banking apps, and social networks all encrypt their traffic. Without it, anybody could intercept the messages sent from their servers to their users, and in turn get access to their private information, and even login credentials.

If you can preload a fake, or duplicate certificate, it then becomes possible to intercept all secure communications sent by that user, with the user being none the wiser. This type of attack is called a “man in the middle” attack.

If someone was to copy the root certificate from the Dell laptop and pretend to be the website of HSBC Bank, the user would still see the green padlock in the address bar, and would be able to interact with the site as they normally would. There would be no red screen. No warning.

But here’s where it gets really interesting. Dell shipped the same certificate and key with every Dell laptop. If you’ve bought a Dell laptop over the past year, chances are high you’re at risk.

Another terrifying side-effect of this is that it also means that an attacker would be able to sign malware with a legitimate root certificate, which would make it seem slightly more legitimate, and even obfuscate the origins of the software.

It’s nasty stuff. At this point, you could be forgiven for scratching your head, and wondering why Dell would choose to do such a thing, especially after the fallout following SuperFish.

What the Hell Was Dell Thinking?

We all know why Lenovo wanted to ship their own root CA with their computers. It allowed them to inject adverts into every single webpage. Even the encrypted ones.

Computers – particularly those at the cheaper end – are a low-margin business. Retailers don’t make much money from them, which is why you are constantly being upsold additional services and products whenever you buy a new machine. But manufacturers don’t make much money from them, either. They try to make up for that by routinely installing mountains of trialware and crapware on all new machines.

But many of the computers that’ve been identified as being infected with eDellRoot are not low end machines. The cheapest Dell XPS, for example, costs $799.

Nobody really knows what Dell’s motivations were. There’s nothing to suggest they were trying to inject their own adverts, or hijack web traffic.

So far, everything points to there being a significant lapse of judgement at Dell. Especially given that the eDellRoot CA was created six months after the SuperFish fiasco.

How to Get Rid of eDellRoot

Getting rid of eDellRoot is simple. First, open the Start menu, and search for “certmgr.msc”. This is the standard Windows tool used to manage, modify, delete and request certificates. To use it, you must be logged into an account with administrator privileges.

Then click on Trusted Root Certificate Authorities > Certificates. This lists every Root CA installed on your machine. Search for eDellRoot. It should look like this.

If it’s there, you’ve got the dodgy certificate installed. To delete it, right click the certificate, and click Delete.

You can also find out if you are affected with a single line of PowerShell code.
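
The check described above can be scripted. The following is an added example, not the one-liner from the original article: it looks in the Trusted Root stores for a certificate whose subject contains eDellRoot (assuming the subject carries the name the article gives) and, going one step further, flags any trusted root that has a private key stored on the machine, which is the condition that made eDellRoot dangerous.

```powershell
# Added example: audit the Trusted Root stores for eDellRoot and for any
# root certificate that has its private key present on this machine.
# Read-only: nothing is deleted or changed.

$targetName = 'eDellRoot'   # certificate name as given in the article
# The CurrentUser view can repeat entries inherited from LocalMachine.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $nameMatch = $_.Subject -match [regex]::Escape($targetName)

        # A root CA only needs its public certificate to be trusted.
        # A private key sitting next to it means anyone who extracts the
        # key can issue certificates this machine will accept.
        if ($nameMatch -or $_.HasPrivateKey) {
            $reason = 'Trusted root with a local private key'
            if ($nameMatch) { $reason = "Subject matches $targetName" }

            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                Reason        = $reason
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "$(@($findings).Count) trusted root entry(ies) need review."
} else {
    Write-Output "No $targetName entry and no trusted roots with a local private key were found."
}
```

Anything it reports can then be inspected and removed in certmgr.msc as described above.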

A PR Disaster of Epic Proportions

Given the size of Dell, the vast number of affected machines, and the propensity for businesses to use Dell machines, I guarantee there’ll be some major fallout from this episode. Apologies will be issued from higher-up, and people will lose their jobs. Tech-savvy consumers will think twice about ever buying a Dell laptop again. But what about you?

Were you affected? Will you buy a Dell ever again? Tell me about it in the comments below.

Photo Credits: Dell Keyboard (David Precious) 

  1. Mike Spurlock
    November 27, 2015 at 7:51 pm

    And Acer, HP, Samsung and Proline aren't under the same scrutiny as the frontline makers.
    I wouldn't assume they're safer, and they're probably less safe.

    • Matthew Hughes
      November 30, 2015 at 5:55 pm

      I'm not sure about that. I think they're all under some degree of scrutiny. I mean, we're talking about manufacturers who ship tens of millions of units, yearly.

  2. jonen560ti
    November 25, 2015 at 8:40 pm

    I don't think I'm ever gonna use a manufacturer edited version of Windows again. I just can't be sure whether or not they've done something stupid on it. First thing I'm gonna do on a new computer is install a fresh copy of Windows. It's not odd that the pre-built computer market is suffering with crap like this going on.

    • Matthew Hughes
      November 30, 2015 at 5:55 pm

      That's sensible.

  3. Colonel Angus
    November 24, 2015 at 1:52 pm

    Until consumers begin to hold these companies accountable for this sort of nonchalant approach to end user security, there is no motivation for them to change their behavior. Unfortunately, Mr. and Mrs. Average Buyer are largely never even aware that things like this happen. It gets mentioned on tech sites, where most never visit, or a brief clip on the news, which is easily missed.

    • Matthew Hughes
      November 30, 2015 at 5:56 pm

      I think Mr and Mrs Average Buyer will be somewhat aware of this. I mean, it was big news, and covered by all the major news networks.

      But I agree, Dell need to be held accountable.

  4. Tom Willoughby
    November 24, 2015 at 8:56 am

    I bought a Dell Inspiron 15 at the beginning of the year. It doesn't have eDellRoot certificate, but I certainly won't be buying from Dell again. This goes for all products, such as monitors and peripherals too. Once a makes a decision that could breach my trust and put my security at risk, I won't give them my money.

    • Matthew Hughes
      November 30, 2015 at 5:56 pm

      Sensible, Tom.

  5. ringhalg
    November 24, 2015 at 7:36 am

    What manufacturers are left? Acer, HP, Samsung, Proline etc? It's only a matter of time before these manufacturers turn for the worst. The only way to prevent it, is to stop buying laptops, but of course, most people can't do that.

    • Matthew Hughes
      November 30, 2015 at 5:57 pm

      I'm not even sure about that. I just think we need to hold the manufacturers to account.

  6. Read and Share
    November 24, 2015 at 7:24 am

    No Sony. No Lenovo. And now, no Dell.

    Every business decision is a cost / benefit decision. Saying “sorry” after getting caught costs little to nothing. All companies must be made to know - and be continually reminded of severe consequences when they treat their customers or their staff or the environment in underhanded ways.

    • Matthew Hughes
      November 30, 2015 at 5:58 pm

      That's the best thing about the free market. We can vote with our wallets. I think people will stop buying Dell machines. Particularly the Prosumer market, who tend to buy more expensive units, and will be well aware of this debacle.

  7. Josh H
    November 24, 2015 at 5:22 am

    For what it's worth, I'm typing this on a Dell XPS 15 9550 "Signature Edition" from the Microsoft Store and the eDellRoot certificate is nowhere to be found. So at least there's that...

    • Matthew Hughes
      November 30, 2015 at 5:59 pm

      You wouldn't on a Signature Edition.

  8. Gary
    November 24, 2015 at 5:04 am

    For what it's worth, my Alienware 15 laptop purchased in June has, or rather had, the certificate in question.

    • Matthew Hughes
      November 30, 2015 at 5:59 pm

      Eish. Dell own Alienware.

      Did you manage to get rid of it okay?

      • Gary
        December 1, 2015 at 3:13 am

        Yes, following the instructions posted at the time (before Dell released the removal tool) let me delete it without issue.

  9. chad
    November 24, 2015 at 1:58 am

    Based upon this evidence, I will never consider a Dell computer again

    • Matthew Hughes
      November 30, 2015 at 5:59 pm

      Sensible.
