A Reddit user reported that Dell is bundling its own certificate in the Windows certificate root store, as well as the certificate's private key. This can leave Dell customers vulnerable to attacks and surveillance by malicious hackers, much like what happened with Lenovo earlier this year in the "Superfish" scandal.
The worst part about this is the bundling of the private key with the Dell root certificate, because anyone who extracts that key can sign certificates for any site, such as google.com or bankofamerica.com, and every Dell machine that trusts the eDellRoot certificate will accept them. Those forged certificates should work in browsers such as Internet Explorer and Chrome, which rely on the Windows root store. Firefox ships with its own certificate root store, so it shouldn't be affected.
This has been a worrying trend, with PC makers such as Lenovo, Dell, and perhaps others that we don't know about yet, bundling their own certificates on PCs that come pre-installed with Windows. It's surprising Dell would still do something like this now after the whole Superfish scandal Lenovo experienced this spring.
It's also surprising that Microsoft is still allowing OEMs to install their own root certificates. Even if Microsoft can't technically stop PC makers or retailers from installing other certificates in the Windows root store, it could at least make it clear in its contracts with them that they can't do that.
Robert Graham, from Errata Security, posted the following in a recent blog post:
"If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," he said. "I suggest 'international first class,' because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking." He added: "I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic."
Graham also noted that even though Dell didn't add the Superfish software to its systems, that's irrelevant: the real problem in Lenovo's case was likewise the inclusion of its own root certificate together with the private key, just as Dell has done now.
Dell said that the certificate was introduced to make it easier for its online technical support teams to quickly identify the computer models they were trying to fix. The company said that it will stop adding this certificate to new laptops in the future. It added that it will release an update on November 24 to remove the certificate. Dell also pointed customers to a list of instructions they can follow to remove the eDellRoot certificate themselves.
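For administrators who want to check their fleet rather than wait for Dell's update, the following PowerShell script is an added example, not code from the article or from Dell's own removal instructions. It audits both Windows root stores for the eDellRoot certificate and, more broadly, flags any trusted root whose private key is present on the machine, which is exactly the condition that makes the Dell certificate dangerous. It assumes the certificate's subject is "CN=eDellRoot" (the article names the certificate but gives neither its subject nor its thumbprint) and that the `-DeleteKey` switch of `Remove-Item` is available in the certificate provider, which it is on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the article or Dell): audit the Windows root stores
# for the eDellRoot certificate and for any trusted root that carries a private
# key on this machine. Run from an elevated PowerShell prompt; add -Remove to
# delete the eDellRoot certificate and its key.
#
# ASSUMPTION: the eDellRoot certificate's subject is "CN=eDellRoot". The article
# names the certificate but does not give its subject or thumbprint.

param(
    [switch]$Remove   # removal happens only when explicitly requested
)

$suspectSubject = 'CN=eDellRoot'

# Both stores feed the system trust list used by SChannel-based clients such as
# Internet Explorer and Chrome; Firefox keeps its own store and is not covered.
$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $rootStores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert   = $_
        $isDell = $cert.Subject -like "*$suspectSubject*"
        # A trusted root whose private key lives on the endpoint is the core
        # problem: whoever copies that key can mint certificates this machine
        # will trust for any site.
        $hasKey = $cert.HasPrivateKey
        if ($isDell -or $hasKey) {
            $reason = if ($isDell) { 'eDellRoot' } else { 'root with private key' }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $hasKey
                Reason        = $reason
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No eDellRoot certificate and no root certificate with a local private key found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings | Where-Object Reason -eq 'eDellRoot') {
        $path = Join-Path $f.Store $f.Thumbprint
        # -DeleteKey removes the associated private key along with the certificate
        # (certificate provider, Windows 8 / Server 2012 and later).
        Remove-Item -Path $path -DeleteKey
        Write-Output "Removed $($f.Subject) ($($f.Thumbprint)) from $($f.Store)"
    }
}
```

Only the eDellRoot entries are removed automatically. Other roots reported with `HasPrivateKey` set may be legitimate (a machine running its own test CA, for example), so those are listed for review rather than deleted. After removal, reopening a site in Internet Explorer or Chrome should no longer chain to eDellRoot, and a second run of the script should report nothing.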
______________________________________________________________________
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.
You can follow him at @lucian_armasu.