Dell's 'Superfish:' Customer Discovers 'eDellRoot' Certificate And Private Key On Laptop

A Reddit user reported that Dell is bundling its own certificate in the Windows certificate root store, as well as the certificate's private key. This can leave Dell customers vulnerable to attacks and surveillance by malicious hackers, much like what happened with Lenovo earlier this year in the "Superfish" scandal.

The worst part about this is the bundling of the private key with the Dell root certificate, because now others can use that key to generate other certificates for sites such as google.com or bankofamerica.com. Those certificates should work on browsers such as Internet Explorer and Chrome, which use the Windows root store. Firefox comes with its own certificate root store, so it shouldn't be affected.

This has been a worrying trend, with PC makers such as Lenovo, Dell, and perhaps others that we don't know about yet, bundling their own certificates on PCs that come pre-installed with Windows. It's surprising Dell would still do something like this now after the whole Superfish scandal Lenovo experienced this spring.

It's also surprising that Microsoft is still allowing OEMs to install their own root certificates. Even if Microsoft can't technically stop PC makers or retailers from installing other certificates in the Windows root store, it could at least make it clear in its contracts with them that they can't do that.

Robert Graham, from Errata Security, posted the following in a recent blog post:

"If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," he said. "I suggest 'international first class,' because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking." He added: "I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic."

Graham also noted that even though Dell didn't add the Superfish software to its systems, that's irrelevant, as the real problem in Lenovo's case was also including its own root certificate and private key, just like Dell did now.

Dell said that the certificate was introduced to make it easier for its online technical support teams to quickly identify the computer models they were trying to fix. The company said that it will stop adding this certificate to new laptops in the future. It added that it will release an update on November 24 to remove the certificate. Dell also pointed customers to a list of instructions they can follow to remove the eDellRoot certificate themselves.

______________________________________________________________________

Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • koss64
    The blogger quoted isn't doing any of Dell's customers or the industry for that matter by telling them they need to panic, for situations like this running around screaming your head off isn't going to protect one customer at the end of the day. I understand the reason Dell put the certificate on their machines as it would help customer service (lots of customers I have dealt with can't find their model numbers, all they can tell me is that it's a Dell or an HP) but it's not excusable, you can't be putting that on people's laptops and they don't know, it would have been better if they explained why they did it and its benefits beforehand. Regardless, at least they have addressed the issue and won't be putting it back on their machines and have left instructions to take it off if you so desire, again that blogger's response to this issue will only serve to get him hits and advertising revenue and not necessarily help our security shellshocked industry.
  • KevITGuy
    I used the .EXE fix and it doesn't even fix the problem. I did the manual way to make the stuff go away. What a bunch of Bull from Dell.
  • computerguy72
    They actually reacted pretty quickly. Just 1 day after it was pointed out. This is nothing like Superfish.
  • "Dell's corporate customers need to panic"

    In reality, any of Dell's corporate customers with any reasonable sized IT department will have their own custom build. For everyone else this is a huge deal. There goes another manufacturer off my list that I can no longer recommend.

    This isn't so much an issue about the security of a bunch of laptops and desktops, it's a much more fundamental issue of trust. And it's because of that that issues like this won't just stop with customers buying laptops and desktops, but also server and storage kit too. More worrying is that Dell now owns EMC, who in turn owns VMware. Who knows what they have in mind in the enterprise. Where does it end?
  • captaincharisma
    I guess UEFI BIOS has its cons. In this case the PC manufacturers found a way to spam and make sure their bloatware stays on their PCs.
  • captaincharisma
    17008990 said:
    "Dell's corporate customers need to panic"

    In reality, any of Dell's corporate customers with any reasonable sized IT department will have their own custom build. For everyone else this is a huge deal. There goes another manufacturer off my list that I can no longer recommend.

    This isn't so much an issue about the security of a bunch of laptops and desktops, it's a much more fundamental issue of trust. And it's because of that that issues like this won't just stop with customers buying laptops and desktops, but also server and storage kit too. More worrying is that Dell now owns EMC, who in turn owns VMware. Who knows what they have in mind in the enterprise. Where does it end?

    Well, get ready to not recommend any of them. Odds are they will start finding them on every other brand name PC. I guarantee you HP is doing it.
  • d_kuhn
    I've bought a lot of Dell Workstations... they've never had any crapware bundled (that's consumer), I wonder if this isn't the same issue. With ANY new machine I always wipe and reinstall from a clean ISO (or have our Corporate IT folks put their own image on in some cases) but at least with their corporate targeted hardware I've never had any visible preinstalled junk on Dell or HP machines (the two vendors I use the most).