PC maker Dell has announced a fix for a major security flaw found in computers that the company shipped this year. Some of its systems came preinstalled with a self-signed root certificate whose private key is also present on the machine, which makes it easy for attackers to intercept the HTTPS traffic of every affected system.
Programmer Joe Nord found that a couple of Dell laptops, including an Inspiron 5000 series model and an XPS 15, carried a self-signed Transport Layer Security (TLS) root certificate issued to ‘eDellRoot’ in their trusted root store. Nord noted that the certificates on both systems are signed with the same private cryptographic key, so the key is not unique to each machine.
That means that an attacker could extract the key using publicly available tools and use it to sign a certificate for any website; the site would then appear to be secured with HTTPS and would be trusted by every computer that has the eDellRoot certificate preinstalled.
With such a certificate, the attacker can intercept those users’ traffic in a man-in-the-middle attack and, for example, capture credit card details and passwords or install malware on their computers.
Dell has acknowledged the issue and has published instructions for permanently removing the certificate. The company says it will also push a security update on November 24 to remove it automatically. Dell’s statement reads:
Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.
The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.
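As an added example (not from the article and not Dell’s own removal tool), the following PowerShell script audits the Windows trusted root stores for the eDellRoot certificate described above and, more generally, for any trusted root whose private key is present on the machine, which is the underlying defect: a root certificate with an on-disk private key lets whoever extracts that key sign certificates that every program trusting the root will accept. The script only reports by default and removes eDellRoot when run with -Remove. The store paths and the ‘eDellRoot’ subject match are the only assumptions; Dell’s published instructions remain the authoritative removal procedure, since they also cover the Dell Foundation Services component that installed the certificate.

```powershell
# Added example, not Dell's code. Run in an elevated PowerShell session on Windows.
# Default: report only. Pass -Remove to delete eDellRoot entries that are found.
param(
    [switch]$Remove
)

# Both the machine-wide and the per-user trusted root stores are checked,
# because a certificate in either one is trusted by browsers using the
# Windows store (assumption: these are the only stores of interest here).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    $roots = Get-ChildItem -Path $store -ErrorAction SilentlyContinue

    foreach ($cert in $roots) {
        # Match on the name the article reports for the Dell certificate.
        $isEDellRoot = ($cert.Subject -match 'eDellRoot') -or ($cert.Issuer -match 'eDellRoot')

        # A trusted root whose private key lives on this endpoint is a red flag
        # regardless of its name: the key can be extracted and used to sign
        # certificates that this machine will trust for any site.
        $keyPresent = $cert.HasPrivateKey

        if ($isEDellRoot -or $keyPresent) {
            [pscustomobject]@{
                Store            = $store
                Subject          = $cert.Subject
                Thumbprint       = $cert.Thumbprint
                NotAfter         = $cert.NotAfter
                SelfSigned       = ($cert.Subject -eq $cert.Issuer)
                PrivateKeyOnDisk = $keyPresent
                IsEDellRoot      = $isEDellRoot
            }

            if ($Remove -and $isEDellRoot) {
                # Removing from the Cert: drive deletes the store entry
                # (and its associated private key container, if any).
                Remove-Item -Path $cert.PSPath
                Write-Host "Removed '$($cert.Subject)' from $store"
            }
        }
    }
}
```

Save it as, for example, Audit-EDellRoot.ps1, run it once without arguments to see what is trusted and whether any root carries a private key, then run it again with -Remove from an elevated prompt to delete the eDellRoot entries. The output is a plain object per finding, so it can be piped to Export-Csv for fleet-wide collection.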
The security flaw is similar to Lenovo’s Superfish fiasco, which came to light in February. Lenovo shipped several PCs with a self-signed root certificate as well as adware that injected third-party ads into Google searches and websites without the user’s permission.
Published November 24, 2015 — 05:11 UTC