Recently manufactured Dell laptops shipped with a security certificate that makes it easy for an attacker to perform a man-in-the-middle attack and potentially steal personal information, even over an encrypted connection. The flawed certificate was not an accident: Dell deliberately installed the credentials, labeled with “eDellRoot” as their issuer, on its machines as part of a support tool.
Because every affected machine carries the same certificate, and it is “self-signed” (its trustworthiness is vouched for only by itself, not by a certification authority such as VeriSign), an attacker can extract the private key and use it to forge security certificates for other websites, which the Dell machines would then accept as genuine.
As a result, an attacker could, for instance, sit in a coffee shop with public Wi-Fi and intercept any login details sent from an affected Dell laptop, or pose as their online banking website in order to extract further information.
In a recent statement, Dell acknowledged the vulnerability and linked to a guide on permanently removing the software that caused it.
The company stated: “We became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”
It stressed that the certificate was not itself “malware or adware”, nor was it “being used to collect personal customer information”. It said: “We will also push a software update starting on November 24 that will check for the certificate and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”
The firm thanked users who brought it to their attention and invited others to flag up any further security issues.