
Refried fish: Dell admits pre-installing dodgy certificate on PCs

Superfish-like certificate leaves Dell machines vulnerable to man-in-the-middle attacks

PC resellers should be prepared for a deluge of questions from customers, as Dell confirmed that its Dell Foundation Services application installed a self-signed root certificate authority (CA) on laptops.

The self-signed certificate came to light over the weekend. One of the first customers to speak up was a Reddit user, Kevin Hicks, who revealed his findings on Monday.

“I got a shiny new XPS 15 laptop from Dell, and while attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA (Certificate Authority) by the name of eDellRoot,” wrote Hicks, aka rotorcowboy. “After briefly discussing this with someone else who had discovered this too, we determined that they are shipping every laptop they distribute with the exact same root certificate and private key.”

The Internet did its thing and within a few hours, users around the world were confirming that they too had the rogue certificate.

Browsers rely on certificates to verify that a website is the one it claims to be, and they trust any certificate issued by a CA in the machine's trusted root store. The problem with eDellRoot in particular is that the private key is the same on every affected machine and is bundled on the user's computer, so anyone who extracts it once can sign a certificate for any site. A man-in-the-middle attacker could then present a spoof website, and the browser would validate the bogus site as legitimate because the forged certificate chains to a root it already trusts.

Dell was impressively quick to respond and by the end of Monday, issued a statement:

“We became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability,” Dell admitted in a blog post. “The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”

Users and media pundits have quickly likened the vulnerability to Lenovo’s Superfish, which caused a splash back in February; but Dell insisted that the certificate’s intentions in life were less ominous.

“The certificate is not malware or adware,” Dell said. “Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information.”

Dell has issued instructions on how to manually remove the certificate and while the process is relatively straightforward, the PC giant said it would be releasing an automatic update for the less technically inclined. A few websites have sprung up (here and here), allowing Dell users to test their system for eDellRoot.
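For resellers who would rather check a machine locally than rely on a third-party test site, the following PowerShell script is an added example (not Dell's tool or its removal instructions). It searches the Windows certificate stores for a certificate whose subject or issuer contains the name eDellRoot, as reported in the article, and flags whether the private key is present on the machine, which is the condition that makes the certificate dangerous; the store paths and property names are standard Windows ones, and nothing beyond the certificate name is taken from Dell.

```powershell
# Added example: find the eDellRoot certificate in the Windows certificate
# stores and report whether its private key is installed alongside it.
# Only the name "eDellRoot" comes from the article; the stores checked are
# the standard trusted-root and intermediate stores for machine and user.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' -or $_.Issuer -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key sits on the endpoint is
                # exactly what Hicks described: whoever holds that key can
                # issue certificates this machine will accept.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $findings) {
    Write-Output 'eDellRoot not found in the checked certificate stores.'
} else {
    Write-Output 'eDellRoot present; entries with HasPrivateKey = True are the risky ones:'
    $findings | Format-Table -AutoSize
    # The script only reports; removal should follow Dell's published steps.
}
```

Run it from an elevated PowerShell prompt so the LocalMachine stores are readable; a machine that was fixed by Dell's update should report nothing.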

Security research expert David Kennerley said that such vulnerabilities were more commonplace than we might expect. 

“The eDellRoot is not the first software of this type installed on PCs, sadly it is common practice in the industry,” Kennerley said. “Many customers aren’t aware of it being installed, leaving them wondering how they have an infection on a brand new laptop when it is picked up by an anti-virus program. Above and beyond this, it is [sic] raises questions on how ethical it is.”  

It is difficult to know what the long term ramifications will be on Dell’s reputation, but given that over 40% of its business globally is coming from the channel (50% in EMEA), there are many resellers that may feel the fallout. Partners would do well to be as proactive as possible in cleaning up this little mess.
