The discovery of what may be two rogue root certificates, each shipped together with its private key, on Dell PCs has reignited the debate on pre-installed software.
The debate was raised in February 2015 when Lenovo was found to be shipping the Superfish pre-installed adware that made customers vulnerable to HTTPS man-in-the-middle attacks through its use of self-signed root HTTPS certificates.
Dell has also been installing a self-signed root certificate, eDellRoot, as part of a support tool that supplies system information to make servicing a customer's machine faster and easier, but, like Superfish, the eDellRoot certificate introduced a significant security vulnerability.
But Dell emphasised in a blog post that the eDellRoot certificate is not malware or adware, and is not being used to collect personal customer information.
Security experts have warned that the certificate was installed together with its private key, the same key on every affected machine, and that anyone could extract that key with readily available tools. With the key, an attacker can sign a certificate for any HTTPS-protected website, or for Dell itself, that affected PCs will trust, which would enable them to intercept traffic and steal personal data, install data-stealing malware, or hijack the PC as part of a botnet.
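To make the risk concrete, the following PowerShell script reproduces the failure mode on a throwaway Windows test machine. It is an added example and is not Dell's, the researcher's or any vendor's code; the root name DemoRogueRoot, the hostname www.example.com and the PFX path are assumptions for the demo. It creates a root CA whose private key is marked exportable (as eDellRoot's was), pulls the key out with one cmdlet, imports it "on the attacker's machine", and mints a server certificate for an arbitrary hostname chained to that root. It needs the built-in PKI module (Windows 10 or Server 2016 and later) and does not touch the Trusted Root store.

```powershell
# Added demo, not Dell's code: why a root certificate shipped with an exportable
# private key lets anyone issue certificates that affected PCs will trust.
# Names, hostname and file path below are assumptions for the demo.

$pfxPath = Join-Path $env:TEMP 'rogue-root.pfx'   # assumed location
$pw      = ConvertTo-SecureString -String 'demo-only' -AsPlainText -Force

# 1. A root CA whose private key is marked Exportable, as eDellRoot's was.
$root = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=DemoRogueRoot' `
    -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=TRUE&pathlength=0') `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. "Extract the private key": with an exportable key this is one cmdlet and
#    needs no special tooling. A non-exportable key would fail at this step.
Export-PfxCertificate -Cert $root -FilePath $pfxPath -Password $pw | Out-Null

# The victim side is finished; remove the original so that everything from
# here on uses only the stolen PFX, as an attacker on another machine would.
Remove-Item -Path $root.PSPath -DeleteKey

# 3. The attacker imports the stolen root key ...
$stolen = Import-PfxCertificate -FilePath $pfxPath -Password $pw `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 4. ... and mints a server certificate for any hostname, signed by that root.
$leaf = New-SelfSignedCertificate -Type SSLServerAuthentication `
    -Subject 'CN=www.example.com' -DnsName 'www.example.com' `
    -Signer $stolen `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 5. The leaf is issued by the rogue root. Any PC that carries that root in
#    Trusted Root Certification Authorities will accept it for www.example.com.
[pscustomobject]@{
    LeafSubject  = $leaf.Subject
    LeafIssuer   = $leaf.Issuer
    RootSubject  = $root.Subject
    IssuedByRoot = ($leaf.Issuer -eq $root.Subject)
}

# Clean up the demo material.
Remove-Item -Path $leaf.PSPath, $stolen.PSPath -DeleteKey
Remove-Item -Path $pfxPath
```

The point of step 2 is that no "hacker tool" is involved: the operating system hands over the key because the certificate was provisioned with it marked exportable. Step 4 would work for any hostname, which is what turns a support convenience into a man-in-the-middle capability against every machine that trusts the root.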
Dell responded quickly by publishing a guide on how to remove the certificate once the issue was flagged up by Kevin Hicks, aka rotorcowboy, on Reddit. The company also said it would issue a software update to remove it automatically.
However, Laptop Mag claims to have discovered a second self-signed certificate, DSDTestProvider, which also shipped with its private key, on a recently manufactured Dell XPS 13.
Dell has subsequently responded by releasing a fix, reports the BBC. The company said the second problem affects users who downloaded its Dell System Detect product between 20 October and 24 November 2015, and was not pre-installed on computers.
Dell said the product was removed from its site once the issue was spotted and a replacement application was made available.
“The news that some Dell laptops are shipping with at least one, and now likely two, rogue root certificates represents a potential security breakdown in the process of laying down the factory operating system image on new laptops for consumer use,” said Tod Beardsley, security engineering manager at security firm Rapid7.
He urged users to contact their support representatives for instructions on how to remove these rogue certificates.
“Users rely on factory images of operating systems to be reasonably secure by default; the act of re-installing an operating system from original sources is often beyond the technical capabilities of the average end user,” said Beardsley.
David Kennerley, senior manager for threat research at cyber security firm Webroot, said that pre-installing self-signed certificates is common practice despite the Lenovo Superfish scandal.
“Some manufacturers give the option of not having these installed, but you have to know about such software before you can opt out.
“Whether it is unwanted adware or a self-signed root certificate authority, consumers should take precautions to know who is watching them on their own device and take the necessary security actions,” he said.
According to Andrew Lewman, vice-president of data development at security intelligence firm Norse, any enterprise should be reloading their operating systems on delivery and not simply using what comes from the factory by default.
“As for protection, all enterprises should block the Dell certificate authority both on the network and on their devices. Uninstalling the certificate authority from laptops and desktops should be a matter of a policy update,” he said.
Dell has confirmed that commercial customers who re-imaged their systems without Dell Foundation Services are not affected by this issue. Researchers at security firm Tripwire have published a free tool to enable Dell users to test for the eDellRoot certificate.
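For administrators who want to act on Lewman's advice to uninstall the certificate authority by policy, or to check a fleet without relying on a third-party tool, the following PowerShell script audits every certificate store on a machine for the two certificates named in this article and, on request, removes them together with their private keys. It is an added example, not Dell's removal guide or Tripwire's tool; the only identifiers it uses are the subject names eDellRoot and DSDTestProvider from the article, and the script file name Find-RogueDellRoot.ps1 is an assumption. Run it from an elevated prompt.

```powershell
# Added example, not Dell's or Tripwire's code: find and optionally remove the
# eDellRoot and DSDTestProvider certificates from every store on this machine.
# Usage (file name is assumed):
#   .\Find-RogueDellRoot.ps1            # report only
#   .\Find-RogueDellRoot.ps1 -Remove    # report and delete certificate + key
param(
    [switch]$Remove
)

# Cert:\ spans CurrentUser and LocalMachine and every physical store under
# them (Root, CA, My, ...), so a certificate misplaced outside Root is found too.
$hits = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.Subject -match 'CN=(eDellRoot|DSDTestProvider)\b' }

if (-not $hits) {
    Write-Host 'No eDellRoot or DSDTestProvider certificates found.'
    return
}

foreach ($cert in $hits) {
    # HasPrivateKey is what turns a stray root into an impersonation risk:
    # a certificate without its key cannot sign anything.
    [pscustomobject]@{
        Store         = ($cert.PSParentPath -replace '^.*::', '')
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
    } | Format-List

    if ($Remove) {
        # -DeleteKey also removes the key container, so re-importing the bare
        # certificate later cannot silently pick the old private key back up.
        Remove-Item -Path $cert.PSPath -DeleteKey -Force
        Write-Host "Removed $($cert.Subject) from $($cert.PSParentPath -replace '^.*::', '')"
    }
}
```

Two caveats a practitioner should keep in mind. First, the support service that installed eDellRoot can put it back, so removing the certificate alone is not enough; follow Dell's removal guide for the service component as well, or re-image as Lewman suggests. Second, the thumbprints the script prints are what you need for Lewman's network-side control: a TLS-inspecting proxy or IDS can be told to reject any chain that terminates in those roots, which protects machines that have not yet been cleaned.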
Brian Spector, chief executive of security firm Certivox, said the issue once again shows that the commercial digital certificate industry in general is broken and needs to be replaced.
“This latest incident is just one of many whereby the commercial certificate authority's position as a single point of trust is causing serious problems,” he said.
“In the short term, Dell should immediately stop delivering devices with this root certificate. In the long term, the tech industry must realise that PKI [public key infrastructure] isn't fit for purpose since the entity holding the root key can have such an adverse impact on the trust relationship with end users.”
According to Spector, the best thing to do is start over. “A new distributed trust paradigm needs to be established that replaces the single points of failure model. We are currently working with a small group of impactful partners to bring that future forward and would welcome others into our collective effort,” he said.