Dell computers shipping with potentially dangerous root certificate authority

The threat posed by the pre-installed CA is being likened to Superfish

At least some Dell laptops are shipping with a trusted root certificate authority pre-installed, something that those who discovered the CA are comparing to the Superfish adware installed on Lenovo machines that left them open to man-in-the-middle attacks.

Called eDellRoot, the trusted root CA comes as part of the standard software load on new Dell machines. A Reddit contributor who uses rotocowboy for a screen name says the implications could be dire. “For those that are unfamiliar with how this works,” he writes, “a network attacker could use this CA to sign his or her own fake certificates for use on real websites and an affected Dell user would be none the wiser unless they happened to check the website's certificate chain. This CA could also be used to sign code to run on people's machines, but I haven't tested this out yet.”

The eDellRoot certificate is intended for all purposes, meaning its privileges are more extensive than those of a DigiCert certificate also installed on the machine examined by programmer Joe Nord, another Dell owner. “I'm having a tough time coming up with a good reason that Dell Computer Corporation needs to be a trusted root CA on my computer,” Nord writes in his blog.

Dell hasn’t responded yet to a request for an explanation of eDellRoot and whether customers should worry. This story will be updated when it does.

However, the DellCares Twitter account responded to rotocowboy promising to check into his concerns. “We understand your situation. We will reach out to our product group team and let you know as to why eDellroot is present,” the tweet says.

It’s not clear whether the CA was installed by Dell or by a partner allowed to pre-install software on the machine or by an attacker who has infiltrated Dell’s production line.

Nord’s post also includes a screenshot of information about the certificate that says, “You have a private key that corresponds to this certificate.” Nord writes: “As a user computer, I should NEVER have a private key that corresponds to a root CA. Only the certificate issuing computer should have a private key and that computer should be ... very well protected!”

He writes that it’s impossible to tell whether Dell itself installed the certificate. “Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit,” Nord says. “Where it breaks down is that the private key IS PRESENT on my computer and that means ... bad.”
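The two conditions described above, a trusted root whose private key sits on the user's machine and a certificate not limited to specific purposes, can be checked with a read-only audit of the Windows root stores. The PowerShell below is an added example, not code from this article, Nord's post or Dell; it assumes that a missing Enhanced Key Usage extension means "unrestricted" and ignores any purpose restrictions set as store properties.

```powershell
# Added example: read-only audit of the Windows trusted-root stores.
# Flags any trusted root whose private key is present locally and reports
# whether the certificate itself restricts its purposes. Changes nothing.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_

        # Assumption: no EKU extension => the certificate does not limit its own use.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $purposes = if ($eku) {
            ($eku.EnhancedKeyUsages | ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
            }) -join ', '
        } else {
            '<unrestricted>'
        }

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey = $cert.HasPrivateKey
            Purposes      = $purposes
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
        }
    }
}

# A root CA's private key belongs only on the issuing system, so any hit
# here deserves investigation regardless of who the subject claims to be.
$withKey = @($findings | Where-Object { $_.HasPrivateKey })
if ($withKey.Count -gt 0) {
    Write-Warning "Trusted roots with a local private key: $($withKey.Count)"
    $withKey | Format-List
} else {
    Write-Output 'No trusted root certificate has a private key on this machine.'
}
```

Because root certificates are self-signed, the `Subject` shown for a hit proves nothing about who installed it; the thumbprint is the value to compare across machines.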

Nord and rotocowboy both liken the potential danger of eDellRoot to the Superfish adware that was discovered on new Lenovo computers earlier this year. Superfish proxied HTTPS connections between Web sites and users’ machines, which allowed insertion of data into any page the machine was downloading. In addition, Superfish used the same certificate across all Lenovo machines and the private key for the certificate was easy to capture.

Mikko Hypponen, Chief Research Officer for F-Secure, posted on Twitter linking Superfish to eDellRoot: “Note: Dell created their #eDellRoot certificate six months after Lenovo's Superfish scandal hit the news. No lessons learned.”
