Two Dell laptop models are shipping with a Superfish-style certificate hack – The Verge
Dell users may have a serious security problem on their hands, thanks to an unorthodox SSL certificate that comes pre-installed on a number of the company’s laptops. The certificate, called eDellRoot, was first discovered by a programmer named Joe Nord. Because Dell installs it in the Windows trusted root certificate store, affected computers are set to trust any SSL certificate it signs.
The problem is that the certificate’s private key is stored on the laptop alongside it, and it is the same key on every affected machine. An attacker does not need to forge or break anything: the key can simply be extracted and used to sign certificates for any website, which affected machines will accept as genuine, exposing users to all manner of SSL attacks. Users have found the certificate and key on both the Inspiron 5000 and XPS 15, and The Verge was able to detect it on an XPS 13, suggesting it may be present on a significant portion of the Dell laptops currently on the market.
Reminiscent of Lenovo’s Superfish scandal
It’s reminiscent of a similar scandal that hit Lenovo in February, when the company was caught pre-installing an adware program called Superfish along with a similar self-signed root certificate and its private key. Dell’s case is different, since there’s no indication that the certificate is being used to plant ads on the laptops, but the resulting security problem is the same. To fix the issue, users will need to manually remove the certificate from the trusted root store, a task most users will not know how to perform.
Because the private key for the certificate ships on each computer, a technically adept criminal would not even need to reverse-engineer anything: exporting that signing key is enough to certify malicious traffic as if it were legitimate. That power could be used to attack Dell users logged onto a public Wi-Fi hotspot, or to target traffic from deeper in the network through a more sophisticated attack, harvesting credit card numbers, passwords, or other sensitive information.
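The check a Dell owner or administrator would actually want is whether eDellRoot is present in the machine’s or user’s trusted root store, whether its private key is on the box, and how to take it out. The script below is an added example, not code from The Verge, Dell or Duo Security; it runs in an elevated PowerShell session and matches the certificate by the subject name “eDellRoot” given above (the only identifier taken from the article; store paths and cmdlets are standard Windows ones). It only audits unless -Remove is passed.

```powershell
# Added example (not from the article): audit the Windows root certificate
# stores for the eDellRoot certificate described above, report whether its
# private key is present on this machine, and optionally remove it.
# Run from an elevated PowerShell prompt.
param(
    [switch]$Remove   # audit only unless -Remove is given
)

# A trusted root in either of these stores makes every certificate it signs
# trusted for that scope (all users of the machine, or the current user).
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint   # more than one may exist
                NotAfter      = $_.NotAfter
                # HasPrivateKey is the dangerous part: a root CA certificate
                # should never carry its signing key on an end-user machine.
                HasPrivateKey = $_.HasPrivateKey
                IsSelfSigned  = ($_.Subject -eq $_.Issuer)
            }
        }
}

if (-not $found) {
    Write-Output 'No eDellRoot certificate found in the root stores.'
    return
}

$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($c in $found) {
        # -DeleteKey removes the associated private key together with the
        # certificate instead of leaving the key material behind on disk.
        Remove-Item -Path (Join-Path $c.Store $c.Thumbprint) -DeleteKey -Verbose
    }
    Write-Output 'Removed. Re-run without -Remove to confirm the stores are clean.'
}
```

Save it as, for example, Find-EDellRoot.ps1, run it once to see what is installed (any row showing HasPrivateKey as True is a machine that can be impersonated), then run it again with -Remove. Removing the certificate only stops this machine from trusting what the key signs; it does nothing about copies of the same key that exist elsewhere.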
In fact, some security researchers have already been able to exploit the bad certificates. Darren Kemp, a researcher at Duo Security, says the problem may be even more complex than Nord’s first post suggests. “It appears that there is definitely more than one eDellRoot thumbprint as well as at least one other defunct private certificate on the system that we were able to crack the password on without substantial effort,” Kemp said in a statement.
In the meantime, it’s still unclear how many Dell computers are affected by the certificate problem, and why the self-signed certificate was included in the first place. In a statement to The Verge, a Dell representative said the company was still looking into the certificate, but emphasized Dell’s policy of minimizing pre-loaded software for security reasons. “Customer security and privacy is a top concern for Dell,” a representative said. “We have a team investigating the current situation and will update you as soon as we have more information.”
3:00PM ET: Updated with statement from Duo Security.