Dell, the world's third-biggest PC maker, has apologized to customers for making it very easy for hackers to breach the security of its computers: it shipped them with a self-signed root certificate, together with its private key, preinstalled in the Windows trusted root store. Researchers have since found the same certificate in use on at least one system used to control critical infrastructure.
Responding to the concerns raised by customers who had recently purchased Dell PCs, the company admitted that "a certificate [called eDellRoot], installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability." While some have linked this to the controversy over Lenovo shipping its PCs with the Superfish adware earlier this year, Dell has played down such claims, saying the certificate was present "to make it faster and easier for our customers to service their system."
In an emailed statement to International Business Times, the company said it did not pre-install any adware or malware on its devices. "Customer security and privacy is a top concern and priority for Dell. The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience," the statement said.
Root certificates are a critical part of how encrypted connections like HTTPS validate the site you're connecting to: a browser accepts a website's certificate only if it chains up to a root that the machine already trusts. Typically those roots belong to a Certificate Authority (CA), which keeps the corresponding private key locked away, because that key is what signs new certificates. In this case the root was created by Dell, and the private key that signs certificates in its name was shipped on the machine alongside the certificate (a big security no-no), and the same key was present on every affected Dell PC. Anyone who extracts that key from one laptop can sign a certificate for any website, and every affected Dell machine will accept it as genuine. This means a hacker could intercept a Dell user's web browsing traffic, read it, and manipulate it to deliver malware to the user's PC.
"If a user was using their Dell laptop at a coffee shop, an attacker sitting on the shop’s Wi-Fi network could potentially sniff all of their TLS encrypted traffic, including sensitive data like bank passwords, emails, etc," Darren Kemp, a security researcher at Duo Labs, said.
Dell has released instructions to allow customers to remove the certificate, but the problem could go much deeper: researchers at Duo Labs revealed that the insecure certificate had been used by at least one supervisory control and data acquisition (SCADA) system, the kind of system typically used to control critical infrastructure such as electricity grids, power stations and dams. The researchers didn't go into any more detail about the location of the system or what industry it was being used in.
Kemp points out that in conjunction with the Lenovo-Superfish fiasco, there is "a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over."
How To Remove eDellRoot Certificate
- Go to the Start Menu, type "mmc" and press Enter (you need an administrator account to edit the computer's certificate store)
- Go to File > Add/Remove Snap-in
- Pick Certificates and press Add
- Choose Computer account and press Next
- Choose Local computer and press Finish
- Press OK
- Expand Certificates and Trusted Root Certification Authorities
- Pick the Certificates folder and look to see if eDellRoot is present
- If it is, right-click it, choose Delete and confirm
- Check again after a reboot: the Dell Foundation Services software that installed the certificate can put it back, so follow Dell's instructions for removing that component as well
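The same check and removal can be scripted. The block below is an added example, not code from the article or from Dell; it matches the certificate by the subject name eDellRoot given above and reports whether the trusted root on the machine is a CA certificate and whether its private key is present, which is the condition the article describes as the core of the problem. The store paths and the function names are this example's own choices, and the thumbprint it prints should be compared with the one in Dell's own advisory before deleting anything.

```powershell
# Added example (not from the article or from Dell): audit the Windows certificate
# stores for the eDellRoot root certificate and optionally remove it.
# Run from an elevated PowerShell prompt; editing Cert:\LocalMachine needs admin rights.

function Find-EDellRoot {
    [CmdletBinding()]
    param(
        # Assumption: the certificate lives in the trusted root stores; both the
        # machine-wide and the per-user store are checked.
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match '(^|,\s*)CN=eDellRoot(,|$)' } |
            ForEach-Object {
                # Basic Constraints (OID 2.5.29.19) says whether this is a CA certificate,
                # i.e. whether certificates it signs will be trusted by this machine.
                $isCa = $false
                $bc = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
                if ($bc) { $isCa = [bool]$bc.CertificateAuthority }
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    IsCA          = $isCa
                    # A trusted root whose private key sits on the box is the real problem:
                    # whoever holds that key can issue certificates this machine trusts.
                    HasPrivateKey = $_.HasPrivateKey
                    PSPath        = $_.PSPath
                }
            }
    }
}

function Remove-EDellRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $found = @(Find-EDellRoot)
    if ($found.Count -eq 0) {
        Write-Host 'eDellRoot not found in the root stores.'
        return
    }
    foreach ($cert in $found) {
        if ($PSCmdlet.ShouldProcess("$($cert.Thumbprint) in $($cert.Store)", 'Remove certificate')) {
            # -DeleteKey removes the associated private key container as well as the certificate.
            Remove-Item -Path $cert.PSPath -DeleteKey
        }
    }
}

# Usage:
#   Find-EDellRoot | Format-List      # show what is installed, including HasPrivateKey
#   Remove-EDellRoot -WhatIf          # preview the deletion
#   Remove-EDellRoot                  # delete the certificate and its key
```

Run Find-EDellRoot again after a reboot: if the certificate reappears, the software that installed it is still present and needs to be dealt with as well, as Dell's instructions describe.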