Dell reported that it has been shipping Inspiron 14 laptops since August that inadvertently contained a security certificate, eDellRoot, that essentially gives hackers complete access to the system.
The issue was first unveiled on Reddit and then further explored by Darren Kemp, Mikhail Davidov and Kyle Lady at Duo Security who found the eDellRoot certificate, normally used to encrypt data, on a laptop they were using for a different project. The real kicker was Dell included the associated private key leaving the laptop wide open.
In order to properly exploit the eDellRoot certificate the bad actors have to interpose themselves between the Dell laptop and the internet.
“If a user was using their Dell laptop at a coffee shop, an attacker sitting on the shop’s Wi-Fi network could potentially sniff all of their TLS encrypted traffic, including sensitive data like bank passwords, emails, etc. The attacker could also manipulate the user’s traffic, e.g., sending malware in response to requests to download legit software, or install automatic updates – and make it all appear to be signed by a trusted developer,” the Duo team explained.
The private key can also be used to make malicious websites appear legitimate.
To help rectify the problem Dell has posted an 11-page set of instructions on how to remove the eDellRoot Certificate and plans to push an automatic update that will de-install the certificate. The company also issued a statement informing its customers that the certificate was placed with the best of intentions.
“It was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process,” said Dell spokesperson Laura P. Thomas in a blog post.
Wolfgang Kandek, Qualys CTO, told SCMagazine.com Tuesday in an email that it is also a good practice for companies to keep an up to date list of certificates. This will enable the organization to quickly track down if any of its devices contain a problem.
“Superfish and now Dell root are just 2 examples where a good inventory enables the security folks to be able to react quickly, or even be ahead of the game by auditing their installed certificates from time to time,” Kandek said.
The number of laptops containing eDellRoot has not been made public.