Earlier this week, there were three posts around the web showing that Dell notebooks were being shipped with a root certificate installed in the Trusted Root store. The certificate Dell computers have installed is named eDellRoot. This is reminiscent of Lenovo’s SuperFish incident where they allowed third-party adware to have a root certificate installed to monitor HTTPS traffic.
The three posts include:
- Joe Nord – New Dell computer comes with a eDellRoot trusted root certificate
- Reddit /u/rotorcowboy – Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish
- Hanno’s blog – Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections
The write-ups detail the certificate and capture it in screenshots.
Image credit: Joe Nord
If you would like to check to see if you have the eDellRoot certificate, you can use the online check built by Hanno Böck.
Researchers at Duo Security found two more certificates on a Dell Inspiron 14-inch laptop. One is related to the eDellRoot certificate, while the other is an Atheros certificate used to sign the Bluetooth drivers.
The problem with these certificates is that a root certificate in the Trusted Root store makes the machine accept any certificate issued under it, so TLS-encrypted traffic can be intercepted and decrypted, for example when you are using WiFi in a location where the traffic can be sniffed.
Dell responded to the concerns last night with a post to the corporate blog, simply titled Response to Concerns Regarding eDellroot Certificate. In it, they explain the origination of the certificate and provide instructions (.docx) on how to remove it to secure your system. On November 24th, they will also begin pushing a software update to automatically check for the certificate and remove it if found.
Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.
The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
The instructions cover stopping the Dell Foundation Services service and then removing the plugin and the certificate manually. Dell also provides a link to an automatic cleanup tool (.exe). If you re-image the computer and do not install Dell Foundation Services, you are not affected.
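For administrators who would rather check and clean their own fleet than rely on the online check or the .docx instructions, the following PowerShell script is an added example (it is not Dell's cleanup tool and not code from any of the linked posts). It searches both Trusted Root stores for certificates whose subject contains eDellRoot, reports them together with whether a private key is present on the machine, and, only when the -Remove switch is given, stops the support service and deletes the matching certificates. The -Remove switch, the subject-pattern parameter and the "Dell Foundation Services*" service display-name pattern are assumptions made for this example; compare the reported thumbprint against the value in Dell's own instructions before removing anything.

```powershell
# Added example, not Dell's tool: find, report and optionally remove trusted root
# certificates whose subject contains "eDellRoot". Run from an elevated session.
[CmdletBinding()]
param(
    # Subject substring to look for (assumed parameter; "eDellRoot" is the name from the reports).
    [string]$SubjectPattern = 'eDellRoot',
    # Only delete when explicitly asked to (assumed switch).
    [switch]$Remove
)

# Both Trusted Root stores: machine-wide and the current user's.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$SubjectPattern*" } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, PSParentPath, PSPath
}

if (-not $found) {
    Write-Output "No certificate matching '$SubjectPattern' found in the Trusted Root stores."
    return
}

# HasPrivateKey = True on a root certificate is the dangerous case: the machine holds the
# key that can sign certificates it will trust. Verify Thumbprint against Dell's published
# value (not reproduced here) before removal.
$found | Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey, PSParentPath -AutoSize

if ($Remove) {
    # Stop the support service first so its plugin is not active while the certificate is
    # removed. The display-name pattern is an assumption; adjust it if the name differs.
    Get-Service |
        Where-Object { $_.DisplayName -like 'Dell Foundation Services*' -and $_.Status -eq 'Running' } |
        ForEach-Object {
            Write-Output "Stopping service $($_.Name)"
            Stop-Service -Name $_.Name -Force
        }

    foreach ($cert in $found) {
        Remove-Item -Path $cert.PSPath
        Write-Output "Removed $($cert.Thumbprint) from $($cert.PSParentPath)"
    }
}
```

Run it without arguments to audit; run it with -Remove from an elevated prompt to clean up. Removing the plugin itself is not covered here and still follows Dell's published instructions, and Dell's statement that the certificate will not reinstall itself once removed through their process can be confirmed by running the audit again after a reboot.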
In closing, Dell directs people to their Vulnerability reporting site for future security concerns.