Leading PC manufacturer Dell is being accused of shipping its desktops and laptops with a self-signed digital certificate dubbed eDellRoot that could be exploited by hackers to leave the system vulnerable to man-in-the-middle attacks, letting them snoop on Internet traffic. Several users have confirmed on forums and social media networks that their Dell computers has the eDellRoot certificate preinstalled. The US-based company has acknowledged a security vulnerability in the said certificate.
"The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience," Dell said in a statement to Reuters. "Unfortunately, the certificate introduced an unintended security vulnerability."
Dell declined to say how many PCs or which models were affected. A Dell spokeswoman said the software began getting installed on laptops in August. Dell added PCs shipping would not contain the bug in the future.
The company added it would provide customers with instructions to permanently remove the certificate by email and on its support website.
The discovery comes nearly six months after Lenovo was caught pre-installing its own, self-signed root certificates on its machines. The certificates were provided by an adware advertising company called Superfish. Lenovo has since been caught in another such practice, where it was found to force installing suspicious programs on startup.
As for Dell, the digital certificate in question comes preinstalled as a root certificate and contains its private key. An attacker can exploit the vulnerability and use the key to sign certificates for other non-HTTPs websites. This could allow an attacker to decrypt encrypted Web browser traffic without a victim noticing anything. The vulnerability could allow an attacker to get fake Web pages pretend to be any other site, as Web browsers installed on a victim's Dell machine will trust any certificate issued by eDellRoot. For instance, a fake webpage can tap on eDellRoot-signed SSL certificate to pretend it's your banking website.
"Dell seems to be repeating the Lenovo Superfish fiasco. With the pre-installed certificate and its private key, any website can claim to be any other site and Dell computers wouldn't be able to tell the difference," Mikko Hypponen, Chief Research Officer at F-Secure told Gadgets 360 in a statement. "Bad stuff," he added.
As researchers point out, an attacker could get access to a victim's username, passwords, session cookies, and other sensitive information. The certificate can also be used to sign malicious apps and the computer wouldn't be able to tell a difference. Users are also reporting that it seems impossible to get rid of the digital certificate as even if you delete it, it pops-up right back after a reboot.
"'You have a private key that corresponds to this certificate'," wrote Joe Nord, a security researcher. "This is getting very fishy! As a user computer, I should NEVER have a private key that corresponds to a root CA. Only the certificate issuing computer should have a private key and that computer should be ... very well protected!"
Nord confirmed that his computer was vulnerable to attacks after visiting an HTTPS test website, which if visited from a Web browser on an unaffected computer will flag vulnerabilities in the webpage. Nord noted that Google's Chrome, Microsoft's Edge and Internet Explorer showed no warnings. Mozilla Firefox, however, alerted trust issues with the certificate on the said website.
Written with inputs from AFP