Dell Fails Security 101 with eDellRoot Certificate Flaw

Dell learned the hard way that creating your own security certificates can have unintended consequences, like opening major security holes on users' PCs. That's exactly what happened when Dell started including its own root certificate on new computers and opened the door for attackers to create their own valid certificates for webpages.

Oops! Dell's PCs are open to phishing attacks.

Security blogger Hanno Böck said Dell included a root certificate called eDellRoot and its corresponding private key on its computers, effectively giving attackers everything they need to craft their own valid certificates for webpages.

He said,

Laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has been published now. Therefore attackers can use Man in the Middle attacks against Dell users to show them manipulated HTTPS webpages or read their encrypted data.

In other words, hackers can spoof websites and trick browsers into thinking they're legit sites, then collect whatever data they can get victims to hand over. Dell users wouldn't have any indication there was a problem because the malicious websites they visit would verify as legit.

Dell is now offering instructions on how to remove the dangerous certificate, but it turns out that solves only part of the problem. Mr. Böck found a second certificate creating the same vulnerability in the Dell System Detect software.
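The condition the article describes, a trusted root certificate whose private key sits on the same machine, is something an administrator can audit for directly. The following PowerShell script is an added example, not Dell's removal instructions; it scans the machine and user root stores for a certificate matching the eDellRoot name or for any self-signed root that carries a private key locally (the store paths and the name match are the only assumptions):

```powershell
# Added example (not from the article or from Dell): audit the Windows trusted
# root stores for the eDellRoot condition. A root CA certificate should never
# have its private key present on an end-user machine; if it does, anyone with
# that key can issue certificates the machine's browsers will trust.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        # Name match for the certificate the article names.
        if ($_.Subject -like '*eDellRoot*') {
            $reasons += 'subject matches eDellRoot'
        }
        # General case: self-signed root whose private key is on this machine.
        if (($_.Subject -eq $_.Issuer) -and $_.HasPrivateKey) {
            $reasons += 'self-signed root with private key present locally'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No suspicious root certificates found in the audited stores.'
}
```

Any hit should be removed from the store following the vendor's published instructions; removing only the named certificate leaves the second one the article mentions in place, which is why the script also flags the general condition rather than one name.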

Dell responded to the news saying eDellRoot "was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system," and added that the certificate was included to make it easier for the company's online support to identify which computer model customers were using.

The PC maker posted instructions detailing how to remove the certificate, which is good, but the bigger issue is still there: Apparently Dell did not recognize the major security risk that shipping a self-signed root certificate and its private key on every PC it makes actually poses. The company essentially opened the door to customers' computers and told hackers to do as they please.

That doesn't do much to foster confidence in the company's products even knowing the certificate won't be included on future PCs. Despite the bad press Dell is getting, the company likely won't see a new decline in PC sales because the average Dell customer probably won't be aware of the problem when they buy their new PC.