Update 11/24/2015: Dell Responds to the Security Concerns:
Dell has officially responded to the eDellRoot issue on its Support blog. It has released a manual, eDellRoot Certificate Removal Instructions, as well as a small utility (direct link) that removes the certificate automatically.
You can test whether you have the eDellRoot certificate by clicking this link (which we explain below). If you do have it, we suggest you read Dell’s blog post, download the PDF, and follow the instructions for getting rid of it.
It’s also worth noting that today we discovered it’s not just an issue with laptops (which is what we originally reported). In fact, this is a problem with all form factors of Dell PCs. If you have a Dell PC, you should check whether eDellRoot is on your system. For the full story, read our report below.
eDellRoot Certificate Security Risk
In what is turning out to be another case of déjà vu, it was discovered over the weekend that Dell Inc. has, since August, been shipping a self-signed root certificate called eDellRoot on its PCs, which the company says was meant to give its customers easier access to support services. A Reddit user who goes by the name rotorcowboy posted details of the discovery on the popular social media site.
I got a shiny new XPS 15 laptop from Dell, and while attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA (Certificate Authority) by the name of eDellRoot. With it came its private key, marked as non-exportable. However, it is still possible to obtain a raw copy of the private key by using several tools available (I used NCC Group’s Jailbreak tool). After briefly discussing this with someone else who had discovered this too, we determined that they are shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers. For those that aren’t familiar, this is a major security vulnerability that endangers all recent Dell customers. Source
As a refresher, Lenovo received tremendous backlash when it was discovered that the company had been loading a similar root certificate, called Superfish, on select Lenovo devices. The company received so much bad press for the act that some have said the incident probably tarnished its long-standing reputation as a popular brand among consumers and businesses. With Lenovo being a Chinese-owned company, and given the recent icy political relations between China and the US, the company has been trying to rebuild trust with consumers ever since. The incident was so bad that Microsoft had to help with the cleanup by issuing a definition update for Windows Defender that assisted with removing the certificate.
So far, users have found the vulnerable certificate on the Dell Inspiron 5000, XPS 15 and XPS 13. Since this is a new development, it could be on other Dell PCs on the market, too.
That incident was thought to have been a proper warning for other vendors, but Dell, one of the top three PC makers, evidently missed the lesson. The company is already trying to turn things around by issuing the following statement to the media:
Customer security and privacy is a top concern and priority for Dell. The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience.
Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support.
We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.
A Dell representative also made a statement to The Verge saying: “We have a team investigating the current situation and will update you as soon as we have more information.”
Because there are no details on which systems might be affected, customers will have to depend on Dell for assistance.
Is Your Dell PC at Risk? Here’s How to Test It
If you want to know whether your system might be affected, you can visit this website, created by security journalist Hanno Böck, which tests your system for the certificate’s presence.
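For readers who would rather check locally than visit a website, here is an added example (not from this article, from Dell, or from Hanno Böck’s test site) that performs the same check described in the update above and in this section: a PowerShell function, hypothetically named Test-EDellRoot, looks through the Windows trusted root certificate stores for a certificate named eDellRoot and reports whether the private key that makes it dangerous is present on the machine. It only detects; removal should follow Dell’s published instructions.

```powershell
# Added example, not Dell's tool: detect an eDellRoot trust root and whether its
# private key is on this machine. Detection only; remove it per Dell's instructions.
function Test-EDellRoot {
    [CmdletBinding()]
    param(
        # Both hives are checked: a per-user trust root is as dangerous to that
        # user as a machine-wide one is to everyone.
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    $findings = foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match 'eDellRoot' -or $_.Issuer -match 'eDellRoot' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    # A private key present alongside a trust root means anyone
                    # holding that key can sign certificates this PC will accept.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }

    if (-not $findings) {
        Write-Host 'eDellRoot not found in the checked root stores.'
        return
    }

    foreach ($f in $findings) {
        $severity = if ($f.HasPrivateKey) { 'HIGH: private key is on this machine' }
                    else                  { 'trusted root present' }
        Write-Warning ('eDellRoot found in {0} (thumbprint {1}) - {2}' -f $f.Store, $f.Thumbprint, $severity)
    }

    # Return the findings as objects so they can be exported or fed to inventory tooling.
    $findings
}

Test-EDellRoot
```

Run it in an elevated PowerShell session so the LocalMachine store is readable; an empty result with the "not found" message means the checked stores are clean.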
Research so far has produced proof-of-concept scenarios in which the eDellRoot certificate and its key can be used to issue certificates that affected systems accept as valid, which is what makes attacks possible.