Dell’s self-signed certificate exposes PCs to hacking

JC Torres - Nov 24, 2015, 4:00am CST

Earlier this year, Lenovo was discovered to have pre-installed third-party “adware” called Superfish, a scandal that has made many PC users and security companies wary of such OEM tactics. It seems Lenovo isn’t the only one, and to some extent Dell’s mistake might be even worse. The PC maker has now been discovered to be installing a self-signed security certificate on many, if not all, of its laptops, and compromising a single vulnerable laptop is enough to expose every affected model to attack.

While Lenovo can partly feign ignorance by claiming it wasn’t fully aware of what the third-party Superfish software did, Dell has no escape. The eDellRoot certificate is something it wrote itself and pre-installed on a number of laptops. More than that, Dell took a few almost unbelievably illogical steps that compound the security issue even further.

For one, it bundles the private key together with the certificate. It was only a matter of time before that key became available on the Internet, which isn’t surprising at all. To make matters worse, Dell uses the same certificate, which means the same private key, on all affected systems. This means that if you are able to gain access to one, you can gain access to all. Hackers need only perform a man-in-the-middle (MitM) attack, one of the most common techniques, tricking owners into connecting to what they might think is secure public Wi-Fi or even their home router.

Dell says the original intention of the certificate was to provide secure and convenient access to online customer service. It allows people on Dell’s side to immediately identify a PC’s model, drivers, OS, and other specs when users connect to Dell’s online support. The company, however, admits that it has unfortunately introduced a gaping hole in the security of the laptops. An ironic twist of events, to say the least.

Right now, the only way out is for users to remove the certificate themselves, with Dell providing instructions via e-mail and on its tech support site. The company, however, remains quiet on which specific models and series are affected by this security hole, though user reports indicate a list that includes the XPS 15, XPS 13, Latitude, and Inspiron 5000.
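For readers who want to check a machine before following Dell's removal instructions, the following report-only audit is an added example, not taken from Dell or from the original article. It generalizes the problem described above: it lists every trusted root certificate whose private key is stored on the machine, plus any root matching the name eDellRoot. Matching on the subject string is an assumption based on the certificate name the article gives.

```powershell
# Added example: report-only audit of the Windows trusted root stores.
# A trusted root should normally carry only a public key. A root whose
# private key is also present locally can be used to sign certificates
# the machine will trust, which is the flaw the article describes.

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Assumption: the certificate subject contains the name used in the article.
$nameOfInterest = 'eDellRoot'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $matchesName = $_.Subject -like "*$nameOfInterest*"

        # Flag roots that ship with a private key, or that match the name.
        if ($_.HasPrivateKey -or $matchesName) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                HasPrivateKey = $_.HasPrivateKey
                MatchesName   = $matchesName
                NotAfter      = $_.NotAfter
                Thumbprint    = $_.Thumbprint
            }
        }
    }
}

if ($findings) {
    # The CurrentUser view can repeat machine-wide entries; compare thumbprints.
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No trusted root with a local private key or matching name was found.'
}
```

The script changes nothing in the certificate store; any entry it reports should be reviewed and, for the Dell certificate, removed by following Dell's published instructions.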

VIA: PCWorld

