Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more.
The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.
If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The self-signed root CA cert appears to have been created in early April this year, and expires in the year 2039.
How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell's security blunder.
The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.
Web browsers, and other software, running on the affected Dell hardware will trust any certificates issued by eDellRoot. When the browser tries to connect to, say, your bank's HTTPS-protected website, it could in fact be connecting to a malicious system on your network, such as the aforementioned evil wireless hotspot. This system can pretend to be your bank's website, using an eDellRoot-signed SSL certificate, and you would be none the wiser as you type in your username and password. The intercepting system can even log into the bank on your behalf and pass the webpages back to your browser so you're none the wiser of what's going on.
Dell customers reported over the weekend finding the root CA certificate on newer Dell XPS, Precision and Inspiron desktops and notebooks.
So far, we've seen reports on Twitter and Reddit of the following affected gear: the XPS 15, Latitude E7450, Inspirion 5548, Inspirion 5000, Inspiron 3647, and the Precision M4800.
Our San Francisco office's Inspirion 15 series laptop is also affected.
Caught red-handed ... the eDellRoot CA cert on a Dell machine – click to enlarge (Source)
Information security expert Kenn White has created a webpage that demonstrates how vulnerable Dell computers will happily accept HTTPS connections signed with the eDellRoot key.
Crucially, White also said Firefox is not affected by the rogue certificate because it uses its own set of trusted certs.
If you have a recent XPS 15 running Windows and can load my page: https://t.co/qExUHLQwH0 then you're vulnerable to Dell's bogus root cert.— Kenn White (@kennwhite) November 23, 2015
Another site to test whether your Dell is vulnerable to man-in-the-middle attacks can be found here.
Dell computer owner Joe Nord, who blogged details of the certificate installed in his Inspirion machine, noted the obvious security flaw with eDellRoot.
"Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit," he explained. "Where it breaks down is that the private key IS PRESENT on my computer and that means ... bad."
Dell has yet to respond to a request for comment on the matter, although the Dell Cares support account on Twitter is downplaying the risk of attack for users:
@rotorcowboy It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system, so we don't recommend-1— DellCares (@DellCares) November 22, 2015
The issue is just like Lenovo's February Superfish scandal in which the PC-slinger was caught loading its machines with a tool capable of intercepting SSL traffic and injecting adverts into pages. In fact, the Dell certificate was created months after the Superfish blowup – was no one at the Texas goliath paying attention? ®