Dell: How to kill that web security hole we put in your laptops, PCs

Promises to automatically remove root CA cert from machines from Nov 24


Dell has published a guide on how to remove the web security backdoor it installed in its Windows laptops and desktop PCs.

This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole in their defenses.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines' owners at risk of identity theft and banking fraud.

The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell's cert and key to silently decrypt the victims' web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.
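
A read-only check for the two artifacts named above, the eDellRoot certificate and the Dell.Foundation.Agent.Plugins.eDell.dll plugin, as an added PowerShell example (not from this article or from Dell's guide). It goes slightly beyond the article by also listing any trusted root whose private key sits on the machine; matching by subject name and searching the Program Files and ProgramData directories are assumptions.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumptions: the certificate is matched by the subject name "eDellRoot";
# the plugin is searched for under Program Files / ProgramData because the
# article does not give its install path.
$certName   = 'eDellRoot'
$pluginName = 'Dell.Foundation.Agent.Plugins.eDell.dll'

# 1. General check: a trusted root CA whose private key is also on the endpoint.
#    An endpoint should hold only the public certificates of the roots it trusts.
$rootStores   = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$rootsWithKey = foreach ($store in $rootStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

# 2. Specific check: eDellRoot in any certificate store, not only the root store.
$eDellCerts = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Subject -like "*$certName*"
    } |
    Select-Object PSParentPath, Subject, Thumbprint, HasPrivateKey

# 3. The plugin that puts the certificate back after it is deleted.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) }
$plugins = Get-ChildItem -Path $searchRoots -Recurse -Filter $pluginName -File `
    -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

# 4. Report. The combination matters: the certificate alone can be deleted,
#    but it comes back while the plugin is still installed.
$status =
    if     ($eDellCerts -and $plugins) { 'AFFECTED: certificate and plugin present; remove the DLL as well as the certificate.' }
    elseif ($eDellCerts)               { 'AFFECTED: certificate present, plugin not found in the searched directories.' }
    elseif ($plugins)                  { 'PARTIAL: plugin present without the certificate; it may reinstall it.' }
    else                               { 'Not found: no eDellRoot certificate or plugin in the searched locations.' }

[pscustomobject]@{
    Status           = $status
    EDellRootCerts   = $eDellCerts
    ReinstallPlugins = $plugins
    RootsWithPrivKey = $rootsWithKey
}
```

Run it from an elevated prompt so the machine-wide stores and directories are fully readable; a non-empty `RootsWithPrivKey` list is worth reviewing even when eDellRoot itself is absent.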

Dell has posted information [.docx] on how to do this properly, and future machines will not include the dangerous root CA cert. A software update process will run from November 24 that will remove the certificate automatically from machines, we're told.

In a statement to the media, the Texas-based IT titan said:

The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.

Dell said that it started including the root CA certificate with machines in August, although an Inspiron 15 series laptop we bought in July has an eDellRoot certificate on it.

"We deeply regret that this has happened and are taking steps to address it," added Laura Thomas, Dell's chief blogger.

"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information.

"It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

If you've got a new Dell, you can check here to see if you have the dodgy root CA cert installed. For everyone, we'll leave you with this nightmare fuel... ®
