You would think that a brand new computer would be secure, aside from requiring a few updates to software after being taken out of the box, but a Dell root certificate security flaw means even a brand new Dell laptop computer could be compromised within seconds of being connected to the Internet. Understandably, corporate customers and consumers alike are in uproar over the eDellRoot certificate security flaw that was recently discovered.
The security flaw was revealed by Dell as part of the company’s remote assistance support service. In order for Dell to “streamline” support for users, the company installed a self-signed root certificate on at least two models of Dell laptop computers – the Inspiron 5000 series and the company’s XPS 15 laptop.
Unfortunately, the root certificate is installed in the Windows root store along with the certificate’s private key. Any individual with a modicum of technical skill could obtain the key and use it to sign fake SSL/TLS certificates. In fact, the key is publicly available on the internet, so it is easy to obtain. This means that anyone using one of the aforementioned Dell laptops could visit an HTTPS-enabled website in the belief that the connection is secure, when in fact it may not be.
It would be possible for hackers to view data shared between the secure website and the Dell laptop. If the laptop is used to access a banking website via an open Wi-Fi network or the Internet is accessed via a hacked router, someone could listen in on that connection. Users could compromise their personal bank account information, passwords, or login credentials used to access their employer’s network.
Any company that has purchased either of the above Dell laptops could potentially be placing its entire network at risk. If a BYOD policy is in operation, personal Dell laptops are a huge risk to data security.
Not only could hackers eavesdrop on secure internet connections, it is possible that the Dell root certificate security flaw could be used to install malware on devices undetected. Since the certificate can be faked, it is possible that system drivers or software could be installed which fool the operating system into thinking they have come from a trusted developer. Even if a warning is issued, users may think it is safe to install a program because it appears to have been created by Dell.
Dell desktops, servers, and other laptops may contain the Dell root certificate security flaw
The extent of the problem is currently unclear, but the Dell root certificate security flaw may not be confined to two specific laptop models. All laptops, servers, and desktops sold by Dell could potentially be affected. The eDellRoot certificate is installed by Dell Foundation Services (DFS) and the application is not confined to the Inspiron 5000 and XPS 15 laptops. According to one source, the security flaw has also been found on the Dell Venue Pro. Dell says the root certificate was only installed on hardware since August 2015.
A few days after the discovery of the Dell root certificate flaw, a second certificate was discovered by Duo Security. This certificate was only present on a small number of systems around the world, although it was discovered on a SCADA (supervisory control and data acquisition) system.
It doesn’t end there. A third has been discovered. The DSDTestProvider certificate is installed by an application called Dell System Detect or DSD. This is not shipped with Dell hardware. Instead it is downloaded onto computers and laptops by users. If they visit the Dell support website they are asked to install the detection tool.
Dell Root Certificate Security Fix Released
Users are able to remove the eDellRoot certificate using a tool that has hastily been released by Dell. However, at the time of writing, there is no tool to remove the DSDTestProvider certificate. Any user of a Dell computer, server, or laptop should therefore keep up to date with eDellRoot and DSDTestProvider news and should check the Dell support website frequently for further information.
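A read-only check for the two certificate names this article mentions, as an added example that is not Dell's removal tool or code from the original article. It lists any certificate in the machine or user root store whose subject CN is eDellRoot or DSDTestProvider and reports whether a private key is attached. Matching by CN and the function name Find-SuspectRootCertificate are assumptions of this example.

```powershell
# Added example: audit the Windows root stores for the certificates named in this article.
# Assumption: certificates are matched by subject common name only; no thumbprints are assumed.
$SuspectNames = @('eDellRoot', 'DSDTestProvider')

# Root stores consulted when Windows decides whether a certificate chain is trusted.
$StorePaths = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root'
)

function Find-SuspectRootCertificate {
    param(
        [string[]]$Names = $SuspectNames,
        [string[]]$Paths = $StorePaths
    )
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            foreach ($name in $Names) {
                # Match the CN component exactly (case-insensitive), not any substring of the subject.
                $pattern = "(^|,\s*)CN=$([regex]::Escape($name))(\s*,|$)"
                if ($cert.Subject -match $pattern) {
                    [pscustomobject]@{
                        Store         = $path
                        Subject       = $cert.Subject
                        Thumbprint    = $cert.Thumbprint
                        # A self-signed root has identical subject and issuer.
                        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                        # True when the store entry is linked to a private key on this machine.
                        HasPrivateKey = $cert.HasPrivateKey
                        NotAfter      = $cert.NotAfter
                    }
                }
            }
        }
    }
}

$findings = @(Find-SuspectRootCertificate)
if ($findings.Count -eq 0) {
    Write-Output 'No eDellRoot or DSDTestProvider certificate found in the checked root stores.'
} else {
    Write-Warning "$($findings.Count) suspect root certificate(s) found."
    $findings | Format-List
}
```

The script changes nothing on the system; it only reports what is present in the two root stores.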
Extreme caution should be exercised when accessing apparently secure websites, and users should not access secure sites from open Wi-Fi networks until the Dell root certificate security flaw has been fixed.
According to ARS, security expert Kenn White was able to use the publicly available security key to create a secure HTTPS test site using the certificate. When he visited the site it flagged no warnings that the certificate could not be trusted when he used Internet Explorer, Microsoft Edge, and Google Chrome browsers. The only browser that recognized the certificate as being suspect was Firefox.