Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12:00 PM
Connect Directly

Dell Hands Hackers Keys To Customer Systems

Dell installs root certificate with associated private keys to create its very own Superfish scenario.

Dell customers are scrambling today to deal with a root certificate debacle that some security experts are likening to the Lenovo Superfish issue that emerged earlier this year. Brought to light in a reddit post over the weekend, the issue is with a root Certificate Authority (CA) certificate called eDellRoot that includes a private key and has been installed on new Dell computers and those updated by Dell software.

"It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug," wrote Rob Graham, owner of Errata Security. "Dell needs to panic. Dell's corporate customers need to panic." 

According to the researchers with Duo Labs, the fact that eDellRoot is being shipped with an associated private key that is identical in all models is an epic fail. This information makes it trivial to impersonate websites, whether it be online banking sites, shopping sites, or Google.

"If a user was using their Dell laptop at a coffee shop, an attacker sitting on the shop’s wi-fi network could potentially sniff all of their web browsing traffic, including sensitive data like bank passwords (or) emails," wrote Duo Labs researchers Darren Kemp, Mikhail Davidov and Kyle Lady. "The attacker could also manipulate the user’s traffic, e.g., sending malware in response to requests to download legit software, or install automatic updates - and make it all appear to be signed by a trusted developer." 

According to Graham, if he were an attacker, he'd be out at the nearest big city airport by the international first class lounges and eavesdropping on encrypted communications in hopes of finding vulnerable Dell users. 

"I suggest 'international first class,' because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking," Grahm says.

For its part, Dell acknowledged the issue yesterday and posted instructions on how to remove the certificate from its machines. As of today, Dell software updates will remove the certificate, the company says. Dell also says that unlike with Lenovo, the root certificate was not used to insert adware on customer machines. 

"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers," Dell said in a statement. "This certificate is not being used to collect personal customer information."

This really doesn't matter to the security community, though. While the fact that Superfish was meant to power adware made things worse, Graham says that the big problem was a root cert shipping with private keys.

"In this respect, Dell's error is exactly as bad as the Superfish error," he says.

According to Andrew Lewman, vice president of data development at Norse, enterprises should automatically be reinstalling operating systems rather than trusting default factory installs. Nevertheless, they should take extra precautions.

“As for protection, all enterprises should block the Dell certificate authority both on the network and on their devices. Uninstalling the certificate authority from laptops and desktops should be a matter of a policy update.” 


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/27/2015 | 11:27:07 AM
Well.. that sure woried me. I'm not sure I will buy Dell products before a looong time 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-26
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
PUBLISHED: 2020-10-26
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
PUBLISHED: 2020-10-26
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
PUBLISHED: 2020-10-26
The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
PUBLISHED: 2020-10-26
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software* U...