Earlier this year it was revealed that Lenovo was shipping computers preloaded with software called Superfish, which installed its own root certificate into the system's HTTPS trust store. That alone would have been bad enough, but every installation of Superfish used the same root certificate and the same private key, and that key could be extracted from the software. That meant all the affected computers were vulnerable to a "man in the middle" attack: anyone holding the private key could issue a certificate for any website, eavesdrop on users' encrypted connections, and even impersonate other websites outright.
Now it appears that Dell has done the same thing [PDF], shipping laptops pre-installed with an HTTPS root certificate issued by Dell, known as eDellRoot. The certificate could allow malicious software or an attacker to impersonate Google, your bank, or any other website. Because the certificate carries no restriction on what it may be used for, it could also allow an attacker to sign malicious code so that it carries a valid signature, bypassing Windows security controls. The security team for the Chrome browser appears to have already blocked the certificate. People can test if their computer is affected by the bogus certificate by following this link.
Ars Technica is reporting that at least two models of Dell laptop have been confirmed to contain the rogue certificate, but the actual number is possibly much higher.
The same certificate appears to be installed on every affected Dell machine, which would let an attacker compromise every affected Dell user, provided they had the private key Dell used to create the certificate. Fortunately for attackers (and unfortunately for Dell's customers), Dell shipped that key on all the affected laptops as well. The result is that anyone with an affected Dell laptop could use it to create a valid HTTPS certificate for any website, and every other affected Dell laptop would trust it. One security researcher set up this test site with a certificate signed by the Dell root to prove that the attack was possible. During the test, the researcher confirmed that Firefox, Chrome and Internet Explorer all established an encrypted connection to the site with no warnings at all on an affected Dell laptop. Notably, the Dell root certificate was also discovered on at least one SCADA system (the type of computer system used to control industrial equipment, including in power plants, water treatment centers, and factories).
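To make that failure mode concrete, here is an added example (not code from the original article, from Dell, or from the researcher's test site) that reproduces it with openssl. A vendor root CA is created and its private key is kept next to the certificate, just as eDellRoot's was; anyone holding that key then mints a certificate for an arbitrary hostname, and a client that trusts the vendor root accepts it without complaint. The names ExampleVendorRoot and www.bank.example are made up, and the PEM file trust-store.pem stands in for the Windows certificate store. The last function is the check a practitioner wants: scan a trust bundle for a root with a given name.

```shell
#!/bin/sh
# Added example, not code from the original article or from Dell.
# Simulates the eDellRoot failure mode with openssl: a vendor root CA whose
# private key ships on every machine lets anyone forge a certificate for any
# hostname. "ExampleVendorRoot" and www.bank.example are made-up names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the vendor mints a root CA and ships BOTH the certificate and the
# private key. On a real laptop the key sat in the Windows certificate store;
# here it is just vendor.key. trust-store.pem plays the role of that store.
make_vendor_root() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = ExampleVendorRoot
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -keyout "$WORK/vendor.key" -out "$WORK/vendor.crt" 2>/dev/null
    cp "$WORK/vendor.crt" "$WORK/trust-store.pem"
    : > "$WORK/empty-store.pem"   # the same store after the root is removed
}

# Step 2: anyone holding the leaked key signs a leaf for an arbitrary hostname.
# Nothing in the root (no name constraints, no EKU limit) stands in the way.
forge_leaf() {
    host=$1
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$host" \
        > "$WORK/leaf.cnf"
    openssl req -new -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/vendor.crt" \
        -CAkey "$WORK/vendor.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Step 3: what a client that trusts only the given store decides about the
# forged leaf when connecting to $host. Prints "accepted" or "rejected".
verify_against() {
    store=$1; host=$2
    if openssl verify -no-CAfile -no-CApath -CAfile "$store" \
        -verify_hostname "$host" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# The check: does a PEM bundle contain a certificate whose subject CN matches?
# Prints "yes" or "no". crl2pkcs7 + pkcs7 -print_certs walks every cert in the
# bundle, which plain "openssl x509" (first cert only) would not.
has_root_named() {
    if openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep -q "CN *= *$2"; then
        echo yes
    else
        echo no
    fi
}

main() {
    make_vendor_root
    forge_leaf www.bank.example
    echo "vendor root present in store: $(has_root_named "$WORK/trust-store.pem" ExampleVendorRoot)"
    echo "forged cert for www.bank.example, root trusted: $(verify_against "$WORK/trust-store.pem" www.bank.example)"
    echo "forged cert for www.bank.example, root removed: $(verify_against "$WORK/empty-store.pem" www.bank.example)"
}

main
```

The second verification, against the store with the root removed, is why Dell's removal instructions actually work: once the root is gone from the store, every certificate it ever signed stops validating, whoever holds the key. On a real Windows machine the equivalent of has_root_named is listing the machine root store in PowerShell, for example `Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*eDellRoot*'`, which is an assumption about the store's PSDrive layout rather than anything from the article.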
Less than 24 hours after Ars Technica published the story, Dell issued an apology stating:
Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.
The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
Dell has also released an application to uninstall the certificate [exe] and instructions for how to remove the root certificate manually.
While we applaud Dell for responding to this fiasco so quickly, the fact remains that it never should have happened in the first place. The rogue eDellRoot certificate was issued two months after the Superfish debacle. Furthermore, Dell used the Superfish debacle to its advantage, promoting the security of its own products. Since Dell clearly knew that installing a root certificate, à la Superfish, was a bad idea, why did it make the exact same blunder?
We hope that other computer manufacturers will learn from this fiasco, if they didn't already learn from Lenovo and Superfish. Hardware manufacturers need to realize that installing their own root certificates on consumer machines is dangerous and irresponsible, since it compromises the security of the entire web. If they don't, they're guaranteed to keep facing embarrassment and losing the trust of their customers.