If you haven’t heard, Dell has been in the news lately. Word has it that Dell has been shipping PCs and laptops with a security vulnerability that makes it possible for attackers to deliver malware and trigger automatic updates without leaving a trace. The underlying reason: a ‘trusted’ root certificate, together with its private key, is installed identically across various Dell models.
In SSL public key infrastructure (PKI), asymmetric and symmetric encryption are repeatedly mentioned. Asymmetric encryption uses a key pair: a public key and a private key. Whoever holds the private key can encrypt and decrypt messages and, in the case of a root certificate, can issue certificates under it, for example under eDellRoot. In the wrong hands, that key lets anyone issue ‘trusted’ certificates and push updates under the Dell brand name.
Dell has acknowledged this security flaw and has released a public statement on this matter:
“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”
Steps to Remove the Certificate
Dell has since published an instruction manual, on 23 Nov 2015, to remove the certificate in two ways: (1) automatic removal or (2) manual steps.
In addition, Dell also pushed an automatic software update on 24 Nov 2015 to detect and remove the eDellRoot certificate on affected computers.
Cyber Secure Asia (CSA) recommends that all Dell users run a check on their system to see whether the eDellRoot certificate exists. If it does, follow the steps outlined in the instruction manual to remove this vulnerability completely.
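One way to run the check CSA recommends, as an added example that is not from the original post or from Dell's own removal tool: it only reports, it removes nothing, and it assumes Windows PowerShell with the built-in Cert: drive. Matching on the subject name ‘eDellRoot’ is an assumption, since the post gives no thumbprint.

```powershell
# Added example: report any eDellRoot certificate in the trusted root stores.
# Assumes Windows PowerShell and the built-in Cert: drive; it only reports.
function Find-EDellRoot {
    [CmdletBinding()]
    param(
        # Name to look for (assumption: the certificate's subject is "eDellRoot")
        [string]$Name = 'eDellRoot'
    )
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    $hits = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Name -or $_.Issuer -match $Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # The risk described above: the root ships with its private key.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
    return $hits
}

$found = Find-EDellRoot
if (-not $found) {
    Write-Host 'No eDellRoot certificate found in the trusted root stores.'
} else {
    $found | Format-Table -AutoSize
    if ($found | Where-Object { $_.HasPrivateKey }) {
        Write-Warning 'eDellRoot is present WITH its private key: follow the Dell removal instructions.'
    } else {
        Write-Warning 'eDellRoot is present: follow the Dell removal instructions.'
    }
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable in full; a hit with HasPrivateKey set to True is the case the post is about.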
Other Discoveries found in Dell Systems
While Dell has publicly acknowledged the eDellRoot vulnerability in its systems, researchers from Duo Labs found another certificate, the Atheros Authenticode certificate, shipped with its Bluetooth software. Though less likely to cause damage because the certificate expired on 31/3/2013, there is still a concern that anything signed before the expiry date could still be treated as valid.
We’ll just have to see if Dell releases anything on this one.