Dell PCs were found to have the eDellRoot certificate preinstalled as a trusted root, together with its private key, and worse, the same certificate and key were found on every affected Dell laptop.
Johannes Ullrich, dean of research for the SANS Technology Institute, said that because the eDellRoot certificate acted as a trusted root certificate authority (CA), and Dell shipped the corresponding private key, anyone could create certificates that affected machines would accept as validly signed.
"I could create a certificate for Google.com, sign it using the Dell key, and then all affected Dell laptops would trust my certificate," Ullrich said. "This may also apply to signing software, as this CA was defined as usable for any purpose. Some CAs are only labeled as useable for specific purposes."
The eDellRoot certificate was even more dangerous because, unless users removed it in a specific way, it would recreate itself after a system reboot.
Earlier this year, Lenovo PCs were found to have Superfish adware preinstalled. Superfish used its own certificate to inject ads into Web pages on Lenovo machines, but to do so it also installed a self-signed root HTTPS certificate, which made it capable of intercepting encrypted traffic for every website a user visited.
According to Craig Young, security researcher for Tripwire Inc., based in Portland, Ore., preinstalled root certificates such as Superfish's or eDellRoot break the chain of trust established by certificate authorities.
"SSL relies on a web of trust, stemming from certificate authorities out to individual websites," Young explained. "Web browsers and other system software expect that a connection is private when a remote server provides a security certificate signed by a trusted certificate authority. If the public and private keys from a trusted CA are known to an attacker, it becomes possible for virtually all private communications to be intercepted."
Young said the man-in-the-middle attacks made possible by this root certificate could lead to big risks for users.
"If the victim computer has trust for that bogus CA, the attacker can steal passwords, cookies, credit card numbers and even replace downloaded software or updates with malware," Young said. "Normally, this type of attack will result in browser interstitials, like a red X warning the user of impending danger. The ability for an attacker to generate certificates that will go unquestioned by victim computers completely undermines the protections afforded by HTTPS and other SSL-based services."
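The following is an added demonstration, not Dell's or Tripwire's code, of the mechanism Ullrich and Young describe: a root CA whose private key is known to an attacker lets that attacker mint a certificate for any hostname, and a machine that trusts the root validates it with no warning, while a machine without the root rejects it. It uses only the openssl command-line tool; the root name eDemoRoot, the unrelated OtherRoot and the hostname www.example.net are constructed for the demo. The demo root carries no extended key usage, mirroring Ullrich's remark that the eDellRoot CA was usable for any purpose.

```shell
#!/bin/sh
# Added demo (not Dell's code): why a shipped root CA private key is a
# universal man-in-the-middle key. eDemoRoot / OtherRoot / www.example.net
# are constructed names. Requires only the openssl CLI (1.1.0 or later).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Create a self-signed root CA: $1 is its common name. Writes $WORK/$1.key
#    and $WORK/$1.crt. Shipping the .key file on every laptop is the mistake.
#    No extendedKeyUsage is set, so the root is "usable for any purpose".
make_root() {
  name=$1
  cat > "$WORK/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = $name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# 2. The attacker, holding the leaked root key, issues a server certificate
#    for a host they do not control ($1). No CA validation step is involved;
#    possession of the key is the only requirement.
issue_rogue_leaf() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -config "$WORK/eDemoRoot.cnf" -subj "/CN=$host" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$host" > "$WORK/leaf.ext"
  openssl x509 -req -days 90 -in "$WORK/leaf.csr" -CA "$WORK/eDemoRoot.crt" \
    -CAkey "$WORK/eDemoRoot.key" -set_serial 4242 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# 3. What a victim's TLS stack does: chain validation plus hostname check
#    against its trust store. $1 = CA bundle standing in for the machine's
#    root store, $2 = hostname the user typed. Exit 0 = trusted (no
#    interstitial), non-zero = rejected (red warning page).
verify_with_store() {
  store=$1
  host=$2
  openssl verify -CAfile "$store" -verify_hostname "$host" "$WORK/leaf.crt" >/dev/null 2>&1
}

demo() {
  make_root eDemoRoot      # the root the vendor shipped, private key included
  make_root OtherRoot      # an unrelated root: a store where eDemoRoot was removed
  issue_rogue_leaf www.example.net
  openssl x509 -noout -subject -issuer -in "$WORK/leaf.crt"
  if verify_with_store "$WORK/eDemoRoot.crt" www.example.net; then
    echo "store trusting eDemoRoot: rogue cert for www.example.net ACCEPTED, no warning"
  fi
  if ! verify_with_store "$WORK/OtherRoot.crt" www.example.net; then
    echo "store without eDemoRoot: rogue cert REJECTED, user would see an interstitial"
  fi
}

demo
```

Running the script prints the rogue leaf's subject and issuer, then shows the same certificate passing validation against a store that holds eDemoRoot and failing against one that does not. That is exactly the difference between an affected laptop and a machine from which the root was properly removed.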
Young also set up a test page that lets users check whether their systems are affected: if a machine does not show a certificate warning when following the link, it trusts the eDellRoot certificate.
Dell moved quickly to release instructions and an automated tool to help users remove the certificate, and also attempted to explain why such a certificate was preinstalled on devices.
"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers," Dell spokeswoman Laura P. Thomas wrote in a blog post. "This certificate is not being used to collect personal customer information. It's also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."
Steve McGregory, director of application and threat intelligence for Ixia, based in Calabasas, Calif., commended Dell on releasing a fix within 24 hours of the initial reports.
"They still have a lot of PR work to do, and they must provide their customers with information on how they vet and control preloaded applications to regain customer trust," McGregory said. "The main problem is that many people who bought a computer with this root CA installed will not know they have it and they will be vulnerable until it is rectified. I don't know how Dell will fully remediate this issue."
According to Ullrich, the statement from Dell "stops the bleeding," but this scenario never should have happened in the first place.
"Essentially, they added a huge backdoor that can be exploited by others. This is similar to adding a support administrator account with a default username and password. While Dell may not use it to download the users' secret document, others can," Ullrich said. "I have not seen any active reach out by Dell to affected customers. These certificates need to be removed as fast as possible to avoid additional damage any malware may cause that takes advantage of this problem."