In an attempt to streamline remote support, Dell installed a self-signed root certificate and corresponding private key on its customers' computers, apparently without realizing that this exposes users' encrypted communications to potential spying.
Even more surprising is that the company did this while being fully aware of a very similar security blunder by one of its competitors, Lenovo, that came to light in February.
In Lenovo's case it was an advertising program called Superfish that came preinstalled on some of the company's consumer laptops and which installed a self-signed root certificate. In Dell's case it was one of the company's own support tools, which is arguably even worse because Dell bears full responsibility for the decision.
Ironically, Dell actually took advantage of Lenovo's mishap to highlight its own commitment to privacy and to advertise its products. The product pages for Dell's Inspiron 20 and XPS 27 All-in-One desktops, Inspiron 14 5000 Series, Inspiron 15 7000 Series, Inspiron 17 7000 Series laptops and probably other products, read: "Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."
Why should you care
The eDellRoot self-signed certificate is installed in the Windows certificate store under "Trusted Root Certification Authorities." Any SSL/TLS or code-signing certificate signed with the eDellRoot private key is therefore trusted by Internet Explorer, Chrome, desktop email clients and every other application on an affected Dell system that relies on the Windows store (applications that keep their own root store, such as Firefox at the time, are not affected by this particular installation). Because the same certificate and private key were installed on every affected machine, the key was a secret shared by, and extractable from, all of them; once published it became, in effect, a public CA key whose issuance nobody controls.
For example, an attacker can use the eDellRoot private key, which has since been published online, to issue a certificate for any website. Sitting on the network path, for instance on a public wireless network or a compromised router, the attacker can then intercept and decrypt HTTPS traffic between affected Dell systems and those websites.
In such a man-in-the-middle (MitM) attack, the attacker intercepts the user's HTTPS request to a site such as bankofamerica.com, terminates the TLS connection with a rogue bankofamerica.com certificate issued from the eDellRoot key, and opens a separate, legitimate connection to the real site from the attacker's own machine, relaying traffic between the two.
The user's browser shows a valid HTTPS connection to Bank of America, padlock included, while the attacker reads and modifies everything in plaintext in between. Browser certificate pinning does not help here: Chrome deliberately exempts chains that end in a locally installed root, precisely so that corporate inspection proxies keep working.
An attacker could also use the eDellRoot private key to issue a code-signing certificate and sign malware with it. On affected Dell systems such files would produce the milder User Account Control prompt shown for a verified publisher rather than the "unknown publisher" warning, because to the OS they appear to be signed by a trusted software publisher. Kernel-mode drivers are a different matter: 64-bit Windows validates driver signatures against a Microsoft-controlled set of roots rather than the local Trusted Root store, so a driver signed under eDellRoot would not pass driver signature enforcement on that basis alone. The user-mode code-signing case is the one to worry about.
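The two attacks above, the rogue HTTPS certificate and the rogue code-signing certificate, come down to a single trust decision: does the verifier's root store contain the issuer or not? The script below is an added example, not code from the article or from Dell; it reproduces that decision with the openssl command-line tool and a locally generated stand-in root. The real eDellRoot key is not used, and the names "eDellRoot-demo", "Malware Publisher (demo)" and the payload file are constructed for the demo. "with_root" models an affected Dell machine whose root store contains eDellRoot; "without_root" models an unaffected one.

```shell
#!/bin/sh
# Added example (not from the article): a stand-in for eDellRoot, a leaf issued
# from it for bankofamerica.com, a code-signing leaf, and the resulting trust
# decisions with and without the root in the trust store. Requires openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key pair plus certificate request: $1 = file stem, $2 = subject CN.
gen_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# 1. A self-signed root CA whose private key sits next to the certificate,
#    the artefact Dell shipped to every machine (constructed stand-in here).
build_root() {
    gen_csr root "eDellRoot-demo"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
}

# 2a. With that key, anyone can issue a server certificate for any hostname.
build_tls_leaf() {
    gen_csr tls "bankofamerica.com"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:bankofamerica.com,DNS:www.bankofamerica.com\n' > "$WORK/tls.ext"
    openssl x509 -req -in "$WORK/tls.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/tls.ext" -out "$WORK/tls.crt" 2>/dev/null
}

# 2b. Or a code-signing certificate for a made-up publisher.
build_codesign_leaf() {
    gen_csr codesign "Malware Publisher (demo)"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=codeSigning\n' > "$WORK/cs.ext"
    openssl x509 -req -in "$WORK/codesign.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/cs.ext" -out "$WORK/codesign.crt" 2>/dev/null
}

# Trust-store selector: $1 = with_root | without_root (models the Windows root
# store with or without eDellRoot present). Echoes openssl verify options.
store_opts() {
    case "$1" in
        with_root)    echo "-CAfile $WORK/root.crt -no-CApath" ;;
        without_root) echo "-no-CAfile -no-CApath" ;;
        *)            echo "usage: with_root|without_root" >&2; return 1 ;;
    esac
}

# 3. The HTTPS trust decision a browser using the Windows store would make.
verify_tls() {
    store="$(store_opts "$1")"
    if openssl verify $store -purpose sslserver -verify_hostname bankofamerica.com \
            "$WORK/tls.crt" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

# 4. Signing a file with the rogue code-signing key. Windows binaries use
#    Authenticode; a detached RSA signature over the file stands in for it here.
sign_payload() {
    printf 'MZ constructed fake executable\n' > "$WORK/payload.bin"
    openssl dgst -sha256 -sign "$WORK/codesign.key" -out "$WORK/payload.sig" "$WORK/payload.bin"
}

# The signature must be valid AND the signer's certificate must chain to a
# trusted root; only the second condition depends on the trust store.
verify_payload() {
    store="$(store_opts "$1")"
    openssl x509 -in "$WORK/codesign.crt" -pubkey -noout > "$WORK/codesign.pub"
    if openssl dgst -sha256 -verify "$WORK/codesign.pub" -signature "$WORK/payload.sig" \
            "$WORK/payload.bin" >/dev/null 2>&1 \
       && openssl verify $store "$WORK/codesign.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

build_root; build_tls_leaf; build_codesign_leaf; sign_payload
echo "HTTPS leaf for bankofamerica.com, root in store:     $(verify_tls with_root)"        # trusted
echo "HTTPS leaf for bankofamerica.com, root not in store: $(verify_tls without_root)"     # rejected
echo "Signed payload, root in store:                       $(verify_payload with_root)"    # trusted
echo "Signed payload, root not in store:                   $(verify_payload without_root)" # rejected
```

The leaf certificates are well-formed in every respect a client checks: correct hostname in the subjectAltName, serverAuth or codeSigning extended key usage, valid signature. Nothing about them is "wrong" except the issuer, which is why the only remediation is removing the root from the store. On Windows the equivalent check is the Trusted Root Certification Authorities store in certmgr.msc, looking for a certificate whose subject is eDellRoot.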