Dell PCs Ship with Huge Security Hole, à la Superfish


Following close on the heels of the Lenovo "Superfish" debacle comes news of yet another major manufacturer embroiled in a very similar security controversy, this time US-based Dell.

As part of an enhanced support tool, Dell installed a self-signed root certificate (eDellRoot) in the Windows trusted root store of its computers, together with the corresponding private key, the same key on every affected machine. Anyone who extracts that key can sign a certificate for any website, and affected machines will accept it as genuine, so an attacker sitting on the same network can intercept and read users' HTTPS traffic without triggering a single browser warning. Dell was apparently blissfully unaware of this, which is all the more surprising given that the company did it with full knowledge of Lenovo's very similar blunder, which came to light earlier this year.

In Lenovo's case the goal was ad injection, whereas Dell asserts that it was only trying to streamline remote support. Regardless of intention, the result is the same: a gaping security hole for everyone affected.

At this stage it remains unclear exactly which models are affected. However, Dell PC owners can check whether their machine trusts the rogue certificate here: https://edell.tlsfun.de/ (the test page presents a certificate signed by eDellRoot; if it loads without a certificate warning, your machine is affected).


(NOTE: Firefox is not vulnerable because it maintains its own certificate store rather than using the Windows one. Internet Explorer, Edge and Chrome all rely on the Windows store, so the test should be performed using one of those browsers.)

*A second rogue certificate (DSDTestProvider) has also been uncovered, but it is not preloaded and is installed only if/when a customer chooses to download the Dell System Detect software. According to Dell, "the impact from Dell System Detect is limited to customers who used the 'detect product' functionality on our support site between October 20 and November 24, 2015".


Dell has confirmed the existence of the rogue certificates and provided instructions on how to permanently remove them.

NOTE: For those who may find Dell's instructions a tad overwhelming, Major Geeks has provided a download that removes the certificate automatically: eDellRoot Certificate Fix

*Dell also began pushing a software update on November 24 that checks for the certificate and removes it if detected.
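For readers who would rather check and clean up from the command line, here is a PowerShell script added to this post (it is not Dell's update, Dell's instructions or the Major Geeks fix) that does what the test page and the removal steps above cover: it looks for certificates named eDellRoot and DSDTestProvider in the Windows certificate stores, reports whether the private key is present on the machine, and with -Remove deletes the certificates along with their keys. The list of store paths it checks is an assumption on my part: a trusted root lands in LocalMachine\Root, and the other two are checked as a precaution.

```powershell
<#
  Added example for this post; not Dell's removal tool and not the Major Geeks fix.
  Looks for the eDellRoot and DSDTestProvider certificates (names as reported
  above) in the Windows certificate stores, reports whether the private key is
  present on the machine, and with -Remove deletes the certificates together
  with their keys. The store paths checked are an assumption: a trusted root
  lands in LocalMachine\Root; the other two are checked as a precaution.
  Run from an elevated PowerShell prompt (Run as administrator).
#>
param(
    [switch]$Remove
)

$suspectNames = @('eDellRoot', 'DSDTestProvider')
$storePaths = @(
    'Cert:\LocalMachine\Root',   # Trusted Root Certification Authorities
    'Cert:\LocalMachine\CA',     # Intermediate Certification Authorities
    'Cert:\CurrentUser\Root'     # per-user trusted roots
)

# Match "CN=eDellRoot" or "CN=DSDTestProvider" as a whole subject component.
$pattern = 'CN=(' + ($suspectNames -join '|') + ')(,|$)'

function Find-SuspectCertificate {
    foreach ($path in $storePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    # A trusted root whose private key sits on the box is the whole
                    # problem: with that key anyone can sign certificates this
                    # machine will trust.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$found = @(Find-SuspectCertificate)

if ($found.Count -eq 0) {
    Write-Host 'Neither eDellRoot nor DSDTestProvider was found in the checked stores.'
    return
}

$found | Format-Table -AutoSize

if (-not $Remove) {
    Write-Host 'Run again with -Remove (from an elevated prompt) to delete these certificates and their private keys.'
    return
}

foreach ($cert in $found) {
    $itemPath = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
    # -DeleteKey removes the associated private key as well as the certificate.
    Remove-Item -Path $itemPath -DeleteKey -Force
    Write-Host "Removed $($cert.Subject) from $($cert.Store)"
}
Write-Host 'Re-run without -Remove to confirm the stores are now clean.'
```

Save it as, say, Find-DellRootCert.ps1, run it once without arguments to see what is on the machine, then run it with -Remove from an administrator prompt. One caveat worth knowing before you rely on a manual removal: the Dell Foundation Services plugin that installed eDellRoot in the first place can put it straight back, which is why Dell's own instructions deal with that component as well as the certificate; if the script reports the certificate again after a reboot, that component is still present and Dell's full instructions (or the November 24 update) are the way to go.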


About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years' experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.
