Got a Dell? Read This Now!

Category: Security

Dell computers running Windows that shipped with Dell Foundation Services since August 2015 have a gaping security hole that lets attackers eavesdrop on "secure" HTTPS connections and slip malware past Windows' signature checks. Whether you have a Dell or not, here's what you need to know -- and do -- right away...

What is the eDellRoot Problem?

When I said “bad actors” in the opening paragraph, I wasn't talking about Charlie Sheen and Kim Kardashian. The bad actors I'm talking about are cyber-criminals intent on exploiting a security flaw in Dell computers. Please read on, take action, and help to spread the word to friends and family who may be affected.

This vulnerability makes it possible to intercept SSL/TLS-encrypted communications. Yes, that means the "secure" HTTPS connection to your webmail, online banking and other sensitive sites is wide open to anyone who holds the key, and, as you'll see, anyone can. It also allows malware to be digitally signed so that it is accepted as legitimate by Windows' built-in defenses. The vulnerability has existed since August 15, 2015, when Dell itself created it with the intent of helping customers get tech support faster.

Dell installed, through its Dell Foundation Services support software, a root certificate named "eDellRoot" in the Windows Trusted Root Certification Authorities store. A root certificate is a certificate authority in its own right: Windows, and every program that relies on the Windows certificate store (Internet Explorer, Edge and Chrome among them), will trust any certificate signed with that root's private key without further checks. Companies legitimately create such private, self-signed certificate authorities so that in-house developers can sign internal applications and servers without having them tagged as "suspicious" by browsers or security software. The private key of such an authority, though, is supposed to stay locked up inside the company.


Signing any certificate under a root requires the root's private key, and in a competently run certificate authority that key is the crown jewel, kept offline or in a hardware security module. Dell instead shipped the eDellRoot private key on the customer's own computer, right next to the certificate. Worse, it is the same key on every affected Dell, a practice as dumb as using the same password everywhere you go: extract it from one machine and you can forge certificates that every other affected Dell will trust.

Worst of all, that key has found its way online, where anyone can get it. The key was supposed to be unreadable once installed, but researchers extracted it with freely available tools and posted it publicly. So all the ingredients of a security catastrophe are out there in the wild.

Multiple Attack Vectors

With the eDellRoot key, an attacker who can see your traffic (on the same public Wi-Fi, say, or on a compromised router) can run a "man in the middle" attack: he issues himself a certificate for your bank's domain, signs it with eDellRoot, and sits between your browser and the bank. Because the forged certificate chains to a root your copy of Windows trusts, the browser shows the padlock with no warning while the attacker decrypts, reads and, if he likes, alters everything before passing it along. The same trick lets him stand up bogus websites that pass as your bank, your Google account, and so on, so the padlock no longer tells you who is really on the other end.

Firefox is the one major browser not affected, because it keeps its own list of trusted root certificates rather than using the Windows store. Firefox will tell you that a site presenting a certificate signed by eDellRoot is untrusted, and block it. Ironically, that independence is one reason some corporate IT departments ban Firefox: it ignores the company's own internal root certificates unless it is configured separately.

The same key lets a hacker digitally sign his own malware with a certificate chaining to eDellRoot, so it looks like legitimately signed software. Windows warns you if an application is unsigned or its signature cannot be validated, a cue that the app should not be trusted. Malware signed under eDellRoot triggers no such warning, so that defense is gone on affected machines.

Why did Dell do this incredibly dumb thing? To help customers, of course. In a statement emailed to inquiring journalists, the company said, "When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service."

That’s wonderful, Dell, but did you have to leave everyone open to eavesdroppers and malware in order to save your tech support staff a bit of time?

Eliminating the Problem

It's easy to delete eDellRoot from the computer's certificate store using the Microsoft Management Console, but that alone fixes nothing: the Dell Foundation Services plugin that installed the certificate simply puts it back the next time the service starts, typically at the next reboot. So I won't bother detailing that procedure; the plugin has to go as well.

Dell has posted instructions for removing the eDellRoot certificate permanently at http://www.dell.com/support/edellroot (the step-by-step PDF is at https://dellupdater.dell.com/Downloads/APP009/eDellRootCertificateRemovalInstructions.pdf). You have three options. Dell is rushing a fix out through its update system, but it may be December 1 before it reaches every affected computer. The manual deletion process in the PDF works, but it involves a lot of clicking and navigation of obscure system utilities. The third option, and the one I recommend, is to download Dell's removal tool from that page and run it yourself instead of waiting for Dell Update to get around to your machine. If the tool reports "issue not found," your machine either never had the certificate or has already been fixed. A second certificate with the same flaw, DSDTestProvider (installed by the Dell System Detect support tool), surfaced shortly afterward; Dell's page covers removing both.
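Two things above deserve a concrete demonstration: why a root certificate whose private key is in an attacker's hands can impersonate any website and sign any program (the "Multiple Attack Vectors" section), and how to check a machine for such a root (this section). The following is an added example, not Dell's code or any code from the original article. It builds a constructed stand-in root named "eDellRoot" (not Dell's real certificate) with the third-party `cryptography` library, issues a bank certificate and a code-signing certificate under it, checks that both validate under that root, and then scans the Windows ROOT store using only the standard library's `ssl.enum_certificates`. The assumption that matching the certificate's common name against the two names reported on this page is a sufficient test is mine.

```python
"""Added example (not Dell's code): a root CA whose private key you hold can mint
a certificate for any site or for code signing; plus a scan of the Windows
Trusted Root store for the two rogue roots named on the page."""
import datetime
import platform
import ssl

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Subject common names reported on the page. Assumption: matching on CN is enough.
ROGUE_ROOT_NAMES = ("eDellRoot", "DSDTestProvider")


def _cn(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=365)


def make_root(common_name):
    """Self-signed CA certificate plus its private key (constructed test data,
    standing in for eDellRoot; not Dell's real certificate or key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity()
    cert = (
        x509.CertificateBuilder()
        .subject_name(_cn(common_name))
        .issuer_name(_cn(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, name, code_signing=False):
    """Whoever holds ca_key can issue this: a TLS cert for any hostname, or a
    code-signing cert. No domain validation, no questions asked."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity()
    eku = ExtendedKeyUsageOID.CODE_SIGNING if code_signing else ExtendedKeyUsageOID.SERVER_AUTH
    builder = (
        x509.CertificateBuilder()
        .subject_name(_cn(name))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    )
    if not code_signing:  # a server cert needs the hostname in its SAN
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(name)]), critical=False)
    return key, builder.sign(ca_key, hashes.SHA256())


def chains_to(leaf, root):
    """The core of path validation: was the leaf signed by the root's key?
    Everything the browser then trusts (padlock, signed-code check) rests on this."""
    if leaf.issuer != root.subject:
        return False
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def to_der(cert):
    return cert.public_bytes(serialization.Encoding.DER)


def rogue_roots(der_certs, names=ROGUE_ROOT_NAMES):
    """Return the CNs from `names` found among DER-encoded certificates."""
    hits = []
    for der in der_certs:
        subject = x509.load_der_x509_certificate(der).subject
        for attr in subject.get_attributes_for_oid(NameOID.COMMON_NAME):
            if attr.value in names:
                hits.append(attr.value)
    return hits


def scan_windows_root_store():
    """Windows only: read the ROOT system store through the stdlib and report
    rogue roots. Returns None elsewhere (ssl.enum_certificates is Windows-only)."""
    if platform.system() != "Windows":
        return None
    ders = [der for der, encoding, _trust in ssl.enum_certificates("ROOT")
            if encoding == "x509_asn"]
    return rogue_roots(ders)


if __name__ == "__main__":
    ca_key, ca_cert = make_root("eDellRoot")
    _, bank = issue_leaf(ca_key, ca_cert, "bank.example")
    _, signer = issue_leaf(ca_key, ca_cert, "Totally Legit Software", code_signing=True)
    print("bank.example cert trusted under eDellRoot:", chains_to(bank, ca_cert))
    print("code-signing cert trusted under eDellRoot:", chains_to(signer, ca_cert))
    print("rogue roots in this machine's ROOT store:", scan_windows_root_store())
```

Run it on the Dell itself (`pip install cryptography` first) and the last line tells you whether either root is present. A hit means Dell's removal tool, not just a delete in the certificate console, is in order; re-run the scan after the reboot that follows, since a certificate that comes back is the sign that the Dell Foundation Services plugin is still installed. A root certificate with its private key on the same machine is the general red flag here, whatever the vendor.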

Dell's blunder has been compared to Lenovo's "Superfish" adware (see my article, Does Your Computer Have VD?). Superfish installed its own self-signed root certificate to eavesdrop on SSL-encrypted Web traffic in order to help marketers better target ads, and because its private key was the same on every machine, hackers could use Superfish to steal passwords and other sensitive data. Like eDellRoot, Superfish reappeared after it was deleted. Like Dell, Lenovo rushed to scrape the egg off its face when Superfish was exposed.

Superfish was Lenovo’s cynical, calculated attempt to exploit its customers without regard for the financial damage they might suffer. The scary thing about eDellRoot is that Dell didn’t know what it was doing when it tried to “improve the customer experience.”

If you have a Dell computer, desktop or laptop, go to http://www.dell.com/support/edellroot and remove the dangerous eDellRoot (and DSDTestProvider) certificates. And please, help to spread the word to friends and family who also have Dell computers.

This article was posted on 25 Nov 2015


Most recent comments on "Got a Dell? Read This Now!"

(See all 26 comments for this article.)

Posted by:

Barton Talbot
25 Nov 2015

Clicking the automatic correction link yields "Issue not found." and "Unable to delete the plugin." I have Dell Optiplexes 740 and 780 and a Dell Vostro. Perhaps they're so old Dell doesn't update them?

EDITOR'S NOTE: As far as I can tell the "issue not found" means you don't have the problem, or it's already been patched.


Posted by:

Butch
25 Nov 2015

Bob, when the initial notice appeared on-line, it referred to Dell _laptops_ only. I have a desktop but thought I might as well read through all the text. I downloaded the instructions but decided to use the Automatic correction. After it ran, the result was that no affected item was found. Thus, I am assuming that not all Dell computers are/were affected. I have received no notification whatsoever from Dell regarding this certificate problem. I will remain alert, however. Thanks for bringing this to _our_ attention.


Posted by:

Daniel
25 Nov 2015

Followed your link and automatically attempted to remove Dell root issue. A window came saying, 'issue not found". Can I assume my computer was somehow unaffected or is this wishful thinking?

EDITOR'S NOTE: My link should go to a PDF file with instructions: See https://dellupdater.dell.com/Downloads/APP009/eDellRootCertificateRemovalInstructions.pdf


Posted by:

Laraine
25 Nov 2015

"download" link doesn't seem to work. Clicked it 2 different times, each time brought up different websites. Weird. Scary.

EDITOR'S NOTE: The link should take you to a PDF with instructions. Try this: https://dellupdater.dell.com/Downloads/APP009/eDellRootCertificateRemovalInstructions.pdf


Posted by:

Carole
25 Nov 2015

This is very scary. I have a Windows 7 from Dell that is 4 years old. Thank goodness I don't use it very often. Bob, I'll try what you recommended about deleting the problem. Thanks for the information about eDellRoot.


Posted by:

Rick
25 Nov 2015

Bob - I think stating "Every Dell computer running Windows..." is an over statement and requires clarification. I've checked both of my Dell laptops running Windows 7 and I do not have the Dell Foundation Services service or the eDellRoot certificate. As a double check, I also ran the automatic tool and received "issue not found". Clearly this issue does NOT affect "Every Dell computer running Windows..."

EDITOR'S NOTE: Is it possible the fix had already been automatically applied by Dell? In any case, it's best to check for the problem, right?


Posted by:

Rick
25 Nov 2015

For more accurate information on specifically which Dell computers are affected see https://grahamcluley.com/2015/11/edellroot-huge-security-hole-shipped-dell-laptops-pcs-need-know/


Posted by:

Rick
25 Nov 2015

BTW - Are you sure your emails are still going out to all your subscribers? I've not received one since 11/02 (and I did NOT unsubscribe). The only reason I saw this article was because I came to your site looking for an article on Google+.


Posted by:

Ashland
25 Nov 2015

Bob, what do we do about this from ZDNet a couple of hours ago?

Dell customers have turned up a second root certificate installed on some Dell machines, which could make them easy prey for malicious attacks on public Wi-Fi networks.

The second problematic root certificate is called DSDTestProvider. Its discovery follows yesterday's removal by Dell of the dangerous eDellroot certificate from affected Dell PCs.


Posted by:

SamiamHis
25 Nov 2015

The most interesting thing that occurred within this article was: I clicked on the patch and it went to weird website "All Array Flash Solutions - Extreme IO Extreme EMC. I got out of there as it was too weird and returned to this page. The link in your article to the "patch" had disappeared. WOW! Upon further reading in the comments I did discover that this issue is non existent on my Dell. I still appreciate your research and that you warn of possibilities. I would check that link though!


Posted by:

John
25 Nov 2015

Just finished your article today on the Dell computer vulnerability and decided to take your advice about downloading the patch. I clicked on the link in the last sentence of the 2nd paragraph of the "Eliminating the Problem" section of your article and it brought me to a page I wasn't expecting to see - some kind of EMC page! I Xed out of that and went back to your article to try over, but the link I had just clicked earlier wasn't enabled anymore. I don't know much about computers, but this had me more perplexed than ever.


Posted by:

IanG
25 Nov 2015

If everybody were of the same mind as me, the internet would probably come crashing down. I HATE all advertising with a vengeance and 'targeted' advertising even more (this in response to Bob's mention of Lenovo's Superfish). Therefore I block all the ads I can. I pay my way and don't expect advertisers to pay for what I choose to look at.


Posted by:

Jim
25 Nov 2015

I would not use a Dell if you gave me one!!! Had bought two Dell desktops and neither one lasted a year! After Dell sent me parts to fix it, it would run about a month and then the same parts went bad. They sent me a new, upgraded desktop, then charged me for it, and it too quit in about 3 months. Will never use a Dell computer again. (GO ACER)


Posted by:

don
25 Nov 2015

Bob, you have to be one busy guy, but can you give us an update of any sort since you posted your newsletter? I am not the sharpest crayon in the box, but a lot of the posts above seem like they don't understand, and that includes myself as well. The very first post from Ian. Phew!!!! Am I glad I chose to stick with XP? Unless I woke up dead, what does that have to do with owning a Dell? I have read everything you have put in your newsletters since day 1, but people are going to start throwing their PCs in the garbage. Lots of people freaking out here!! Can you save us? don


Posted by:

MmeMoxie
25 Nov 2015

I have a Dell Optiplex 960 off lease and refurbished Desktop. I don't have a single thing, of Dell in the Service list or anywhere.

I got my Dell, not from Dell, but, from a place called Computer-Show. They do an excellent job, of refurbishing old or off lease Dells. I believe, they also, put new hard drives in all of the refurbished Dells or pulled, re-written over and over hard drives.

I have used Computer-Show for over 10 years. It was only 2 years ago that I started using them for myself. I was always pleased with them and recommended them highly. I still do recommend them highly. I have new Windows Product Keys on the 3 that I bought. I also still have the Service Tag number, so when I need to replace parts, I can get easier access to the right ones. :) But these are not the original Dell products, they are refurbished. :)


Posted by:

Judy Redman
25 Nov 2015

I have a Dell laptop which is nearly 3 years old, running Win 8.1. I tried the automatic removal and got both the error messages noted above,("unable to stop windows service. Unable to delete plugin" and "issue not found") so tried the manual removal option and do not have a Dell Foundation Services Folder. I assume that that either it wasn't installed on all computers or that they have got their update out earlier than you expected and removed it, but thanks for the warning as it could have been a real problem for me.

FWIW, I have been using Dell computers since 1997 - both personal laptops and desk-tops at work - and have been very happy with them. And with their service - I had a problem with a cord while I was in the US (I live in Australia) and had absolutely no problem getting it replaced.


Posted by:

james
25 Nov 2015

Bob, great piece of information too bad it wasn't available earlier to eliminate all the problems it may have caused.

Bob, judging from all the replies you have received on this great article it does not take much to see most (if not all including me) of your subscribers are confused. I think at this point it will be well received by all, if you checked the links and write another article (simplistic) with the best working solution only.
Also please address the other certificates that are also apparently affecting Dell computers.

Now I understand why I got 2 calls from Dell customer service in CA stating they were receiving notifications from my Dell laptop that my security was compromised. Unfortunately I dismissed them, thinking they were just looking to generate additional income by making up problems.

I also asked for details and they would not provide them. Basically I asked why they were receiving these notices when my security software was informing me I was fine. They had no answer. Obviously now I know (thanks to you) why, because it was probably this problem.


Posted by:

james
26 Nov 2015

Here are detailed instructions from Dell to remove both CAs. It works, I checked it.

http://www.dell.com/support/edellroot


Posted by:

Phil
26 Nov 2015

Thanks once again Bob. Very timely.


Posted by:

Glenda Oakley
27 Nov 2015

Hi, yes I went to the pdf where it had an automatic removal. I downloaded and then it said "issue not found", so I presume I don't have the problem. Thanks Bob


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- Got a Dell? Read This Now! (Posted: 25 Nov 2015)
Source: http://askbobrankin.com/got_a_dell_read_this_now.html