Got a Dell? Read This Now!
Every Dell computer running Windows has a gaping security hole that allows bad actors to eavesdrop on secure connections and bypass anti-malware defenses. Whether you have a Dell or not, here's what you need to know -- and do -- right away...
What is the eDellRoot Problem?
When I said “bad actors” in the opening paragraph, I wasn't talking about Charlie Sheen and Kim Kardashian. The bad actors I'm talking about are cyber-criminals intent on exploiting a security flaw in Dell computers. Please read on, take action, and help to spread the word to friends and family who may be affected.
This vulnerability makes it possible to intercept SSL encrypted communications. Yes, that means the "secure" HTTPS connection to your webmail, online banking and other sensitive information is open kimono to skilled hackers. It also allows for malware to be digitally signed so that it will be accepted as legitimate by Windows’ built-in defenses. The vulnerability has existed since August 15, 2015, when Dell itself created it with the intent of helping customers get tech support faster.
Dell pushed out an automatic update to all of its customers that installs a digital root certificate named “eDellRoot.” A root certificate acts as its own certificate authority: once it sits in the Windows trusted certificate store, any other certificate it signs is treated as legit. The purpose of such “self-signed certificate authorities” is to allow in-house developers of corporate applications to sign the apps they create so they won’t be tagged as “suspicious” by browsers or security software.
A private key is what signs the root certificate and every certificate issued under it, so the key is the real secret. Such keys are closely guarded in corporate IT environments. But Dell just dumped the private key for its root certificate on every customer’s computer. Worse, the same key has been discovered on multiple Dell computers, a practice as dumb as using the same password everywhere you go.
Worst of all, that key has found its way online, where anyone can get it. The key itself is protected by a password, but researchers have confirmed that Dell’s is easily cracked. So all the ingredients of a security catastrophe are out there in the wild.
Multiple Attack Vectors
Using eDellRoot, a bad actor can set up a “man in the middle” exploit that intercepts a user’s SSL-encrypted browser traffic and decrypts it, because the certificate enables him to impersonate the user. He can also create bogus websites that present fake certificates to browsers, so users can’t be sure they’re really connected to their banks, Google accounts, and so on.
Firefox is the only major browser that does not rely on Windows’ certificate store, so it does not accept certificates that are trusted only because a self-signed root was registered there. Firefox will tell you that a site presenting such a certificate is suspicious, and block it. Ironically, that’s one reason Firefox is banned in many corporate IT environments.
A hacker can use eDellRoot to digitally sign his own malware, self-certifying it as “safe.” Windows will warn you if an application is unsigned or if its certificate cannot be validated, indicating that the app should not be trusted. But eDellRoot lets malware slip past this defense.
Why did Dell do this incredibly dumb thing? To help customers, of course. In a statement emailed to inquiring journalists, the company said, "When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service."
That’s wonderful, Dell, but did you have to leave everyone open to eavesdroppers and malware in order to save your tech support staff a bit of time?
Eliminating the Problem
It’s easy to delete eDellRoot from a computer’s certificate store using the Microsoft Management Console. But eDellRoot will be reinstalled the next time the system reboots. So I won’t bother detailing that procedure.
Dell has posted instructions for removing the eDellRoot certificate permanently. The company is also rushing out a patch via its update system, but it may be December 1 before it reaches all vulnerable computers. A manual deletion process is described, but it involves a lot of clicking and navigation of obscure system utilities. The third option, and the one I recommend, is to download the patch and install it yourself instead of waiting for Dell Update to get around to your machine.
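As an added example (not part of the article, and not Dell’s own patch or tool), this PowerShell audit checks the Windows Trusted Root stores for the eDellRoot certificate, reports whether its private key is sitting on the machine, and looks for any certificate issued under it; it matches only on the subject name “eDellRoot” given in the article and assumes no thumbprint. Run it from an elevated PowerShell before and after applying Dell’s removal instructions.

```powershell
# Added example, not Dell's code: audit this PC for the eDellRoot root
# certificate and the exposed private key the article describes.
# Assumption: the certificate's subject contains "eDellRoot" (the only
# identifier the article gives); no thumbprint is hard-coded.

$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# 1. Is eDellRoot trusted as a root, and is its private key present?
$roots = foreach ($store in $rootStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # True means the signing key is on this PC: the exposure
                # the article describes, not merely a trusted root.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

# 2. Has anything already been issued under eDellRoot in any store?
$issued = Get-ChildItem -Path 'Cert:\' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Issuer -like '*eDellRoot*' -and $_.Subject -notlike '*eDellRoot*' } |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter

if (-not $roots) {
    Write-Output 'eDellRoot is not present in the Trusted Root stores.'
} else {
    $roots | Format-Table -AutoSize
    Write-Warning 'eDellRoot is trusted on this machine. Apply Dell''s removal instructions; deleting it here alone is undone on reboot.'
}

if ($issued) {
    Write-Warning 'Certificates issued under eDellRoot were found:'
    $issued | Format-Table -AutoSize
}
```

Re-run the script after rebooting: the article notes that a plain deletion from the certificate store comes back, so a clean second run is the real confirmation.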
Dell’s blunder has been compared to Lenovo’s “Superfish” adware rootkit (see my article, Does Your Computer Have VD?). Superfish used self-signed digital certificates to eavesdrop on SSL-encrypted Web traffic in order to help marketers better target ads. But hackers could use Superfish to steal passwords and other sensitive data. Like eDellRoot, Superfish reappeared after it was deleted. Like Dell, Lenovo rushed to scrape the egg off its face when Superfish was exposed.
Superfish was Lenovo’s cynical, calculated attempt to exploit its customers without regard for the financial damage they might suffer. The scary thing about eDellRoot is that Dell didn’t know what it was doing when it tried to “improve the customer experience.”
If you have a Dell computer, desktop or laptop, follow the link above to remove the dangerous eDellRoot certificate. And please, help to spread the word to friends and family who also have Dell computers.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 25 Nov 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved