Dell PC came with a pre-installed self-signed root certificate authority, called “eDellRoot”, and the private key associated with it. One user reported finding that their PC had a security hole that could allow attackers to access users’ personal data. The firm thanked customers for reporting the issue and invited others to come forward with further problems. Dell has admitted a “profound security flaw” and issued guidance on permanently removing the software that produced it.
In a statement released on Monday, Dell acknowledged that a certificate (eDellRoot), installed by Dell Foundation Services application on PCs, unintentionally introduced a security vulnerability which Dell deeply regretted.
It said: “We will also push a software update starting on November 24 that will check for the certificate and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”
Security experts said the software installed by Dell would allow traffic to be intercepted, potentially exposing sensitive information and the key could be used to make a user’s computer misidentify unsafe connections as safe.
Prof Alan Woodward, a cybersecurity expert at the University of Surrey, told the BBC that “the certificate could fool you into thinking you were looking at a site that normally uses a secure connection and would simply trust the fake site. Malicious hackers can eavesdrop on secure communications, passwords, usernames and other sensitive information.”
The certificates mean trust. If there is a breach, it harms the whole system. Some firms were now so suspicious that they were no longer allowing their browsers to trust the websites certified by the computers’ operating systems and, instead, were relying on their own. It is so fundamental to the trust and security needed to deal with people through your browser – you have to trust that the manufacturer has checked it all out.