As Scott mentioned yesterday, Dell refused to learn from Lenovo's lesson and repeated the same mistake with eDellRoot, a self-signed root CA certificate installed into the Windows trusted root store together with its private key. SuperFish at least had a (bad) reason to exist, injecting targeted ads into web pages; eDellRoot's purpose is unclear beyond a vague, Microsoft-like mention of "easier customer support", yet it exposes you to exactly the same risk: anyone who extracts the private key, which is identical on every affected machine, can sign a certificate for any site and silently intercept your HTTPS traffic. You can remove the cert manually, but because it is embedded in Dell.Foundation.Agent.Plugins.eDell.dll it will be reinstalled on the next boot, and it can return on a fresh Windows install via Dell driver updates, something that will be of great concern to their business customers.
Dell has finally responded to the issue: "The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability." They have also provided a process for removing the certificate from the machine permanently in this Word document. You can check for the presence of the cert on your machine with those two links.
However, the best was yet to come: researchers have found a second root cert, as well as an expired Atheros Authenticode cert used to sign Bluetooth drivers, each with its private key, on a limited number of new Dell computers. As Dell made no mention of these additional certificates in its statement to the press, it is hard to give them the benefit of the doubt. The expired Bluetooth code-signing cert will not make you vulnerable to a man-in-the-middle attack, but the second root cert carries the same kind of risk as eDellRoot and can be used to snoop on encrypted communications, although the researchers quoted below rate its impact as more limited. The second cert was found on a SCADA machine which is, as they say, a bad thing.
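To turn the check-and-remove steps above into something you can actually run, here is an added PowerShell example; it is not Dell's removal document and not code from this article. It checks both Windows trusted root stores for the eDellRoot subject and, more generally, for any trusted root certificate whose private key is present on the machine (the property that makes eDellRoot and the second Dell root cert dangerous), locates the plugin DLL named above, and, only when you opt in, deletes the DLL before the certificate so the cert cannot be regenerated at boot. The eDellRoot subject name and the DLL name come from the article; the Dell service display name and the Program Files search are assumptions.

```powershell
# Added example (not Dell's procedure): audit the Windows trusted root stores
# for CA certificates that carry a private key, which is the eDellRoot pattern,
# and locate the plugin DLL that reinstalls eDellRoot at boot.
# Run from an elevated PowerShell prompt on Windows.

$suspectSubjects = @('CN=eDellRoot')                       # name from the article
$pluginDll       = 'Dell.Foundation.Agent.Plugins.eDell.dll' # name from the article
$Remove          = $false                                   # set to $true to delete

function Find-RogueRootCert {
    # A root CA that is trusted system-wide AND has its private key on the box
    # can mint a valid-looking certificate for any site. Legitimate public roots
    # never ship their key to endpoints, so every hit deserves a second look
    # (an internal CA server is the one place this is expected).
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $byName = $suspectSubjects -contains $cert.Subject
            if ($byName -or $cert.HasPrivateKey) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    HasPrivateKey = $cert.HasPrivateKey
                    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                    NotAfter      = $cert.NotAfter
                    KnownBad      = $byName
                }
            }
        }
    }
}

function Find-PluginDll {
    # The certificate is re-created from this DLL at boot, so deleting the cert
    # alone is not enough. Search both Program Files trees (assumed location).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Recurse -Filter $pluginDll -ErrorAction SilentlyContinue
}

$certs = @(Find-RogueRootCert)
$dlls  = @(Find-PluginDll)

if ($certs.Count -eq 0 -and $dlls.Count -eq 0) {
    Write-Host 'No trusted root certificates with private keys and no eDell plugin DLL found.'
    return
}

Write-Host 'Trusted root certificates that are named here or carry a private key:'
$certs | Format-Table -AutoSize
Write-Host 'Plugin DLL locations:'
$dlls | Select-Object FullName | Format-Table -AutoSize

if ($Remove) {
    # Order matters: the DLL must go before the cert, or the cert comes back on
    # the next boot. The service display name is an assumption; confirm it with
    # Get-Service before relying on it.
    Get-Service -DisplayName 'Dell Foundation Services' -ErrorAction SilentlyContinue |
        Stop-Service -Force -ErrorAction SilentlyContinue
    foreach ($dll in $dlls) {
        Remove-Item -Path $dll.FullName -Force
    }
    # Only the certificates matched by name are deleted automatically; other
    # roots with private keys are reported for manual review, not removed.
    foreach ($c in ($certs | Where-Object { $_.KnownBad })) {
        # -DeleteKey also removes the private key from the key store.
        Remove-Item -Path (Join-Path $c.Store $c.Thumbprint) -DeleteKey
    }
}
```

Reboot after removal and run the script again: if the certificate reappears, the DLL was not the copy the service loads, or a driver update has put it back.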
We await Dell's response to the second discovery, as well as further research to determine how widespread the new certs actually are. So far Dell XPS 15 laptops, M4800 workstations, and Inspiron desktops and laptops have been found to carry these certificates. The chances of you falling victim to a man-in-the-middle attack thanks to these certificates are slim but not zero, so be aware of them and check your own systems for them. With Lenovo and Dell both having been caught, it will be interesting to see whether HP and other large vendors learn this lesson or whether it will take a third company being caught exposing its customers to unnecessary risk.
"A second root certificate and private key, similar to eDellRoot along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert."
Here is some more Tech News from around the web:
- Amazon is suffering a subtle data breach, lest it turn into another TalkTalk @ The Inquirer
- Windows 10: Microsoft flip flops 'as a service' as November update is pulled @ The Inquirer
- Hybrid carbon foams serve as good heat conductors @ Nanotechweb
- Pip Boys As A Service @ Hack a Day
- Intel hires Qualcomm's compute leader to lead new mobile push @ The Register
- Heterogeneous system architecture helps AMD and ARM deal with mammoth compute demands @ The Inquirer
- Windows 8.1 exams kept alive six more months, Win 7 tests immortal @ The Register