A day after security researchers revealed that new Dell computers were shipping with an unintentional security backdoor, a trusted root certificate whose private key was included on every machine, making it possible for attackers to intercept users' web browsing and online banking sessions, the PC giant has released a guide on how to get rid of it.
On 23 November, security firm Duo Security unveiled research showing that it had discovered a rogue root certificate called eDellRoot within a new Dell Inspiron 14 series laptop that it had bought for another project. After seeing complaints on Reddit and Twitter, the researchers decided to reveal what they had discovered.
"There are two certificates found on Dell machines, including a trusted eDellRoot root certificate. Our research indicates that Dell is intentionally shipping identical private keys in other models. This means an attacker could sniff a Dell user's web browsing traffic and manipulate their traffic to deliver malware," Duo Security's researchers Darren Kemp, Mikhail Davidov and Kyle Lady wrote in a blog post.
The researchers explain that the root certificate is installed in the Windows trusted root store together with its private key, and that the same key ships on every affected machine. Anyone who extracts it can issue a certificate for any website that these Dells will trust, which makes man-in-the-middle attacks that decrypt and alter users' HTTPS traffic straightforward.
"If a user was using their Dell laptop at a coffee shop, an attacker sitting on the shop's Wi-Fi network could potentially sniff all of their TLS encrypted traffic, including sensitive data like bank passwords, emails etc," the researchers wrote.
"The attacker could also manipulate the user's traffic, e.g., sending malware in response to requests to download legit software, or install automatic updates – and make it all appear to be signed by a trusted developer."
Unfortunately, the rogue certificate can't simply be deleted from the certificate store: a .DLL plugin of Dell Foundation Services that came with the eDellRoot certificate reinstalls it whenever the computer is restarted, so the plugin has to be removed first. Not every user will find this easy, and digging around in system folders carries the risk of accidentally changing something you shouldn't.
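The check a practitioner wants at this point is whether a given Dell has the certificate and, more importantly, whether the private key is sitting beside it. The following PowerShell script is an added example, not Dell's removal guide or Duo Security's code. It audits the Local Machine Trusted Root store for any root whose private key is resident (the general condition that turns a trusted root into a man-in-the-middle tool, which goes beyond the eDellRoot case), then reports the eDellRoot entry itself and, only with -Remove, stops the service that would reinstall it and deletes it. It assumes the certificate subject contains "eDellRoot" and that the Windows service's display name is "Dell Foundation Services"; neither detail is stated on this page.

```powershell
<#
  Added example, not Dell's removal guide or Duo Security's code.
  Audits the Local Machine "Trusted Root Certification Authorities" store
  for eDellRoot and, more generally, for any trusted root whose private key
  is present on this PC. Run from an elevated PowerShell prompt.
  Assumptions (not stated in the article): the certificate subject contains
  "eDellRoot"; the service display name is "Dell Foundation Services".
  Without -Remove the script only reports.
#>
param([switch]$Remove)

$store = 'Cert:\LocalMachine\Root'

# 1. Any trusted root that carries a private key is suspect: a genuine public
#    CA never ships its signing key to end-user machines.
$rootsWithKeys = Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey }
if ($rootsWithKeys) {
    Write-Warning 'Trusted roots with a resident private key:'
    $rootsWithKeys | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

# 2. The specific certificate from the Duo Security report.
$eDell = Get-ChildItem -Path $store | Where-Object { $_.Subject -match 'eDellRoot' }
if (-not $eDell) {
    Write-Output 'No eDellRoot certificate found in the machine Trusted Root store.'
    return
}

foreach ($cert in $eDell) {
    Write-Output ('Found {0}  thumbprint={1}  private key present={2}' -f `
        $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey)
}

if (-not $Remove) {
    Write-Output 'Re-run with -Remove to delete it once the DFS plugin has been removed.'
    return
}

# 3. Removal: stop the service that would put the certificate back first,
#    otherwise it returns on the next reboot, as the article explains.
#    Service display name is an assumption.
$dfs = Get-Service -DisplayName 'Dell Foundation Services' -ErrorAction SilentlyContinue
if ($dfs -and $dfs.Status -eq 'Running') {
    Stop-Service -InputObject $dfs -Force
}

foreach ($cert in $eDell) {
    Remove-Item -Path ('{0}\{1}' -f $store, $cert.Thumbprint)
    Write-Output ('Removed {0}' -f $cert.Thumbprint)
}
```

Two caveats: stopping the service does not remove the plugin DLL that reinstalls the certificate, so Dell's guide still has to be followed for that step, and Firefox keeps its own trust store rather than using the Windows one, so this script neither audits nor fixes what Firefox trusts.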
Dell's rapid response
To give Dell credit, the PC giant responded to the complaints within a day and has published a downloadable step-by-step guide to removing the .DLL plugin and the certificate, together with a blog post explaining why it included a tool that could potentially be used to spy on its customers.
"Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it," Dell's chief corporate communications blogger Laura P Thomas wrote on the Dell corporate blog.
"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers."
Dell claims that eDellRoot has only been shipped on laptops sold since August, but The Register says it found the rogue certificate on an Inspiron 15 series laptop that the publication bought in July.
It's good that Dell has provided removal instructions, but it's a pretty big blunder for the PC giant to have made, and it's not even the first time such a mistake has occurred: back in March, security researcher Tom Forbes discovered that the Dell Service Tag Detector app created a backdoor into every Dell machine it was installed on.
It's also ironic given that only on 15 November, Dell's CEO Michael Dell told the Telegraph that he thought security backdoors mandated by governments were a "horrible idea".