Superfish-Like Security Flaw Found On Dell Laptops
The certificate itself is eDellRoot. It was first discovered by Joe Nord, a programmer, who pointed out that because the certificate is installed as a trusted root, a Dell machine will trust any SSL certificate chained to it, which is certainly a problem in this case.
According to Reddit user rotorcowboy, the problem with the pre-installed SSL certificate exists because it uses “the exact same root certificate and private key” on affected units.
Dell in a statement told Reuters, “The recent situation raised is related to an on-the-box support certificate meant to provide a better, faster and easier customer support experience…Unfortunately, the certificate introduced an unintended security vulnerability”. To provide that support, the company installed a master key, called a certificate authority or CA, on the computer to verify its identity during support sessions.
On Monday, Duo Security published a report saying that it had also recently come across the eDellRoot issue while checking out a Dell Inspiron 14 laptop it recently bought.
It’s unknown how many computers may be affected. The company added that it would provide customers with instructions to permanently remove the certificate by email and on its support website. Users have found the certificate and key on both the Inspiron 5000 and XPS 15, and The Verge was able to detect it on an XPS 13, suggesting it may be present on a significant portion of the Dell laptops now on the market.
The scan would have potentially turned up spoofed websites using the eDellRoot certificate to look legitimate. A Dell spokeswoman said the software began being installed on laptops in August.
As a refresher, Lenovo received tremendous backlash when it was discovered the company had been loading a similar rootkit certificate called Superfish on select Lenovo devices. A few of its systems came preinstalled with a self-signed root certificate that makes it easy for attackers to exploit all affected systems. The objective of Dell’s certificate is unknown. Security experts have already generated proof-of-concept certificates for *.google.com and bankofamerica.com. Users are also reporting that it seems impossible to get rid of the digital certificate: even if you delete it, it pops up right back after a reboot. If a website presenting a certificate signed by eDellRoot loads with no certificate error, it’s a sign that the computer has the eDellRoot certificate installed.
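For administrators who want a direct check rather than visiting a test website, the following PowerShell snippet (an added example, not from the article or from Dell) inspects the Windows trusted root stores for a certificate whose subject is eDellRoot and reports whether a private key is present alongside it; the `-Remove` switch and the store paths are assumptions about a standard Windows setup.

```powershell
# Added example: look for the eDellRoot CA in the machine and user trusted root stores.
# A root CA whose private key is present on the box is the condition the article describes.
function Test-EDellRoot {
    param(
        [switch]$Remove   # assumption: removal needs an elevated (administrator) session
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        $found = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match 'CN=eDellRoot' }
        foreach ($cert in $found) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # $true means anyone can sign with this root
            }
            if ($Remove) {
                # Delete the trusted root entry; the article notes it may be
                # re-created after a reboot, so re-run this check afterwards.
                Remove-Item -Path (Join-Path $store $cert.Thumbprint)
            }
        }
    }
}

# Usage: report only, then remove if present (from an elevated prompt).
Test-EDellRoot | Format-Table -AutoSize
# Test-EDellRoot -Remove
```

An empty result from `Test-EDellRoot` means no certificate with that subject is trusted by either store; re-run after the next reboot since the article reports the certificate reappearing.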
The flaw is very similar to the Lenovo Superfish flaw that injected ads into websites and opened up a computer to hackers.
Mr White said owners of the flawed computers can protect themselves when surfing the Web by using Mozilla Corp.’s Firefox browser, which uses its own list of trusted certificates rather than the operating system’s to vet the security of websites.