Dell has been found to be shipping laptops with a certificate named eDellRoot installed by default in the Trusted Root Certification Authorities store. The certificate is not only trusted but valid for all purposes, and, as researchers soon found, its private key ships on the machine with it.
Shipping laptops with pre-installed software is nothing new; Lenovo, for instance, has shipped laptops loaded with bloatware.
A Twitter user, Joe Nord, recently ordered a new Dell laptop and tweeted a screenshot showing eDellRoot present in the root store out of the box.
He went on to describe eDellRoot in a blog post:
“The eDellRoot certificate is a trusted root that expires in 2039 and is intended for “All” purposes. Notice that this is more powerful than the clearly legitimate DigiCert certificate just above it, which spikes more curiosity.”
eDellRoot may be new, but security researchers worry that a trusted root whose private key is known can be used to intercept users' encrypted traffic, that is, for spying. Lenovo laptops previously came with pre-installed bloatware (Superfish) that used the same trick to inject ads into web pages without the user's permission.
Nord went on to study the root certificate in more depth and wrote:
“‘You have a private key that corresponds to this certificate’. This is getting very fishy! As a user computer, I should NEVER have a private key that corresponds to a root CA. Only the certificate issuing computer should have a private key and that computer should be … very well protected!”
“This is the same action that existed with Superfish and in that case, Lenovo made the tremendously awful action of using the SAME private key on every computer. Has Dell done the same?”
A Reddit user (Rotorcowboy) had also ordered a new Dell laptop and found the same certificate on his system. He researched the matter thoroughly and presented his findings in a Reddit thread:
“I got a shiny new XPS 15 laptop from Dell, and while attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA by the name of eDellRoot. With it came its private key, marked as non-exportable. However, it is still possible to obtain a raw copy of the private key by using several tools available (I used NCC Group’s Jailbreak tool). After briefly discussing this with someone else who had discovered this too, we determined that they are shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers. For those that aren’t familiar, this is a major security vulnerability that endangers all recent Dell customers.”
The Reddit user also raised the issue with Dell's support account on Twitter:
@DellCares This is a MAJOR security concern, especially because your customers all have the exact same CA on their machines. (1)
— Kevin Hicks (@rotorcowboy) November 22, 2015
“Surely Dell had to have seen what kind of bad press Lenovo got when people discovered what Superfish was up to. Yet, they decided to do the same thing but worse. This isn’t even a third-party application that placed it there; it’s from Dell’s very own bloatware. To add insult to injury, it’s not even apparent what purpose the certificate serves. At least with Superfish we knew that their rogue root CA was needed to inject ads into your web pages; the reason Dell’s is there is unclear.
If you have recently bought a Dell computer and want to see if you are affected by this, go to Start -> type “certmgr.msc” -> (accept on UAC prompt) -> Trusted Root Certification Authorities -> Certificates and check if you have an entry with the name “eDellRoot”. If so, congratulations, you’ve been pwned by Dell, the very company you paid for your computer!
Here is a link to the certificate, private key, and PFX file for the certificate I found on my machine. The password for the PFX file is “dell”. (The certificate itself is in the eDellRoot.crt file. Do NOT import the PFX file unless you know what you’re doing. I just included it for convenience.) If yours came with the eDellRoot certificate, its thumbprint will probably be:
And its serial number:
It’s upsetting that Dell would do this despite the backlash Lenovo experienced from its customers and the US Department of Homeland Security, and I really hope they quickly do something to correct this. The more people that know and speak up, the faster it will happen.”
When the user first reached out to Dell's customer support on Twitter, they said the certificate was perfectly fine and would not cause any harm to the system. The user replied that it is a major security concern precisely because every one of Dell's machines carries the exact same CA.
Soon after this wave of tweets and blog posts, Dell apologized and provided instructions on how to remove the certificate and how to verify that it has been removed properly.
* First, download Dell's uninstaller package and run it, then follow the steps below to verify that the certificate is gone:
* Go to the start menu, type "MMC" and press Enter
* Go to File -> Add/Remove Snap-in
* Pick certificates and press Add
* Choose Computer account and press Next
* Choose Local computer & press Finish
* Press Ok
* Expand Certificates and Trusted Root Certification Authorities
* Select the Certificates folder and check whether an entry named eDellRoot is still present
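The same check can be scripted rather than clicked through. The PowerShell script below is an added example, not Dell's uninstaller and not code from the article or from either researcher; the script name, the `-Remove` switch and the `Get-SuspiciousRoot` helper are my own naming. It goes a little beyond the eDellRoot case: besides looking for that specific subject, it flags any certificate in a root store that reports a private key on this machine, which is exactly the condition Nord called out as something an end-user PC should never have. Run it from an elevated Windows PowerShell prompt so that the LocalMachine store can be read and, with `-Remove`, modified.

```powershell
# Find-RogueRoot.ps1  (added example; hypothetical script name)
# Usage:  .\Find-RogueRoot.ps1            report only
#         .\Find-RogueRoot.ps1 -Remove    also delete eDellRoot and its private key
param(
    [switch]$Remove
)

# Both stores matter: a root in CurrentUser\Root is trusted by that user's browsers too.
$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-SuspiciousRoot {
    param([string[]]$Stores)
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $isEDellRoot = $cert.Subject -match 'CN=eDellRoot'
            # A root CA's private key belongs on the issuing system, never on an end-user PC,
            # so any root with HasPrivateKey = $true deserves a look even if it is not eDellRoot.
            if ($isEDellRoot -or $cert.HasPrivateKey) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                    NotAfter      = $cert.NotAfter          # eDellRoot expires in 2039
                    Thumbprint    = $cert.Thumbprint        # compare with the value Dell published
                    HasPrivateKey = $cert.HasPrivateKey
                    IsEDellRoot   = $isEDellRoot
                    Path          = $cert.PSPath
                }
            }
        }
    }
}

$findings = @(Get-SuspiciousRoot -Stores $rootStores)

if ($findings.Count -eq 0) {
    Write-Host 'No eDellRoot certificate and no root CA with a local private key found.'
    return
}

$findings | Format-List

if ($Remove) {
    foreach ($f in $findings | Where-Object IsEDellRoot) {
        # -DeleteKey removes the associated private key container along with the certificate.
        Remove-Item -Path $f.Path -DeleteKey
        Write-Host "Removed $($f.Subject) from $($f.Store)"
    }
}
```

Re-run the script after a reboot before trusting the result: with Dell Foundation Services still installed, the certificate was re-created on restart when only the certificate itself had been deleted, which is why Dell's own instructions remove the service plug-in first. From a plain command prompt, `certutil -store Root eDellRoot` gives the same presence check without PowerShell.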
Dell also thanked the users who brought the issue forward and asked customers to keep reporting problems so the company can serve them better.