  • eDellRoot issue – what you need to know

    By Vincent Naughton on November 26, 2015

    eDellRoot leaves users open to attackers impersonating legitimate websites with sites that contain malware or that might steal sensitive information

      eDellRoot leaves users open to cyberattack

      Recently it came to light that machines shipped by Dell with eDellRoot, a self-signed, pre-installed root certificate, have left users vulnerable to cyberattacks.
      Essentially, users with eDellRoot installed are open to attackers impersonating legitimate, HTTPS-protected websites with sites that contain malware or that might steal sensitive information.

      The discovery came in late November with Dell issuing an official response on their Corporate Blog on Monday November 23. The company has since stopped including the certificate in all of its systems.

      It echoes a similar issue in Lenovo laptops earlier this year. Pre-installed software known as Superfish was used to alter search results to show fake ads possibly containing malware. It also allowed attackers to intercept and view users’ browser traffic.

      The function of verifying whether websites are legitimate is a vital part of any computer’s infrastructure, and weaknesses like eDellRoot and Superfish can have very damaging consequences.

      How do I know if my machine has eDellRoot?

      There are a number of tools available for users to determine quickly if their machine has eDellRoot. The easiest way to check is to follow these steps:

      • Open a command prompt window, then type “mmc” in the search bar
      • On the File menu, click Add/Remove Snap-in, then click Add
      • In the dialog box, select Certificates and click Add
      • In the dialog box, select Computer account, click Next, then click Finish
      • Close the Add Standalone Snap-in dialog box and click OK
      • In the Console Root window, click Certificates (Local Computer)

      If there is an entry named eDellRoot, then your machine has the compromised cert installed.
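      The same check can be scripted instead of clicking through the MMC snap-in. The following PowerShell is an added example, not part of the original post or a Dell tool; it assumes Windows PowerShell 3 or later, and the only page-supplied value it relies on is the certificate name eDellRoot.

```powershell
# Added example (not from the original post): look for a certificate named eDellRoot
# in both the machine-wide and the current user's trusted root stores.
# Assumes Windows PowerShell 3+; the name pattern is the only value taken from the post.
function Find-SuspectRootCert {
    param(
        [string]$NamePattern = '*eDellRoot*'
    )
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $NamePattern -or $_.FriendlyName -like $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A root that issued itself is expected; one whose private key
                    # is also present on this machine is a serious finding.
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-SuspectRootCert)
if ($hits.Count -eq 0) {
    Write-Output 'No certificate matching eDellRoot found in the trusted root stores.'
} else {
    $hits | Format-Table -AutoSize
    Write-Warning "Matching root certificate(s) present. Do not just delete them; follow Dell's removal instructions."
}
```

      Run it from an elevated prompt so the LocalMachine store is fully readable; a hit with HasPrivateKey set to True is the case the removal instructions below are for.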

      eDellRoot certificate on a computer (Credit: Joe Nord)

      My machine is affected, what now?

      Dell has clarified that just removing eDellRoot is not sufficient. Affected users should follow the official instructions from Dell to ensure that the cert is permanently removed:

      • Manual Removal Instructions from Dell:

      https://dellupdater.dell.com/Downloads/APP009/eDellRootCertRemovalInstructions.docx

      • Automatic Removal Tool patch from Dell:

      https://dellupdater.dell.com/Downloads/APP009/eDellRootCertFix.exe

      I don’t have eDellRoot, or I’m not a Dell user, am I still at risk?

      The nature of this security flaw means that it has the potential to affect non-Dell users. An attacker could manipulate a Dell user’s traffic to appear legitimate, causing other end users to download malware or other suspect applications. To the receiver, these would appear to be genuine downloads from a verified source.

      The best course of action to protect yourself is to update any installed browsers on your computer to the latest version. It is expected that all browsers using a machine’s certificate store will block the eDellRoot certificate in the coming days.
      This is particularly relevant for Google Chrome and Microsoft Edge users, as those browsers use the operating system’s certificate store. Mozilla Firefox uses its own store.

      Further reading on the eDellRoot issue:

      By Orla Faughnan, Ward Solutions

      If you have any concerns regarding eDellRoot or other potential weaknesses in your IT security, talk to the experts. Call Ward Solutions today and a member of our experienced team will help.
