The discovery that Dell PCs have shipped with one, and potentially two, vulnerable security certificates has reignited the debate on pre-installed software.
The debate was raised in February 2015 when Lenovo was found to be shipping the Superfish pre-installed adware that made customers vulnerable to HTTPS man-in-the-middle attacks through its use of self-signed root HTTPS certificates.
Dell has also been using self-signed root certificates as part of a support tool intended to make it faster and easier for customers to service their systems, but, like Superfish, the eDellRoot certificate introduced a significant security vulnerability.
But Dell emphasised in a blog post that the eDellRoot certificate is not malware or adware, and is not being used to collect personal customer information.
Security experts have warned that, because the certificate is installed together with its private key, attackers could easily extract that key using widely available tools and use it to impersonate any HTTPS-protected website or to impersonate Dell, which would enable them to steal personal data, install data-stealing malware, or hijack the PC as part of a botnet.
Dell responded quickly by publishing a guide on how to remove the vulnerability once the issue was flagged up by Kevin Hicks, aka rotorcowboy, on Reddit. The company also said it would issue a software update to remove the certificate.
However, LaptopMag claims to have discovered a second self-signed certificate, called DSDTestProvider, that also contained a private key on a recently manufactured Dell XPS 13.
According to the publication, the removal guide does not address the DSDTestProvider self-signed certificate and Dell is yet to respond to a notification about the second certificate.
“The news that some Dell laptops are shipping with at least one, and now likely two, rogue root certificates represents a potential security breakdown in the process of laying down the factory operating system image on new laptops for consumer use,” said Tod Beardsley, security engineering manager at security firm Rapid7.
He urged users to contact their support representatives for instructions on how to remove these rogue certificates.
“Users rely on factory images of operating systems to be reasonably secure by default; the act of re-installing an operating system from original sources is often beyond the technical capabilities of the average end user,” said Beardsley.
David Kennerley, senior manager for threat research at cyber security firm Webroot, said that pre-installing self-signed certificates is common practice despite the Lenovo Superfish scandal.
“Some manufacturers give the option of not having these installed, but you have to know about such software before you can opt out.
“Whether it is unwanted adware or a self-signed root certificate authority, consumers should take precautions to know who is watching them on their own device and take the necessary security actions,” he said.
According to Andrew Lewman, vice-president of data development at security intelligence firm Norse, any enterprise should be reloading their operating systems on delivery and not simply using what comes from the factory by default.
“As for protection, all enterprises should block the Dell certificate authority both on the network and on their devices. Uninstalling the certificate authority from laptops and desktops should be a matter of a policy update,” he said.
Dell has confirmed that commercial customers who re-imaged their systems without Dell Foundation Services are not affected by this issue. Researchers at security firm Tripwire have published a free tool to enable Dell users to test for the eDellRoot certificate.
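For administrators who want to check a fleet themselves, the following PowerShell script is an added example, not Dell's removal guide or the Tripwire tool: it searches the Windows root stores for the two certificate names given in this article, reports whether each one carries a private key (the property that makes them dangerous), and removes them only when run with -Remove. It assumes an elevated PowerShell session on the PC being checked and that the certificates are identifiable by their Subject CN.

```powershell
# Added example (not Dell's or Tripwire's code): audit the Windows root stores for the
# certificates named in the article and flag any that carry a private key.
# Assumptions: elevated PowerShell session on the affected PC; the certificates
# are identifiable by Subject CN. Pass -Remove to delete what is found.
param(
    [switch]$Remove
)

# Names taken from the article. A trusted root entry should never carry a private key.
$suspectNames = @('eDellRoot', 'DSDTestProvider')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
        $cert = $_
        # keep the certificate if any suspect name matches its Subject CN
        $suspectNames | Where-Object { $cert.Subject -match "CN=$_(,|$)" }
    } | ForEach-Object {
        [PSCustomObject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            HasPrivateKey = $_.HasPrivateKey   # true means the signing key is on this machine
        }
    }
}

if (-not $findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates found in the root stores.'
    return
}

$findings | Format-Table -AutoSize

foreach ($f in $findings | Where-Object HasPrivateKey) {
    Write-Warning "$($f.Subject) in $($f.Store) carries a private key: anyone holding that key can issue certificates this PC will trust."
}

if ($Remove) {
    foreach ($f in $findings) {
        # -DeleteKey removes the associated private key along with the certificate
        Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -DeleteKey
        Write-Output "Removed $($f.Subject) from $($f.Store)"
    }
    # The certificate was shipped by a support tool, so re-run the audit after a reboot
    # to confirm it has not come back.
}
```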