Dell does a Superfish, ships PCs with easily cloneable root certificates

In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website.

The self-signed transport layer security credential, which was issued by an entity calling itself eDellRoot, was preinstalled as a root certificate on at least two Dell laptops, one an Inspiron 5000 series notebook and the other an XPS 15 model. Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet. Depending on the browser used, any Dell computer that ships with the root certificate described above will then accept the encrypted Web sessions with no warnings whatsoever.

Seeing is believing

Joe Nord, a self-described programmer, told Ars that he visited this HTTPS test site, which was created by security expert Kenn White using the private key contained in the Dell certificates. Nord said the Google Chrome and Microsoft Edge and Internet Explorer browsers established an encrypted Web session with no warnings, even though the certificate was clearly fraudulent. Fortunately, Firefox generated an alert warning that the certificate was not trusted. Kevin Hicks, the other Dell customer known to be affected, reported the same findings.

Read the complete article on Ars Technica web site here.

Advertisements