Dell: How to kill that web security hole we put in your laptops, PCs
Promises to automatically remove root CA cert from machines from Nov 24
Dell has published a guide on how to remove the web security backdoor it installed in its Windows laptops and desktop PCs.
This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole it in their defenses.
New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines' owners at risk of identity theft and banking fraud.
The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell's cert and key to silently decrypt the victims' web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.
Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL –
Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.
Dell has posted information [.docx] on how to do this properly, and future machines will not include the dangerous root CA cert. A software update process will run from November 24 that will remove the certificate automatically from machines, we're told.
In a statement to the media, the Texas-based IT titan said:
The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.
Dell said that it started including the root CA certificate with machines in August, although an Inspiron 15 series laptop we bought in July has an eDellRoot certificate on it.
"We deeply regret that this has happened and are taking steps to address it," added Laura Thomas, Dell's chief blogger.
"The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information.
"It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."
If you've got a new Dell, you can check here to see if you the dodgy root CA cert installed. For everyone, we'll leave you with this nightmare fuel... ®