New Dell Computers Have SuperFish Style Fake Certificate

Lenovo’s Superfish scandal earlier this year was arguably the worst security flaw since the Sony rootkit malware from ten years ago. Laptops with Superfish installed could not verify that the banking or e-commerce sites they connected to were the sites they claimed to be. There was no simple way to remove the software, and users were forced to jump through multiple hoops to resecure a system. Now, Dell appears to have done something similar, though the investigation is still ongoing.

Dell is shipping a self-signed root certificate called eDellRoot on XPS 13 and XPS 15 9550 laptops, among other models. It expires in 2039 and is marked as valid for all purposes. Further poking revealed that the private key corresponding to the certificate is present on the machine as well. It has been found on laptops and desktops, and on both Home and Pro editions of Windows 10.

This is a serious problem. In order for public-key cryptography to work, there must be two keys: a public key and a private key. The public key is used to encrypt messages transmitted to the server, while the private key is used by the server to decrypt those messages. The entire concept of public-key cryptography relies on the private key remaining private. Because it is computationally impractical to derive the private key from the public key, public keys can be distributed everywhere, while the private keys used to decrypt the information remain under lock and key.

Shipping a computer with a private key already installed means that the key can be extracted and used to sign certificates for fraudulent websites. Dell computers with the eDellRoot certificate installed will not recognize that these websites are fraudulent, because the very certificate they rely on to make that judgment is the one vouching for them.

What’s missing from this picture is any sense of why the eDellRoot key is installed on Dell laptops in the first place. In Lenovo’s case, it compromised user security and broke the entire HTTPS model to ship a lousy bit of adware that supposedly enabled visual search. Lenovo later claimed that the revenue it earned from Superfish was tiny, which made sense, but didn’t explain why the company had broken HTTPS security in order to earn a trifling bit of cash.

Dell’s eDellRoot certificate doesn’t seem tied to any specific service or capability. It’s not linked to malware or customer complaints the way Superfish was, and it’s not clear how many systems have shipped with the certificate installed. So far, we’ve seen reports that at least some Inspiron 5000 models are affected. These are Windows 10 machines shipping nine months after Superfish.

It’s not clear yet how large the problem is, but testing has shown that systems with the eDellRoot certificate installed will establish connections to clearly fraudulent sites. An HTTPS site has even been set up, signed with the private key extracted from the eDellRoot certificate, that can test whether Dell’s self-signed certificate is installed and trusted.

This story is still developing. Some users are reporting that removing the certificate from the certificate management console has resulted in the certificate being re-installed on the next reboot. It has also been reported that the certificate is installed by downloading updates through Dell’s update program.
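For readers who want to check their own machines rather than rely on a third-party test site, the following PowerShell script is an added example, not part of the original article or anything Dell ships. It audits the Windows root and intermediate certificate stores for a certificate whose subject or issuer contains "eDellRoot" (the name given in the article), reports whether it is self-signed and, critically, whether the private key is present on the machine, and can optionally remove it. The certificate’s thumbprint is not hard-coded because the article does not give it; the subject-name match and the `-Remove` switch are assumptions of this example.

```powershell
<#
  Added example (not from the original article): audit Windows certificate
  stores for the eDellRoot root certificate and report whether its private
  key is present. Run from an elevated PowerShell prompt.
  Usage:  .\Find-EDellRoot.ps1            (report only)
          .\Find-EDellRoot.ps1 -Remove    (report, then delete matches)
#>
param(
    [switch]$Remove
)

# Subject name taken from the article. Matching on subject/issuer rather than a
# thumbprint is an assumption of this example; adjust if you have the thumbprint.
$pattern = 'eDellRoot'

# Root and intermediate CA stores: a certificate here can vouch for any HTTPS site.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\CA'
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # A trusted root whose private key sits on an end-user machine is
                # the condition the article describes; this is the field to watch.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $findings) {
    Write-Output "No certificate matching '$pattern' found in the inspected stores."
    return
}

$findings | Format-Table -AutoSize

$withKey = @($findings | Where-Object { $_.HasPrivateKey })
if ($withKey.Count -gt 0) {
    Write-Warning ("{0} matching certificate(s) have a private key on this machine." -f $withKey.Count)
}

if ($Remove) {
    foreach ($f in $findings) {
        $path = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
        Write-Output "Removing $path"
        # -DeleteKey also removes the associated private key from the key store.
        Remove-Item -Path $path -DeleteKey -ErrorAction Stop
    }
    Write-Output "Removed. Re-run this script after the next reboot and after any Dell update run."
}
```

Because the article reports the certificate reappearing after a reboot and being delivered through Dell’s update program, removal alone is not a reliable fix; treat the report-only run as a recurring check rather than a one-off, and confirm that the `HasPrivateKey` column stays empty after each reboot and update cycle.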
