Various Dell laptops and desktops are shipping with a pre-installed root certificate:
The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.
If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot-up. The root CA cert appears to have been created in early April this year, and expires in the year 2039.
How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell's security blunder. The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.
The problem was spotted by Joe Nord (Reddit). A test page for the certificate is linked: reaching it without a browser privacy error means your machine trusts eDellRoot and is affected. Mozilla Firefox keeps its own certificate store rather than using the Windows one, so it does not trust the Dell certificate and should be safe to use. To remove it:
According to an analysis [PDF] by Duo Security, a bundled plugin reinstalls the root CA file if it is removed, so deleting the certificate alone is not enough. First delete Dell.Foundation.Agent.Plugins.eDell.dll from your system (search for it), then remove the eDellRoot root CA certificate.
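The checks and removal steps above, as an added example for an elevated PowerShell prompt on the affected machine (this is not code from the article, Duo Security or Dell). It assumes the certificate's subject is "CN=eDellRoot" as the article names it, that the plugin file name is the one Duo reported, and that the plugin lives under one of the guessed search roots; it reports whether the private key is actually present in the store and whether the cert is a CA with unrestricted key usage, which is what makes the finding serious.

```powershell
# Added example: find eDellRoot, report why it is dangerous, remove the
# plugin that reinstalls it, then remove the certificate and its key.
# Assumed values (not taken from the article): search roots for the DLL.
$subject     = 'CN=eDellRoot'
$pluginName  = 'Dell.Foundation.Agent.Plugins.eDell.dll'
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)

# 1. Look in both trusted-root stores the OS consults.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -eq $subject }
}

if (-not $found) {
    Write-Host "No $subject certificate in the Root stores; nothing to do."
} else {
    foreach ($cert in $found) {
        # HasPrivateKey is the decisive check: a trusted root whose private key
        # sits on the box lets anyone who extracts it mint certificates that
        # every Windows application trusting the store will accept.
        $bc  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuText = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object FriendlyName) -join ', ' } else { 'none (all purposes, including code signing)' }
        Write-Host ("Found {0} in {1}" -f $cert.Subject, $cert.PSParentPath)
        Write-Host ("  thumbprint: {0}" -f $cert.Thumbprint)
        Write-Host ("  valid {0:u} to {1:u}" -f $cert.NotBefore, $cert.NotAfter)
        Write-Host ("  private key in store: {0}" -f $cert.HasPrivateKey)
        Write-Host ("  is CA: {0}; EKU: {1}" -f [bool]($bc -and $bc.CertificateAuthority), $ekuText)
    }

    # 2. Remove the plugin first; otherwise the certificate returns on the next boot.
    $plugins = Get-ChildItem -Path $searchRoots -Filter $pluginName -Recurse -File -ErrorAction SilentlyContinue
    foreach ($dll in $plugins) {
        Write-Host "Removing plugin $($dll.FullName)"
        Remove-Item -LiteralPath $dll.FullName -Force
    }
    if (-not $plugins) {
        Write-Warning "Plugin DLL not found under the assumed search roots; widen the search, or the certificate may be reinstalled."
    }

    # 3. Delete the certificate(s). The Cert: provider adds -DeleteKey to
    #    Remove-Item so the stored private key is discarded as well.
    foreach ($cert in $found) {
        Remove-Item -LiteralPath $cert.PSPath -DeleteKey
    }

    # 4. Verify, and remind the operator that the plugin acts at boot time.
    $remaining = foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object { $_.Subject -eq $subject }
    }
    if ($remaining) {
        Write-Warning "Certificate still present; re-run after the plugin is gone."
    } else {
        Write-Host "eDellRoot removed. Reboot and re-run this script to confirm it does not come back."
    }
}
```

The order matters: the script deletes the DLL before the certificate because the article's whole point is that the plugin undoes the certificate removal. The final re-check after a reboot is the only real confirmation that the reinstall path is closed.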
Dell has admitted the mistake and says it will soon publish its own removal guide; until then, the steps above will do:
The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.
How about a little comedy courtesy of Reuters?
Dell said it would provide customers with instructions to permanently remove the certificate by email and on its support website, a process that will likely be highly technical.
(Score: 2) by q.kontinuum on Tuesday November 24 2015, @05:24AM
Why wouldn't they simply provide an update which removes the dodgy certificate? That wouldn't be so highly technical for the end user.
--
Written on my DELL laptop - Windows free, hopefully backdoor free.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 5, Informative) by tibman on Tuesday November 24 2015, @05:37AM
Looks like they are currently doing the opposite: https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/cxa8oyk
SN won't survive on lurkers alone. Write comments.
(Score: 1, Funny) by Anonymous Coward on Tuesday November 24 2015, @05:39AM
Because it would be useless for those running Linux.
(Score: 0) by Anonymous Coward on Tuesday November 24 2015, @08:12AM
Are you implying the said dll was in any way useful for those running Linux?