It is not good news for Dell laptop lovers. According to a programmer named Joe Nord, some Dell laptops ship with a preinstalled root certificate, eDellRoot, which makes the system trust any SSL certificate signed with it.
The main issue with the eDellRoot certificate is that its private key is stored locally on the machine, which lets a malicious user sign their own certificates with it and expose unsuspecting users to any kind of SSL attack. If you inspect the certificate, Windows tells you plainly: “You have a private key that corresponds to this certificate”.
Why is this so alarming? For obvious security reasons, the private key that corresponds to a root certificate should belong to the issuing authority, not to the user, as it does here. Sadly, this case is very similar to Lenovo’s infamous Superfish adware scandal that broke in February of this year. FYI, Lenovo was shipping computers with similar self-signed root certificates. The only difference, as far as is currently known, is that Dell does not use its certificate for ads; it simply sits there like a bomb waiting for a tech-savvy attacker.
According to Joe Nord:
Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid.
Since the private key is stored locally, an attacker could extract it and use it to sign certificates that make malicious traffic appear legitimate to a Dell laptop. Such an attack would be very effective on public Wi-Fi, where it would let attackers intercept the private information of unsuspecting users. To resolve this vulnerability, users have to manually remove trust in this certificate.
The offending certificate can be found under Trusted Root Certificates in the Microsoft Management Console. Currently known affected devices are the XPS 15, XPS 13 and Inspiron 5000. Since these are among the most popular models with Dell customers, it is likely that eDellRoot will be found on other devices too.
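The manual check described above, as an added PowerShell example that is not part of the original article: it searches the machine's Trusted Root store for a certificate whose subject is eDellRoot, reports whether a private key is attached to it (the programmatic form of the notice quoted earlier), and, with a `-Remove` switch that is this example's own, removes it. The store path parameter and function name are assumptions of this example.

```powershell
# Added example, not from the original article.
# Run from an elevated PowerShell session when using -Remove.
function Find-EDellRoot {
    param(
        # Machine-wide Trusted Root Certification Authorities store.
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        # Remove any match instead of only reporting it.
        [switch]$Remove
    )

    # Match on the subject name; no thumbprint is hard-coded here.
    $certs = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match 'CN=eDellRoot' }

    if (-not $certs) {
        Write-Output "No eDellRoot certificate found in $StorePath."
        return
    }

    foreach ($cert in $certs) {
        # HasPrivateKey is true when the store also holds the signing key,
        # i.e. the "You have a private key that corresponds to this
        # certificate" condition the article describes.
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Store         = $StorePath
        }

        if ($Remove) {
            # Deleting the root withdraws trust from everything it signed.
            Remove-Item -Path $cert.PSPath -Force
            Write-Output "Removed $($cert.Thumbprint) from $StorePath."
        }
    }
}

# Report only:
Find-EDellRoot
# Report and remove (elevated session required):
# Find-EDellRoot -Remove
```

The same function can be pointed at `Cert:\CurrentUser\Root` to check the per-user store as well.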