For years Dell Inc. has been a source of desktops and laptops for organizations that like the company’s pricing and quality. But it has suddenly become a concern for CISOs after acknowledging that a root digital certificate shipped with many of its devices since August has a security vulnerability.
The company issued a statement late Monday after several sites carried reports about the problem with the eDellRoot certificate, a trusted root certificate installed for remote support that ships together with its private key, a raw copy of which could be obtained using several tools. Because the certificate is trusted by the system, a hacker holding that key could set up a public Wi-Fi hotspot and intercept communications by creating a phony Web site. The bug reportedly doesn’t work on Firefox browsers, which maintain their own trust store rather than using the Windows one.
“We deeply regret that this has happened and are taking steps to address it,” Dell spokesperson Laura P. Thomas said. Dell has published instructions for security teams on how to remove the certificate. Commercial customers who re-imaged their systems without Dell Foundation Services are not affected by this issue.
As for employees and partners who have Dell devices, sometime today the manufacturer will push a software update that will check for the certificate and, if detected, remove it. In the meantime owners of Dell laptops can go to this site (https://edell.tlsfun.de) to check if their device has the bad certificate.
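The same check can be run locally instead of visiting the test site. The script below is an added example, not Dell’s tool or the article’s; it matches on the eDellRoot subject name quoted above and assumes the certificate sits in the Windows Root stores.

```powershell
# Added example (not Dell's update): find the eDellRoot certificate in the
# Windows trusted root stores and report whether its private key is present.
# Run from an elevated prompt; nothing is deleted unless -Remove is given.
param([switch]$Remove)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'eDellRoot' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # True: the signing key ships with the cert
            }
        }
}

if (-not $found) {
    Write-Output 'eDellRoot not present in the Root stores.'
    return
}

$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($hit in $found) {
        # Remove-Item on a certificate path deletes the cert; -DeleteKey also removes its private key.
        Remove-Item -Path (Join-Path $hit.Store $hit.Thumbprint) -DeleteKey
        Write-Output "Removed $($hit.Thumbprint) from $($hit.Store)"
    }
} else {
    Write-Warning 'Re-run with -Remove to delete the listed certificate(s).'
}
```

This only clears the trust stores; Dell’s published removal instructions also cover the supporting software that installed the certificate.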
The certificate is not malware or adware, Thomas said, but was intended to provide the system service tag, allowing Dell online support staff to identify the computer model for faster service.
One of the earliest reports about the vulnerability came from Joe Nord, who wondered why his new Dell Inspiron 5000-series laptop would come with a root certificate linked to a private key. His blog post was quickly picked up by others who investigated and confirmed the existence of the certificate.