Dell issued an apology late Monday after news that the company shipped laptops with pre-installed root certificates made waves in the security community and beyond. Dell provided instructions for removing the certificate from several laptop models.
The eDellRoot certificate was installed on laptops by the Dell Foundation Services application, together with its private key, leaving customers open to certificate forgery and ultimately to SSL man-in-the-middle attacks.
The certificate is meant to facilitate customer service rather than to serve advertising, as Lenovo’s Superfish software did. Dell may come off as less intrusive than Lenovo, but the company’s reputation will still be harmed by being the second laptop maker this year to ship with an SSL vulnerability. The vulnerability was discovered by programmer Joe Nord.
“The certificate is not malware or adware,” said a Dell spokesperson. “Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.”
The latter point is there because the certificate is reinstalled by the eDell plugin if it is not fully removed, as pointed out by Duo Security in a post that also identifies an additional certificate vulnerability on the Dell laptop it tested, this one “an Atheros Authenticode signing certificate also shipped with the Bluetooth software.”
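The practical check a defender wants here is whether a machine trusts any root certificate whose private key is present locally, since that is what makes forgery possible, and whether the eDellRoot subject reported in the article is still in the store after removal. The following PowerShell script is an added example, not Dell’s or Duo Security’s code, and it assumes only the standard Windows certificate drive; it matches on the subject name “eDellRoot” from the article and does not assume any thumbprint, which the article does not give.

```powershell
# Added example: audit the trusted root stores for (a) any CA certificate
# whose private key is present on this machine and (b) the eDellRoot subject
# named in the article. A root CA's private key should never be on an
# end-user device: anyone who extracts it can issue certificates the machine
# will trust for any site.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.HasPrivateKey -or $_.Subject -like '*eDellRoot*'
    } | ForEach-Object {
        [PSCustomObject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint   # record it for your own tracking
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
        }
    }
}

if ($findings) {
    Write-Warning 'Trusted root certificates with a local private key or an eDellRoot subject were found:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No trusted root certificate with a local private key or an eDellRoot subject was found.'
}
```

Run it from an elevated PowerShell session so the LocalMachine store is fully readable. Because the article notes that the certificate is reinstalled by the plugin if it is not fully removed, re-run the check after following Dell’s removal process and again after the next reboot; a certificate that reappears means the plugin is still present.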
Certificate vulnerabilities are hardly confined to manufacturers, as a “high severity” flaw was found in OpenSSL this past summer. While there is some danger to Dell of damage to its public relations, the real harm may be in the persistent mistrust of SSL certificates by enterprises, which was identified as a significant security issue in a March study.