Dell Inc., which led the laptop and PC market until last year, is said to be supplying systems with preloaded self-signed digital certificates that let hackers spy on traffic to any secure website.
According to a few reports that first surfaced on Reddit, the company is shipping PCs with a root certificate that has the power of a certificate authority and comes bundled with its corresponding private key, which makes the situation worse.
With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops.
The certificate, called eDellRoot, was added to Dell consumer and commercial devices starting in August with the intention of providing better customer support. Thus, laptops purchased in and after August have the certificate preloaded. When a PC engages with Dell's online support services, the certificate provides the system service tag, allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, RAM capacity and so on, making it easier and faster for the customer service agent to provide support.
Although Dell introduced the certificate with good intentions, hackers are taking advantage of it. To exploit this issue, attackers must be in a position to intercept traffic between an affected Dell laptop and an HTTPS-enabled website. The hackers can then act as a proxy between the laptop and the website by re-encrypting the traffic with a rogue certificate that is signed with the eDellRoot private key.
The other notable aspect of this vulnerability is that hackers can use the eDellRoot private key to sign malware.
In a similar incident this year, Lenovo was accused by its users of preloading an adware program called “Superfish” on some of its laptops. The adware installed a self-signed root certificate on laptops purchased between January and August this year and allowed man-in-the-middle attacks.
Dell reacted immediately to the outcry on social media and is now providing customers with removal instructions, and it has agreed not to include the feature in future production. It is also in talks with Microsoft, which has the power to send an update that nullifies this feature in one go on Windows 8 and Windows 10 PCs.
Presently, reports indicate that the Dell XPS 15 and Dell XPS 13 models, along with some Latitude and Inspiron 5000 series models, are affected.
Users who believe they might be affected can simply visit a test website and see whether it loads with a “no-certificate error”. If it does, that indicates the PC has the eDellRoot certificate installed.
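The presence of the certificate can also be checked locally in the Windows certificate store. The PowerShell below is an added example, not Dell's tooling or code from the original article; it assumes the certificate can be recognised by the name eDellRoot in its subject or friendly name, since the article gives no thumbprint, and it only reads the stores.

```powershell
# Added example: read-only search of the Windows certificate stores for
# certificates named eDellRoot (the name given in the article).
# Assumption: matching is by name only; no thumbprint is given in the article.
$name = 'eDellRoot'

# Walk every store under the machine and current-user locations.
# Some stores may not be readable by the current account; skip those quietly.
$hits = Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse `
            -ErrorAction SilentlyContinue |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        ($_.Subject -like "*$name*" -or $_.FriendlyName -like "*$name*")
    }

if (-not $hits) {
    Write-Output "No certificate named $name found in the machine or user stores."
}
else {
    $hits | ForEach-Object {
        [pscustomobject]@{
            StorePath     = $_.PSParentPath
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            # Subject equal to issuer means the certificate is self-signed.
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            # A copy in a Root store is trusted as a certificate authority.
            InRootStore   = ($_.PSParentPath -like '*\Root')
            # True when the matching private key is stored on this machine.
            HasPrivateKey = $_.HasPrivateKey
        }
    } | Format-List
}
```

A hit with `InRootStore` set to True is the condition the article describes: a name-matched root that Windows-store browsers will trust for any site.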
Note: If we go to this test website, even laptops purchased before 2009 are showing the same error. Maybe contacting customer support will do the trick.
Otherwise a hard curve ahead!