Dell was thrust into the spotlight yesterday when researchers first broke word of eDellRoot, a rogue certificate authority quietly installed on Windows machines that can be exploited by man-in-the-middle attackers to decrypt people's encrypted web traffic.The Texas PC-slinger said the issue was merely a mishap related to its user support tools. Dell bristled at suggestions the flaw should be considered malware or adware, but nonetheless it has provided users with a removal tool.The American biz has also pushed a software update that will automatically remove the vulnerable root CA cert from its machines. Dell has published a guide on how to remove the web security backdoor it installed in its Windows laptops and desktop PCs.This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole it in their defenses.New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines' owners at risk of identity theft and banking fraud.The self-signed certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell's cert and key to silently decrypt the victims' web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

Dell has posted information [.docx] on how to do this properly, and future machines will not include the dangerous root CA cert. A software update process will run from November 24 that will remove the certificate automatically from machines, we're told.The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.
Dell said that it started including the root CA certificate with machines in August, although an Inspiron 15 series laptop we bought in July has an eDellRoot certificate on it.We deeply regret that this has happened and are taking steps to address it, added Laura Thomas, Dell's chief blogger.The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information.

• Battery for HP ProBook 6475b


• Battery for HP ProBook 4540s


• Battery for HP Probook 4535s


• Battery for HP Probook 4530s


• Battery for HP ProBook 4525s


• Battery for HP ProBook 4515s


• Battery for HP Probook 4431s


• Battery for HP Probook 4430s


• Battery for HP Probook 4331s


• Battery for HP Probook 4330s

It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.If you've got a new Dell, you can check here to see if you the dodgy root CA cert installed. For everyone, we'll leave you with this nightmare fuel... Updated The rogue root certificate in new Dell computers – a certificate that allows people to be spied on when banking and shopping online – will magically reinstall itself even when deleted.El Reg can confirm that the eDellRoot root CA cert, discovered over the weekend, automatically reappears when removed from the Windows operating system. We tried this on a Windows 8 Inspiron 15 series laptop that was bought in July this year for our San Francisco office.You can find the dangerous certificate by opening up the Start menu, select Run, type in certmgr.msc into the box and hit Enter. Then open up the Trusted Root Certification Authority folder on the left, then Certificates, and in the window should appear eDellRoot. That's the SOB you're looking for. Right-click over it, hit Remove, click through the warning box. And it's gone.

Then reboot, reopen certmgr.msc – the Windows certificate manager – and search for the certificate eDellRoot. Bingo, it's back. Visiting one of the websites that test whether you have a vulnerable certificate installed reveals that, yes, the removed root CA cert was put back during or after the reboot.Lenovo had a similar party trick with its bloatware earlier this year, using Microsoft's Windows Platform Binary Table. How Dell reinstates the missing certificate is not clear at this stage.
But the cat came back the very next day, er, reboot ... the Dell eDellRoot cert that just won't die (click to enlarge)
This means that the recommended procedure to get rid of the vulnerable root CA file on Windows will not work, as the component reappears upon restart. The certificate, issued by Dell in April and expires in 2039, contains a private key that can be extracted and used to pull off man-in-the-middle attacks on Dell owners – like Lenovo's Superfish cluster-fsck.For example, usernames, passwords, session cookies and other sensitive information can be silently siphoned from affected Dell machines when they connect to the web through malicious Wi-Fi hotspots in cafes, hospitals, airports, and so on.People with recent XPS, Precision and Inspiron models should use Mozilla's Firefox to browse the web as this software has its own set of trusted certification authorities, and ignores the dangerous eDellRoot cert.

Dell's support line tells people the certificate doesn't cause any threat to the system. On Twitter, the IT giant said: Customer security and privacy is a top concern for Dell. We are investigating the issue and will have further updates soon.According to an analysis [PDF] by Duo Security, a bundled plugin reinstalls the root CA file if it is removed. First, you must delete Dell.Foundation.Agent.Plugins.eDell.dll from your system (search for it) and then remove the eDellRoot root CA certificate.The cert, we're told, is used with the plugin for receiving cryptographically signed telemetry requests; said telemetry includes things like the machine's service tag, a seven-character serial number that identifies the computer model, if not the individual machine.This highlights a disturbing trend among original equipment manufacturer (OEM) hardware vendors. Tampering with certificate stores exposes users to unnecessary, increased risk, the Duo team – Darren Kemp, Mikhail Davidov, and Kyle Lady – wrote in their report.Tampering with the certificate store is a questionable practice, and OEM’s need to be careful when adding new trusted certificates, especially root certificates. Sadly, OEM manufacturers seem to not be learning from historical mistakes and keep making them over and over.

• Battery for HP PR08


• Battery for HP PR06


• Battery for HP Pavilion N6100


• Battery for HP Pavilion G7


• Battery for HP Pavilion G6


• Battery for HP Pavilion G4


• Battery for HP Pavilion DV7


• Battery for HP Pavilion DV6


• Battery for HP Pavilion DV4


• Battery for HP Pavilion dm1


• www.all-laptopbattery.com

Dell ships computers with all the tools necessary for crooks to spy on the owners' online banking, shopping, webmail, and more.The US IT titan installs a powerful root CA certificate, including its private key, on its Windows notebooks and desktops. These can be abused by eavesdropping miscreants to silently decrypt encrypted web browser traffic without victims noticing.If you try to remove the dodgy certificate, the file is automatically reinstalled during or after the next boot up. The self-signed root CA cert appears to have been created in early April this year, and expires in the year 2039.How can this certificate be abused? Well, an attacker could, for example, set up a malicious Wi-Fi hotspot in a cafe or hospital, intercept connections from Dell machines, and then automatically strip away the encryption – a classic man-in-the-middle attack, all enabled by Dell's security blunder.The decrypted traffic will include usernames, passwords, session cookies, and other sensitive information. The root CA certificate – eDellRoot – can even be used to sign programs, allowing scumbags to dress up malware as legit apps.Web browsers, and other software, running on the affected Dell hardware will trust any certificates issued by eDellRoot. When the browser tries to connect to, say, your bank's HTTPS-protected website, it could in fact be connecting to a malicious system on your network, such as the aforementioned evil wireless hotspot. This system can pretend to be your bank's website, using an eDellRoot-signed SSL certificate, and you would be none the wiser as you type in your username and password. The intercepting system can even log into the bank on your behalf and pass the webpages back to your browser so you're none the wiser of what's going on.

Dell customers reported over the weekend finding the root CA certificate on newer Dell XPS, Precision and Inspiron desktops and notebooks.So far, we've seen reports on Twitter and Reddit of the following affected gear: the XPS 15, Latitude E7450, Inspirion 5548, Inspirion 5000, Inspiron 3647, and the Precision M4800.Information security expert Kenn White has created a webpage that demonstrates how vulnerable Dell computers will happily accept HTTPS connections signed with the eDellRoot key.Crucially, White also said Firefox is not affected by the rogue certificate because it uses its own set of trusted certs.Another site to test whether your Dell is vulnerable to man-in-the-middle attacks can be found here.Dell computer owner Joe Nord, who blogged details of the certificate installed in his Inspirion machine, noted the obvious security flaw with eDellRoot.Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit, he explained. Where it breaks down is that the private key IS PRESENT on my computer and that means ... bad.Dell has yet to respond to a request for comment on the matter, although the Dell Cares support account on Twitter is downplaying the risk of attack for users:The issue is just like Lenovo's February Superfish scandal in which the PC-slinger was caught loading its machines with a tool capable of intercepting SSL traffic and injecting adverts into pages. In fact, the Dell certificate was created months after the Superfish blowup – was no one at the Texas goliath paying attention?

To add a comment please login by clicking here