Earlier this year, several cases came to light where brand new Lenovo laptops came preinstalled with a strain of adware that was being used by hackers to steal sensitive data. This adware was known as ‘Superfish’ and it affected thousands of PC users around the world. The Superfish adware effectively exposed these new Lenovo laptops to man-in-the-middle (MITM) attacks and led to a drastic vulnerability in online security and privacy.
Over the last few days, it has been discovered that Lenovo is not the only PC manufacturer that has to deal with such issues. Dell, the world’s 3rd largest PC manufacturer behind Lenovo, is now facing flak because a similar malware has been discovered on some new Dell machines as well. This security flaw was discovered a few days back and it has been termed eDellRoot.
What is eDellRoot and what does it do?
The issue garnered attention because eDellRoot is a rogue SSL certificate that came preinstalled in several brand new Dell desktops and laptops. What this rogue certificate allows attackers to do is stage highly efficient and foolproof MITM attacks. So when a user is browsing the web or carrying out some online banking transactions, eDellRoot enables an attacker to impersonate the seemingly secure HTTPS page at any stage. This can lead to dangerous phishing attacks and the loss of highly confidential information.
Another highlight of eDellRoot is that it can reinstall itself even when it is spotted and deleted from a machine. While eDellRoot is not malicious in nature itself, it can easily be extracted and used by an attacker for nefarious purposes. Ultimately, this can lead to a loss of login IDs, passwords, browsing information, cookies and other crucial information.
How to check if your Dell machine has eDellRoot
If you have recently purchased a Dell machine, then you need to carry out the following steps to see if eDellRoot is present:
- Open the Start menu and type certmgr.msc into the search box
- Click on Trusted Root Certification Authority in the left panel
- Click on Certificates in the right panel and see if you can find eDellRoot
- If you see eDellRoot there, right-click on it and delete it
However, it has been reported that even after doing this, the eDellRoot certificate reappears when the machine is rebooted. It has also been reported that Mozilla Firefox informs users about the un-trustworthy nature of this certificate. So users of new Dells are advised to use Mozilla Firefox as their web browser.
Several sources have claimed that in order to successfully delete the eDellRoot certificate completely from a system, it is necessary to remove the Dell.Foundation.Agent.Plugins.eDell.dll module from the system. We are working on gathering more information about these steps and whether it works and will be sharing an update on them soon. So stay tuned for more instructions on how to remove eDellRoot from your Dell system. You can also read more about this security vulnerability here.
The trend of preinstalling new laptops with unsafe security certificate seems certain to continue and highlights growing negligence by OEMs to ensure that their machines are completely secure. Whether OEMs actually take these incidents in their stride and consciously alter their certificate strategies in the future remains to be seen.
The Hacker News