Dell To Kill Attack-Prone Certificate After Criticism
Dell said it will remove a customer support certificate that inadvertently compromised users' security and give customers instructions to permanently remove it from their systems.
The Round Rock, Texas, company's response comes a day after Reddit users criticized Dell for installing the eDellRoot root certificate on new machines, potentially opening the door to so-called man-in-the-middle attacks similar to Superfish bloatware installed on Lenovo PCs early this year.
In a statement, Dell said the certificate was intended to provide better, faster customer support but "introduced an unintended security vulnerability."
[Related: Dell 'Has A Team Investigating' Superfish-Like Bloatware Concerns]
The company said it would give customers instructions to permanently remove the certificate from their systems and that it would remove the certificate from all Dell systems moving forward.
The certificate will not reinstall itself once it is removed using Dell's instructions, the company said.
The eDellRoot was installed on PCs, as well as enterprise servers, and drew the ire of users because machines were being shipped with identical root certificates and private keys. The move opened the door to man-in-the-middle attacks in which attackers using the root certificate and private key can pose as nearly any website and gather information such as bank account details, account credentials and webmail messages from users' machines, cybersecurity experts told CRN.
Dell partners said the bloatware was not much of a concern for their customers. Often, solution providers customize systems for users and remove bloatware as part of that process.
"It's not a big deal," said Stephen Monteros, vice president of business development and strategy at Ontario, Calif.-based Dell partner Sigmanet. "It just means we may have to take it off when we rework the images."
Dell said commercial customers that image their own systems will not be affected by the situation.
PUBLISHED NOV. 24, 2015