Dell Putting Security at Risk with Rogue Root Certificates

By ISBuzz Team
Writer, Information Security Buzz | Nov 26, 2015 09:00 pm PST

A second security issue has been found in Dell devices. The new problem – similar to the first – could leave users’ personal information vulnerable, researchers backed by the US government said.

Dell said it had again released a fix, after doing the same for the first problem earlier this week. In response to this news, security experts from Rapid7, Certivox and Tripwire offered the following comments.

Craig Young, Security Researcher at Tripwire:

Craig Young has put together a simple test for the eDellRoot certificate. When you click the following link, a browser certificate warning means your system is secure; if the page loads without a warning, your browser trusts the rogue root.
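A local version of the check Craig Young's browser test performs, added here as an example that is not from the article, Tripwire or Dell: it enumerates the Windows trusted-root stores for the rogue root and reports whether its private key is present on the machine (as was reported at the time, eDellRoot shipped with its private key, which is what let anyone issue certificates those laptops would trust). The subject name eDellRoot comes from the article; DSDTestProvider, the name commonly given to the second certificate, and the choice of stores to search are assumptions and should be checked against Dell's own advisory.

```powershell
# Added example (not from the article or from Dell): look for rogue Dell root
# certificates in the trusted-root stores and report whether the private key
# is present. Run in an elevated PowerShell to see the LocalMachine store.

# 'eDellRoot' is named in the article. 'DSDTestProvider' is assumed here as the
# subject of the second certificate; confirm it against Dell's advisory.
$RogueSubjects = @('eDellRoot', 'DSDTestProvider')

# Both the machine-wide and the per-user Root stores hold trusted roots, so check both.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Build one regex such as 'CN=(eDellRoot|DSDTestProvider)' from the subject list.
$Pattern = 'CN=(' + (($RogueSubjects | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

$Found = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $Store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                # A trusted root whose private key sits on the same box is the real problem:
                # anyone who extracts it can sign a certificate for any site.
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
}

if (-not $Found) {
    Write-Output 'No rogue Dell root certificates found in the Root stores.'
} else {
    $Found | Format-Table -AutoSize

    # Removal (elevated). Deleting the certificate alone may not be enough if the
    # software that installed it is still present, so apply Dell's fix and re-run
    # this check after a reboot to confirm the certificate has not come back.
    foreach ($Cert in $Found) {
        Remove-Item -Path ("{0}\{1}" -f $Cert.Store, $Cert.Thumbprint) -WhatIf
    }
}
```

The `-WhatIf` on `Remove-Item` makes the script report what it would delete without touching the store; drop it once you are satisfied with the output. The browser test and this script answer the same question from opposite ends: the browser shows whether the platform trusts a leaf signed under eDellRoot, while the store listing shows the root itself and, through `HasPrivateKey`, whether the signing key is sitting on the machine.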

Brian Spector, CEO of Certivox:

“The commercial digital certificate industry in general is broken, and it needs to be replaced. This latest incident is just one of many whereby the commercial certificate authority’s position as a single point of trust is causing serious problems.

In the short term, Dell should immediately stop delivering devices with this root certificate. In the long term, the tech industry must realise that PKI isn’t fit for purpose since the entity holding the root key can have such an adverse impact on the trust relationship with end users.

The best thing to do is start over. A new distributed trust paradigm needs to be established that replaces the single points of failure model.

We are currently working with a small group of impactful partners to bring that future forward and would welcome others into our collective effort.

For more information, please see this recent white paper by Dr. Michael Scott, Chief Cryptographer at MIRACL Labs.”

Tod Beardsley, Security Engineering Manager, Rapid7:

“The news that some Dell laptops are shipping with at least one, and now likely two, rogue root certificates represents a potential security breakdown in the process of laying down the factory operating system image on new laptops for consumer use. Users are urged to contact their support representatives for instructions on how to remove these rogue certificates.

End users rely on factory images of operating systems to be reasonably secure by default; the act of reinstalling an operating system from original sources is often beyond the technical capabilities of the average end user. Dell has the opportunity today to move quickly and decisively to repair the damage, revoke the rogue certificates, and avoid a replay of the Superfish scandal from earlier this year. Responding quickly will be especially important ahead of the Christmas shopping season, as people take advantage of special end-of-year pricing on new laptops for themselves and their families.”