Dell admits preinstalling root certificate and pledges to remove it

A root certificate preinstalled in its computers has introduced an "unintended security vulnerability", according to Dell.

Dell said commercial customers who image their own systems will not be affected by this issue, and reaffirmed the company does not preinstall any adware or malware on their machines.

"Customer security and privacy is a top concern and priority for Dell," a spokesperson said. "We are also removing the certificate from all Dell systems moving forward.

"To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site, and technical support."

According to German security blogger and journalist Hanno Böck, the root certificate is installed in the system's certificate store under the name "eDellRoot", and is inserted by software called Dell Foundation Services, which is still available for download on Dell's website.

The description for the Dell-owned package says it provides foundational services facilitating customer serviceability, messaging, and support functions.

"Every attacker can use this root certificate to create valid certificates for arbitrary web pages," he said. "Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies."

Dell said the certificate will not reinstall itself once it is properly removed using the recommended Dell process.