How to remove Dell's 'Superfish 2.0' root certificate - permanently

Dell's eDellRoot certificate blunder exposes users to a range of malicious attacks, but guidance is now available for its permanent removal.
Written by Liam Tung, Contributing Writer

Dell has been slammed by security experts for blatantly disregarding user security, by including a digital certificate on its PCs that allows an attacker to install malware on the system.

Dell on Monday vowed to remove the offending certificate following an outcry by users that the computer giant had repeated the same security blunder made by rival Lenovo less than a year ago, putting its customers at risk of malicious attacks.

The company plans to remove the certificate in a rolling software update, starting today.

For Dell hardware owners who don't want to wait for Dell to eliminate the offending eDellRoot certificate, security firm Duo Security has provided instructions on how to remove it immediately.

Its researchers note in a new paper that the private key shipped with the certificate -- a serious cryptographic blunder on Dell's part -- in the hands of an attacker would allow them to sign malicious code as safe and legitimate, or dupe targets into unknowingly visiting a malicious web page.

Duo Security stressed that simply removing the eDellRoot certificates from the root and personal certificate stores is not enough to protect users. Some users had indeed reported that the certificate reappeared after rebooting.

According to Dell, the root certificate eDellRoot is inserted by software called Dell Foundation Services, and was purely there to provide support and service to end users.

To remove it permanently and prevent it being reinstalled, users need to remove the eDell plugin.

"This can be accomplished by deleting the Dell.Foundation.Agent.Plugins.eDell.dll module from the system. Failure to do so may result in continued exposure to this security flaw," Duo Security said.

"Note that if you ever perform a factory reset on your Dell system, this certificate and the eDell plugin will be restored to the system and you will have to manually remove it again," it added.
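The removal steps described above (clear the certificate from the root and personal stores, then remove the eDell plugin so it cannot put the certificate back) as an added PowerShell example. This script is not from the article, Dell or Duo Security; it matches the certificate by its "eDellRoot" subject name rather than a thumbprint the article does not give, assumes the Dell.Foundation.Agent.Plugins.eDell.dll file sits somewhere under Program Files, and assumes the Dell Foundation Services Windows service has a display name beginning with "Dell Foundation". Run the audit functions first; the removal function supports -WhatIf for a dry run.

```powershell
# Added example (not the article's, Dell's or Duo Security's code): audit and remove
# the eDellRoot certificate and the eDell plugin DLL named in the article.
# Assumptions (not stated in the article): match on subject name "eDellRoot",
# DLL located under Program Files, service display name "Dell Foundation*".
#Requires -RunAsAdministrator

$StoresToCheck = @(
    'Cert:\LocalMachine\Root',   # machine-wide trusted roots
    'Cert:\CurrentUser\Root',    # per-user trusted roots
    'Cert:\LocalMachine\My',     # machine personal store (where a shipped private key would live)
    'Cert:\CurrentUser\My'       # per-user personal store
)
$PluginDll = 'Dell.Foundation.Agent.Plugins.eDell.dll'   # file name quoted in the article

function Find-EDellRoot {
    # Report every eDellRoot certificate found and whether a private key is attached to it.
    foreach ($store in $StoresToCheck) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*eDellRoot*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A trusted root whose private key is present on the machine is the core problem:
                    # anyone who extracts it can sign code or TLS certificates this PC will trust.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Find-EDellPlugin {
    # Locate the plugin DLL that re-adds the certificate after a reboot.
    # Search roots are an assumption; adjust if Dell Foundation Services is installed elsewhere.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Filter $PluginDll -Recurse -File -ErrorAction SilentlyContinue
}

function Remove-EDellRoot {
    param([switch]$WhatIf)

    # 1. Stop the service first so the plugin cannot re-add the certificate mid-cleanup.
    Get-Service |
        Where-Object { $_.DisplayName -like 'Dell Foundation*' -and $_.Status -eq 'Running' } |
        Stop-Service -Force -WhatIf:$WhatIf

    # 2. Disable the plugin DLL. Renaming keeps a copy for later analysis; use Remove-Item to delete.
    foreach ($dll in Find-EDellPlugin) {
        Rename-Item -Path $dll.FullName -NewName ($dll.Name + '.disabled') -WhatIf:$WhatIf
    }

    # 3. Remove the certificate(s) from every store, deleting the private key along with them.
    foreach ($cert in Find-EDellRoot) {
        Remove-Item -Path (Join-Path $cert.Store $cert.Thumbprint) -DeleteKey -WhatIf:$WhatIf
    }
}

# Audit first, then remove. Reboot and run Find-EDellRoot again to confirm it did not return.
Find-EDellRoot | Format-Table -AutoSize
Find-EDellPlugin | Select-Object FullName
# Remove-EDellRoot -WhatIf   # dry run: shows what would be stopped, renamed and removed
# Remove-EDellRoot           # perform the removal
```

The order matters: stopping the service and disabling the DLL before deleting the certificate is what makes the removal stick across reboots, which is the point Duo Security makes about certificate-store deletion alone being insufficient. As the article notes, a factory reset restores both the plugin and the certificate, so the audit function is worth re-running after any reset.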

Duo Security researchers Darren Kemp, Michail Davidov and Kyle Lady said the company had been analysing the eDellRoot issue before it came to public attention on the weekend.

Using the Censys IPv4 internet scanning project, it discovered a second eDellRoot certificate at 24 IP addresses scattered across North America, Europe and Asia. It said this discovery suggests Dell has previously made the same error of distributing identical keys on multiple models.

"This seems to be a blatant disregard for basic cryptographic security, when the goal of having a cryptographic certificate for Dell software to use could have been accomplished by, e.g., shipping a program that generates a unique certificate the first time you boot the computer up," the company said.

It also discovered that one of the 24 IP addresses using the certificate to provide web services over an encrypted connection was a supervisory control and data acquisition (SCADA) system, the kind of system used in large industrial plants.

"How this particular misconfiguration happened is unclear, but what is clear is that this certificate is showing up in some extremely unusual and frankly concerning places," Duo Security noted.

Additional instructions from Dell on how to remove the eDellRoot certificate can be found here.
