Carter Yagemann

Assistant Professor of Computer Science and Engineering at the Ohio State University with interests in automated vulnerability discovery, root cause analysis, exploit prevention, and cyber-physical security.

Understanding Dell’s Root Certificate Problem


Originally written for the Syracuse University College of Engineering blog.

A recent discovery in the security community has researchers concerned about Dell devices. Some of these devices have been found to contain something known as a self signed root certificate. Installed by the manufacturer for advertising purposes, these certificates pose a risk to users. This is not the first time this has happened, there was an early case involving Lenovo devices known as Superfish. In this article I will try to explain the problem in an approachable manner as well as point readers towards actions they can take to protect themselves. What are these self signed root certificates the security experts talk about and why are they dangerous? Understanding the problem requires understanding some of the characteristics of something known as the public key infrastructure. PKI is complex in practice, but we can use a simplified model to understand the problem at hand. All we need to know is that there are keys and certificates. By using a key, one can create certificates. If we trust the party who holds a particular key, then we can trust the certificates made from that key. Trust, in this case implies two fundamental trusts. First, that the party that holds the key will keep that key secret. Second, that party will only make certificates for other trustworthy parties. This is the network of trust upon which we perform our sensitive internet tasks such as banking, shopping, and communicating. The problem with the Dell root certificate and Superfish is that the manufacturer has created a "trusted" key which sits on every user's device. The same key. Steal this key from any one device and now that thief can create certificates that will be trusted by all devices. Google, Facebook, Bank of America, Amazon, all of these parties can be impersonated by creating new certificates. Exposing users to such a risk is a severe oversight. Thankfully, the concerns of the security community have been heard and users can now take actions to remove these self signed root certificates. If you use a Dell or Lenovo device, I encourage you to consult your manufacturer's website for more details:

About The Author

Carter Yagemann ’15 is a master’s student studying computer science in Syracuse University’s College of Engineering and Computer Science. A research assistant in Professor Kevin Du‘s Android security lab, his interests include mobile security and security education. He explores problems such as how to ensure security and privacy in Android inter-component communication. Yagemann is a student member of ACM and IEEE and competes in cybersecurity competitions with the Information Security Club in Syracuse University’s School of Information Studies (iSchool).