Dell moves to fix built-in security flaw
The ghost in this machine is unfriendly, downright dangerous even.
Dell announced a fix Monday for the “eDellRoot” certificate it installed on laptops and PCs that “unintentionally introduced a security vulnerability risk” to its customers.
Dell continued, “The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information.”
The security flaw, which gained widespread attention as news of it spread on Reddit, leaves users’ communications, passwords, usernames and other sensitive information potentially exposed to “man-in-the-middle” attackers, while the users themselves remain unaware that their connections and information lack the protection they appear to have.
Security experts told the BBC that the software had two flaws: “It would allow traffic to be intercepted, potentially exposing sensitive information; secondly, the key could be used to make a user's computer misidentify unsafe connections as safe.”
One scenario computer security expert Graham Cluley outlined on his website involves hackers “[hanging] out in hotel lobbies, coffee shops and airport lounges, and [exploiting] the flaw through a silent man-in-the-middle attack, decrypting Wi-Fi communications without the knowledge of the victim.”
Dell addressed the issue by including instructions for the certificate’s removal and added that it will be removed from all of its new systems moving forward. Dell said that it will release an update that will check for the certificate and remove it if detected, starting Nov. 24.
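Whether a Windows machine carries the certificate can be checked from PowerShell. The script below is an added example, not Dell’s removal instructions or anything from this article; it assumes the certificate’s subject contains the name eDellRoot, as reported, and it goes a step beyond that one case by also flagging any trusted root certificate whose private key is present on the machine, since a root with a locally available private key is exactly what allows forged certificates for any site to be accepted as valid.

```powershell
# Added example (not from the article or from Dell): audit the trusted root
# certificate stores for eDellRoot and for any trusted root whose private key
# lives on this machine. Run from an elevated PowerShell prompt on Windows.

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $isEDellRoot = $_.Subject -like '*eDellRoot*'
        # HasPrivateKey is true when the private key for this certificate is
        # stored locally. A trusted ROOT should normally never have its private
        # key on an end-user machine; legitimate exceptions (an internal CA host,
        # a developer test CA) should be recognisable by subject name.
        if ($isEDellRoot -or $_.HasPrivateKey) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                Reason        = if ($isEDellRoot) { 'eDellRoot certificate' }
                                else { 'trusted root with local private key' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize

    # To remove a flagged certificate after reviewing the output, delete it by
    # thumbprint from the store it was found in, e.g.:
    #   Remove-Item -Path "Cert:\LocalMachine\Root\<THUMBPRINT>"
    # (Replace <THUMBPRINT> with the value printed above.)
} else {
    Write-Host 'No eDellRoot certificate and no trusted roots with private keys found.'
}
```

Review each flagged entry before deleting it; an organisation that runs its own certificate authority on the same machine will legitimately trigger the private-key check.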
Earlier in the year, rival Lenovo made headlines after adware called Superfish came pre-installed on its computers. The program was intended to aid users in their online shopping although experts warned that it was insecure. Superfish installed unwanted ads onto web pages and Google searches in addition to a certificate that left personal information unprotected.