Dell has admitted that a pre-installed digital certificate on some of its recently shipped laptops makes them vulnerable to cyber-attacks.
Dell in a statement told Reuters, “The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience…Unfortunately, the certificate introduced an unintended security vulnerability.”
Consumers can remove the pre-installed certificate by hand, but until they do it undermines the trust model of the whole system: the certificate is installed as a trusted root certificate authority, and the key needed to sign with it is present on the affected machines, so an attacker on the same network can present forged certificates that the laptop accepts as genuine. That lets cyber-criminals read private messages, carry out phishing attacks and steal private data over connections the user believes are encrypted.
A report on Ars Technica website says that the Dell computers are shipping with a “digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website.” The report adds that the Inspiron 5000 series notebook and one XPS 15 model are shipping with this faulty root certificate.
Meanwhile Dell has not confirmed which models or computers are shipping with the certificate. For now it is going to provide users with instructions on removing the certificate by email and on its support website, adds Reuters.
A Dell user named Kevin Hicks also took to Twitter to point out the security concerns with the root certificate. Dell initially replied that it was not a threat to the system, but later said it was investigating the issue.
@rotorcowboy We understand your situation. We will reach out to our product group team and let you know as to why eDellroot is present. ^TM
— DellCares (@DellCares) November 22, 2015
Hicks also put out a detailed report on Reddit showing how the eDellRoot certificate can actually be used by a network attacker to create fake certificates for use on real websites. He adds that the computer would have no issues trusting the fake certificate because it would be relying on the eDellRoot certificate.
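To make the chain-validation point concrete, here is an added example (not code from the article, from Dell, or from Hicks's Reddit post). It generates a fresh root CA key pair as a stand-in for eDellRoot (Dell's real key is not used), mints a server certificate for a stand-in hostname with that key, and then checks the forged certificate against two clients: one whose trust store contains the pre-installed root and one that trusts only an unrelated root. The hostname, the certificate names and the validity periods are all assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA generates a self-signed CA certificate and its private key.
// In the eDellRoot case the certificate and its signing key both sat on the
// laptop; here the key is freshly generated and is NOT Dell's key.
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// forgeServerCert mints a certificate for host signed by ca's key. This is
// exactly what a network attacker holding the root's key does to impersonate
// an HTTPS site towards a victim that trusts that root.
func forgeServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname check uses the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientAccepts reports whether a TLS client whose trust store holds exactly
// the given roots would accept leaf as a valid certificate for host.
func clientAccepts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // explicit pool: no fallback to the OS store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Demo plays out the scenario: a leaf for an HTTPS site forged with the
// pre-installed root's key is accepted by a client that trusts that root and
// rejected by a client that trusts only an unrelated root.
func Demo() (acceptedByVictim, acceptedByOthers bool, err error) {
	const host = "www.example.com" // assumed stand-in target, no real interception
	preinstalled, preinstalledKey, err := newRootCA("eDellRoot (stand-in)")
	if err != nil {
		return false, false, err
	}
	unrelated, _, err := newRootCA("Some Other Root CA")
	if err != nil {
		return false, false, err
	}
	forged, err := forgeServerCert(host, preinstalled, preinstalledKey)
	if err != nil {
		return false, false, err
	}
	acceptedByVictim = clientAccepts(forged, host, preinstalled)
	acceptedByOthers = clientAccepts(forged, host, unrelated)
	return acceptedByVictim, acceptedByOthers, nil
}

func main() {
	victim, others, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("client trusting the pre-installed root accepts the forged cert: %v\n", victim)
	fmt.Printf("client trusting only an unrelated root accepts it:            %v\n", others)
}
```

The forged leaf carries a valid signature chain only from the point of view of a machine that already trusts the signing root, which is why a laptop shipped with eDellRoot in its store sees no warning while any other client rejects the same certificate. On an affected Windows machine the practitioner check is to list the root stores (`Cert:\LocalMachine\Root` and `Cert:\CurrentUser\Root` in PowerShell) for a certificate whose subject is eDellRoot and whose `HasPrivateKey` property is true; a root CA entry with a private key present is a red flag regardless of vendor. Removing the store entry alone may not be enough, since Dell's own removal guidance also covered the Dell Foundation Services plug-in that re-created the certificate, a detail the article does not go into.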
While Dell is now promising a fix for the issue, the scenario is being compared to Lenovo’s ‘Superfish’ gaffe in February this year.
Lenovo had installed Superfish on its consumer laptops, and it was revealed that the software compromised the security of encrypted connections, paving the way for attackers to eavesdrop on and carry out man-in-the-middle attacks against those connections.
Now it seems Dell has also pulled a Lenovo with its own pre-installed software.
With Reuters inputs