Dell is coming under fire after admitting that a support tool pre-installed on many of its consumer PCs contains a serious security flaw that experts say leaves users vulnerable to hacking and security threats.
If exploited, the flaw could allow hackers to spy on a user’s encrypted online activity, including intercepting emails and spying on online banking activity.
In a statement issued late Monday, the company acknowledged it had been made aware of the security flaw and said it would provide customers with instructions to permanently remove the software.
“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability,” read a statement issued by Dell.
“The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”
The company has not revealed how many computers or which specific models are affected; however, according to reports, the company began pre-installing the software in August.
What is the “eDellRoot” flaw and what are the risks?
According to Dell, the “eDellRoot” certificate which contains the security flaw is not malware or adware. The software was designed as a “system service tag,” which would allow Dell’s online support team to quickly identify the model of the computer should customers need service help.
However, the flaw in that certificate can intercept HTTPS encrypted traffic – an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure – allowing hackers to hijack the connection in a man-in-the-middle style attack.
“Criminally-minded hackers could hang out in hotel lobbies, coffee shops and airport lounges, and exploit the flaw through a silent man-in-the-middle attack, decrypting Wi-Fi communications without the knowledge of the victim,” wrote security expert Graham Cluley on his blog.
In layman’s terms – if a hacker exploited the flaw, they would be able to spy on your online activities without your knowledge.
This means they would be able to read your email along with you, or check out your online banking details when you log on.
“Superfish 2.0”
Many experts have likened this flaw to the so-called Superfish Scandal that plagued PC maker Lenovo earlier this year.
Lenovo used pre-installed adware on consumer laptops called Superfish, which was designed to provide users with a “visual search” experience by showing users third-party ads in Google search results. But security experts found that Superfish intercepted encrypted connections, leaving them open.
READ MORE: Lenovo under fire for pre-installing ‘malicious’ adware on laptops
The company came under fire for the way in which it handled the scandal – initially denying that the adware posed any threat to users. Weeks later Lenovo was slapped with a proposed class action lawsuit over the potentially malicious adware.
Dell had a section on some of its product pages reassuring customers that it takes privacy and security seriously, noting, “Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns.”
What Dell models are affected?
Dell has not commented on how many or what models are affected by the security flaw. However, according to customer reports on Reddit, models including the XPS 15, Latitude E7450, Inspirion 5548, Inspirion 5000, Inspiron 3647, and the Precision M4800 are affected.
How to protect yourself
If you think your computer might be affected by the flaw, Dell has provided step-by-step instructions on how to remove the certificate from your system on its support page.
The company added it will push a software update to users sometime Tuesday that will check for the certificate and remove it if it’s detected.
“Additionally, the certificate will be removed from all Dell systems moving forward,” read the company’s statement.
Comments