Dell Ships PCs With Massive Security Risk


Dell has confirmed that it shipped computers with a major built-in security flaw. The unintentional mistake could expose users to a significant risk of attackers intercepting their personal data.

The issue concerns the certificates that secure SSL/TLS connections. Dell inadvertently shipped PCs and laptops with a root certificate, named eDellRoot, installed in the trusted certificate store together with the certificate's private key. Only the certificate should ever have been installed: the private key must never leave the issuer, and because the same key was present on every affected machine, anyone who extracted it once can sign certificates that all of those machines will trust.

The certificate was meant to help identify Dell computers when they connected to Dell's online support service: the service could check the computer's model number and then provide tailored advice and run automated fixes.

Because the private key shipped alongside the certificate, however, the same root now makes it possible for attackers to impersonate any secure website to an affected machine and eavesdrop on its SSL/TLS connections, including those to online banking sites.

Hackers Could Pose as Any Legitimate Website

For the attack to work, the attacker needs to be able to intercept the victim's traffic, most likely by being on the same network, such as a public WiFi hotspot. With the eDellRoot private key, the attacker can sign a certificate for any secure website the victim visits, and the affected computer will accept it because it trusts the eDellRoot certificate. The attacker then sits in the middle of the connection and can read whatever the user sends to that site.

The result is an attack that takes some effort to set up but is extremely damaging: anything the user of an affected machine sends to a secure website, such as banking details, user names and passwords, social security numbers and credit card numbers, could be read by the attacker.

The connection would still be encrypted, but encrypted to the attacker, who can decrypt everything sent to and from the affected computer. The victim would never know, because the browser raises no warning and still shows the connection as secure, when the opposite is true.

It would also be possible for attackers to generate bogus certificates for look-alike websites and redirect users to those sites in order to phish for sensitive information.

The only way to spot the interception is to view the SSL certificate in the web browser for each secure connection and check who issued it: a certificate for a bank or webmail site should chain up to the public certificate authority that site normally uses, not to eDellRoot. A certificate issued by eDellRoot for a site other than Dell's own support service is a sign that the connection has been intercepted.
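The mechanism described above, as an added example that is not code from the article or from Dell: it rebuilds the eDellRoot situation with a throwaway CA so the trust chain can be inspected with the openssl command-line tool, which the example assumes is installed. Every name in it ("Demo eDellRoot", "Public CA", bank.example) is invented for the demonstration; it also shows the issuer check a user can perform by hand.

```shell
# Added example: reproduce the eDellRoot failure mode with a throwaway root CA.
# Assumes the openssl CLI is available; all names below are made up for the demo.
set -e
WORK=$(mktemp -d)

# Self-signed root CA. $1 = common name, $2 = file prefix under $WORK.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Mint a certificate for hostname $1 using the private key of root $2.
# This is exactly what possession of the eDellRoot private key allows.
mint_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# Does a client whose trust store holds only root $1 accept the minted cert?
# Exit status 0 = trusted (the browser would show a padlock), non-zero = rejected.
client_trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The manual check from the article: read the issuer off the certificate the
# browser received. Prints ROGUE if it chains to the leaked root, OK otherwise.
issuer_check() {
  issuer=$(openssl x509 -in "$WORK/leaf.pem" -noout -issuer)
  case "$issuer" in
    *eDellRoot*) echo ROGUE ;;
    *)           echo OK ;;
  esac
}

make_root "Demo eDellRoot" edellroot   # trusted on every affected machine, key leaked
make_root "Public CA" publicca         # a normal CA whose key is not leaked
mint_leaf bank.example edellroot       # attacker mints a cert for the bank

client_trusts edellroot && echo "affected machine: bank.example certificate accepted"
client_trusts publicca  || echo "clean machine: bank.example certificate rejected"
echo "issuer check: $(issuer_check)"
```

The leaf certificate is accepted only by the client that trusts the leaked root; a machine whose store lacks it rejects the same certificate, which is why removing eDellRoot is the fix. The issuer check is the same information a browser shows in its certificate viewer.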

How to Remove the Rogue 'eDellRoot' Certificate

Dell has published details on its website of how to remove the certificate manually, and says it will also send out an automatic update to permanently remove it in the coming days. (Source: dell.com)

Dell has not yet confirmed exactly which models are affected, but one report lists the Inspiron 3647, Inspiron 5000, Inspiron 5547, Latitude E7450, Precision M4800 and XPS 15. There is also an independently run website at tlsfun.de that will check whether the rogue certificate is present on the machine visiting it. (Source: grahamcluley.com)

A similar security risk surfaced with Lenovo systems in February 2015. In that case, Lenovo notebooks shipped with unwanted adware called Superfish, which installed its own trusted root certificate along with its private key. The adware not only had the potential to spy on users, but could alter web pages using the same weakness described in this article.

What's Your Opinion?

Do you have one of the affected models? Had you heard anything from Dell before reading this article? Has Dell done enough to explain how the problem occurred and reassure customers it will never happen again?


Comments


This is probably the worst of the worst exploits you can have, and would go completely unnoticed as it would not be detected through antivirus or antimalware software. If you own a Dell, please visit the tlsfun.de site to see if your system is exploitable. If it is, remove the root security certificate immediately (visit Dell's site to read how). Both links are in the above article.