Dell hit by fresh Superfish scandal that leaves PCs open to attack

24 Nov 2015

Computer giant injected its own PCs with software that makes the computers vulnerable to cyber attacks.

Almost a year after Lenovo had to apologise for shipping PCs with Superfish adware that potentially exposed consumers to cyberattacks, US tech giant Dell has been hit with a similar problem.

Dell is understood to have been shipping PCs that come preinstalled with a digital certificate that hackers can use to cryptographically impersonate HTTPS-protected websites.

The issue is eerily reminiscent of the debacle that hit Lenovo when adware installed on PCs left consumers vulnerable to cyber attack.

Dell is understood to have installed the transport layer security (TLS) credential eDellRoot itself as a root certificate on two computers – the Inspiron 5000 series notebook and the XPS 15.

Dell Superfish opens up consumers to attacks

Potential hackers can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected websites.

The problem was discovered by security researcher Joe Nord.

What this means is any of the computers with the root certificate will fail to warn users that the encrypted pages they may visit have been compromised.


This means hackers could direct consumers to what they think are legitimate websites but which could leave them open to attack.

“A malicious hacker could exploit this flaw on open, public networks (think Wi-Fi hotspots, coffee shops, airports) to impersonate any website to a Dell user, and to quietly intercept, read and modify all of a vulnerable Dell system’s web traffic,” warned Brian Krebs of Krebs on Security.

It is understood that the eDellRoot certificate was installed on desktops and laptops shipped from August 2015 to today.

The idea was Dell customer support would be able to assist customers in troubleshooting technical issues.

“Unfortunately, the certificate introduced an unintended security vulnerability,” Dell stated.

“To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support.”
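For administrators who want to check their own fleet rather than wait for emailed instructions, the following PowerShell audit is an added example; it is not from the article and is not Dell's own removal procedure. It searches the Windows root and intermediate stores for a certificate whose subject contains eDellRoot (the name given in the article), reports whether the private key is present on the machine, which is the condition that makes impersonation possible, and deletes the matches only when run with the -Remove switch. The store paths and the -DeleteKey behaviour are standard Windows certificate-provider features; the thumbprint is deliberately not hard-coded because the article does not give it.

```powershell
# Added example (not from the article or from Dell): audit Windows certificate
# stores for a trusted root named eDellRoot and report whether its private key
# is present. Run from an elevated PowerShell session; add -Remove to delete.
param(
    [switch]$Remove
)

# Stores where a self-installed trust anchor would normally be placed.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'CN=eDellRoot' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                # A root whose private key is on the machine can be used to
                # sign certificates for any site; that is the dangerous case.
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                Path          = $_.PSPath
            }
        }
}

if (-not $findings) {
    Write-Output 'No eDellRoot certificate found in the inspected stores.'
    return
}

$findings | Format-Table Store, Thumbprint, HasPrivateKey, NotAfter -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # -DeleteKey also removes the associated private key from the key store,
        # so the credential cannot be reused after the certificate is gone.
        Remove-Item -Path $f.Path -DeleteKey -Force
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
    Write-Output 'Re-run this script later to confirm the certificate has not reappeared.'
}
```

Running the script without -Remove is safe for inventory purposes and can be pushed through any remote-execution tooling; the HasPrivateKey column is the one to triage on, since a trusted root whose key is present locally is exactly what allows forged HTTPS certificates to pass without a browser warning.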

Security researcher Graham Cluley said the vulnerability makes it easy for online criminals to spy on your online activity, including intercepting your email, online purchases and online banking.

“Yes. It is bad. The issue, which first became well known via a Reddit post, [revealed that] affected Dell computers are being shipped with a pre-installed trusted root certificate – called eDellRoot – that can intercept HTTPS-encrypted traffic for each and every website you visit,” Cluley said.

In this way, supposedly secure communications can be eavesdropped upon, and passwords, usernames, session cookies and other sensitive information could fall into the hands of malicious hackers.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
