Who could forget Lenovo’s “Superfish” scandal, when the company was found to have been shipping PCs with adware that introduced a serious security vulnerability? Dell now appears to be suffering the same fate after users found pre-installed software that compromises the security of their Dell laptops.
The issue first came to light on Reddit, where users noticed that their Inspiron 5000 and XPS 15 machines carried a self-signed root certificate called eDellRoot in the Windows trusted root certificate store. Because the operating system trusts that root, an affected computer accepts any SSL/TLS certificate signed by eDellRoot. The private key for eDellRoot ships on the machine alongside the certificate, so anyone who extracts it can sign a certificate for any website. With such a forged certificate an attacker sitting between the laptop and the internet can impersonate any legitimate HTTPS site, and the user would be none the wiser, since the browser shows no warning.
Reports suggest the certificate ships on a wide range of Dell consumer PCs, so the vulnerability likely affects more than just the Inspiron 5000 and XPS 15 models first reported.
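The quickest way to tell whether a machine is affected is to look in the Windows certificate stores. The script below is an added example written for this article, not code from Dell or from the Reddit reports; it assumes Windows PowerShell 5.1 or later with the Cert: drive available, and it matches on the certificate subject name rather than a thumbprint. It reports every eDellRoot certificate it finds and whether the private key is present on the machine, which is the detail that turns a stray root certificate into an HTTPS interception problem.

```powershell
# Added example (not from the article): find eDellRoot in the Windows certificate
# stores and report whether its private key is present on this machine.
# Assumes Windows PowerShell 5.1+ with the Cert: provider; run as Administrator
# so the LocalMachine stores and key containers are readable.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA'
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*CN=eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root is self-signed when subject and issuer are identical.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # True when Windows has a private key associated with this cert.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $found) {
    Write-Output 'eDellRoot was not found in the checked certificate stores.'
} else {
    $found | Format-Table -AutoSize
    if ($found | Where-Object { $_.HasPrivateKey }) {
        Write-Warning ('A trusted eDellRoot certificate with its private key is on this ' +
                       'machine; anyone holding that key can sign certificates this ' +
                       'machine will trust.')
    }
}
```

Finding the certificate in a Root store is enough to know the machine is exposed. Deleting the store entry by hand is not the whole fix, because the key material and any software that re-adds the certificate also need to go, which is why Dell refers customers to its own removal instructions below.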
We reached out to Dell Australia for comment but did not receive a response at the time of publication. Over in the US, Dell did give Engadget the following statement:
“Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information.”
More to follow.
Update – 24/11/15 10.30am: Dell Australia has provided a statement to Lifehacker Australia:
“The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support. We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.