Dell acknowledges security hole in new laptops

25 Nov 2015

And then there were two: Another dangerous Dell root certificate discovered.

Dell has apologized and is preparing a fix after shipping laptops that carry a certificate flaw attackers could use to intercept web traffic. The company said a security hole exists in some of its recently shipped laptops that could make it easy for attackers to read users’ private data.

As part of the promotion of its flagship XPS 15, Dell touts the laptop’s security. “Worried about Superfish?” the product page asks, invoking a now-infamous Lenovo lapse from earlier this year. “Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience … reduced privacy and security concerns.” That messaging remains, even after Dell has suffered a security lapse of its own, one remarkably similar to Superfish.

On Monday, Dell announced a fix for the “eDellRoot” certificate it installed on laptops and PCs, which the company said “unintentionally introduced a security vulnerability risk” to its customers.

The plot thickens: after Dell confirmed that one of its support tools installed a dangerous self-signed root certificate, together with its private key, on customers’ computers, users discovered a similar certificate deployed by a different Dell tool. This from a company that specifically marketed its computers as being free of such flaws.

“Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it,” a company representative said in a statement posted on Monday night, only a few days after the issue was discovered. According to the statement, the certificate “was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.”

Dell added that “this certificate is not being used to collect personal customer information.” Data collection is not the problem, though. Root certificates normally belong to trusted third parties, which keep the private key secret and use it to vouch for the identity of the sites a user wants to connect to safely, such as a bank’s website. A root whose private key sits on every affected machine can vouch for anything an attacker likes. The flaw, which drew wide attention as the news spread on Reddit, leaves users’ communications, passwords, usernames and other sensitive information open to “man-in-the-middle” attackers. Dell said it would provide customers with instructions to permanently remove the certificate by email and on its support website, a process that will likely be highly technical.

This means that an attacker who copies the eDellRoot private key can sign a certificate for any website, and an affected machine will accept that forged certificate as genuine, because it chains to a root the machine already trusts. Dell tells WIRED that the automatic patch could take about a week to reach all affected models; the manual removal takes a little know-how and a lot of clicking, so the patch is likely your best bet. Security experts told the BBC that the software had two flaws: “It would allow traffic to be intercepted, potentially exposing sensitive information; secondly, the key could be used to make a user’s computer misidentify unsafe connections as safe.” One scenario computer security expert Graham Cluley outlined on his website involves hackers “[hanging] out in hotel lobbies, coffee shops and airport lounges, and [exploiting] the flaw through a silent man-in-the-middle attack, decrypting Wi-Fi communications without the knowledge of the victim.” Dell addressed the issue by publishing instructions for removing the certificate and said it will no longer be shipped on new systems.

The second certificate, DSDTestProvider, arrives with Dell System Detect (DSD), a support tool with a history of its own: in April, a security researcher disclosed a vulnerability that could have allowed a remote attacker to install malware on a computer with the DSD application running. Tests performed inside a Windows 10 virtual machine revealed that the DSDTestProvider certificate is left behind on the system when Dell System Detect is uninstalled, so removing the tool is not enough; the certificate has to be removed from the trust store as well.
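The mechanism described above, as an added example that is not part of the original article and is not Dell’s code: a self-signed root stands in for eDellRoot, its private key is used to forge a server certificate for a hostname the attacker does not control, and Go’s standard-library chain validation is run twice, once against a trust store that contains the rogue root (an affected laptop) and once against one that does not (the same machine after removal). The names “eDellRoot” and “bank.example”, the validity window and the P-256 key type are illustrative assumptions, not properties of the real certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RogueRoot stands in for a vendor root such as eDellRoot: a self-signed CA
// certificate whose private key is available to anyone who copies it off the
// machine. The name and the P-256 key type are illustrative assumptions.
type RogueRoot struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewRogueRoot generates the CA key pair and self-signs a CA certificate.
func NewRogueRoot(name string) (*RogueRoot, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &RogueRoot{Cert: cert, Key: key}, nil
}

// ForgeLeaf issues a server certificate for any hostname the attacker chooses,
// signed with the leaked root key. The attacker never needs the real site's key.
func (r *RogueRoot) ForgeLeaf(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.Cert, &leafKey.PublicKey, r.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Accepts reports whether a client that trusts exactly the roots in pool would
// accept leaf for host. An empty pool models a machine where the rogue root has
// been removed; a nil pool would make Go fall back to the system roots instead.
func Accepts(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Demo runs the whole scenario for one hostname and returns whether the forged
// certificate is accepted with the rogue root trusted, and after it is removed.
func Demo(host string) (bool, bool, error) {
	root, err := NewRogueRoot("eDellRoot") // placeholder name
	if err != nil {
		return false, false, err
	}
	leaf, err := root.ForgeLeaf(host)
	if err != nil {
		return false, false, err
	}
	victim := x509.NewCertPool() // trust store on an affected laptop
	victim.AddCert(root.Cert)
	cleaned := x509.NewCertPool() // same machine after the certificate is removed
	return Accepts(leaf, victim, host), Accepts(leaf, cleaned, host), nil
}

func main() {
	withRoot, withoutRoot, err := Demo("bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged certificate for bank.example accepted: with rogue root=%v, after removal=%v\n",
		withRoot, withoutRoot)
}
```

The first result is true and the second false, which is the whole story: the forged certificate is cryptographically valid, and the only thing that makes it worthless is the absence of the rogue root from the trust store. Note that uninstalling the tool that added the root does not touch that store, which is why the certificate itself has to be removed.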

It turns out that any commercial or consumer Dell PC that received a software update rolled out beginning August 15 has been saddled with eDellRoot, a pre-installed root certificate whose private key is stored on the machine. A certificate flaw is the core problem in both the Dell and the Lenovo cases, but in Lenovo’s case the offending party was Superfish, pre-installed adware that turned out to be toxic bloat. And over the last two months, Google has publicly shamed Symantec, the world’s largest cybersecurity company, over a bevy of misissued certificates. There is some demonstrable good in that. “I’m glad vendors talk about the degree of their security,” says Moorhead, “because it puts everyone at the company on notice that they need to be vigilant about it.” The flip side, though, is that these companies may be advertising something that’s increasingly difficult to deliver.
