Dell installs self-signed root certificate on laptops, endangers users’ privacy

24 Nov 2015 | Author: | No comments yet »

Dell Plans Fix for Security Flaw That Could Let Hackers Snoop on Traffic.

Major U.S. computer company Dell Inc [DI.UL] said on Monday a security hole exists in some of its recently shipped laptops that could make it easy for hackers to access users’ private data.The flaw, discovered by a private security researcher and announced Sunday, highlights the difficulty of implementing encryption schemes to protect computer users.New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud. A pre-installed program on some newly purchased Dell laptops that can only be removed manually by consumers makes them vulnerable to cyber intrusions that may allow hackers to read encrypted messages and redirect browser traffic to spoofs of real websites such as Google or those belonging to a bank, among other attacks. “The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience,” Dell said in a statement to Reuters. “Unfortunately, the certificate introduced an unintended security vulnerability.” Dell declined to say how many computers or which specific models are affected.

The certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website. Dell said it would provide customers with instructions to permanently remove the certificate by email and on its support website, a process that will likely be highly technical. He said certificate authorities are not necessarily problematic, “but they become a problem when a manufacturer like Dell misconfigures them to trust anything on the web with a universal key that works across Dell computers, and root access.” Mr. And if you can’t wait for the official advice, you can try deleting the .DLL from the filesystem, and the cert from the Windows certificate manager – or use Mozilla’s Firefox because that web browser has its own set of trusted certificates, and ignores the rogue eDellRoot. ®

White said owners of the flawed computers can protect themselves when surfing the Web by using Mozilla Corp.’s Firefox browser, which uses its own software to vet the security of websites. Joe Nord, a computer programmer and blogger, detailed how eDellRoot works and how easy it is to gain access to the security key in a blog post earlier Sunday.

More from WSJ.D: And make sure to visit WSJ.D for all of our news, personal tech coverage, analysis and more, and add our XML feed to your favorite reader.

Here you can write a commentary on the recording "Dell installs self-signed root certificate on laptops, endangers users’ privacy".

* Required fields
All the reviews are moderated.
Our partners
Follow us
Contact us
Our contacts

ICQ: 423360519

About this site