Dell Compromises Customers’ Security with Pre-Installed Vulnerability

AP Photo/Elise Amendola
AP Photo/Elise Amendola

Dell has compromised their customers’ security by installing a vulnerability in their own computers.

The alarm was sounded first — as usual — on Reddit. Soon Twitter and various blogs by users and security experts chimed in to support the findings. Apparently, Dell has been shipping computers loaded with a self-signed root digital certificate.

In layman’s terms, Dell taped an extra car key to the front fender and left it there without telling anyone who bought it. In fact, this security certificate isn’t even unique for each computer. That means that any nominally motivated attacker can gain access to a digital “signature” that would allow them to perfectly impersonate, say, Google. They can then open an encrypted channel directly to your data with not so much as a twinge from any installed security measures.

“eDellRoot” has been spotted on models from the Inspiron, Precision, and Latitude lines of Dell PCs. It’s not totally clear how widespread the implementation has been, but the evidence is already overwhelming. Duo, an online security service, published a report on their findings related to the scandal.

In response, Dell has issued a statement in which they assert, “Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”

Earlier this year, Lenovo ran into the same trouble over pre-installed Superfish adware that opened similar vulnerabilties. While they claimed not to have found “any evidence to substantiate security concerns,” they very quickly stomped the brakes on its usage.

Dell says they will be providing consumers with instructions for how to remove this vulnerability, but tinkering with digital licenses is beyond the savvy of the average consumer. With a universal key to private data lying out there for any would-be invaders, the response could be too little, too late.

(A previous version of this story’s headline contained the term rootkit. It has been corrected.)

Nate Church is @Get2Church on Twitter, and he can’t become a wildly overhyped internet celebrity without your help. Follow, retweet, and favorite everything he says. It’s the Right Thing To Do™!


Please let us know if you're having issues with commenting.