Tuesday, 24 November 2015

Some Dell Laptops Shipping With Big Security Flaw Pre-Installed

(Renata Prazeres)

There are millions of Dell laptops out there in the world; businesses by them by the tens of thousands and plenty of home consumers use them too. And unfortunately, that means there are millions of laptops out there with a big fat security hole that could allow mischief-makers and would-be-thieves a way to access users’ private, theoretically secure data.

At least three different lines of laptop models — the Inspiron 5000, XPS 15, and XPS 13 — are affected by this particular security flaw, The Verge reports.

It is not unlike the “Superfish” security hole identified in Lenovo laptops earlier this year. In Lenovo’s case, the weakness was deliberately introduced (before it was corrected) in order to allow for highly targeted advertising to appear on your system. Dell’s error is inadvertent, but no less troubling.

In Dell’s case, their laptops ship with an SSL certificate called eDellRoot on them. Dell computers are set by default to trust any SSL certificate eDellRoot signs off on. That key is signed locally, which means anyone with the know-how who wants to make trouble could create a fake version and then use it to carry out SSL attacks.

Now in English: as we explained when Lenovo had their trouble, this kind of flaw interferes at the level where your computer and a secure website are showing each other their metaphorical ID. Instead of a secure site and your PC comparing notes with each other directly, a hole like this allows a third party to interfere.

That means instead of something like an online banking site saying directly to your computer, “I am me, here is my ID, please trust me now,” and your computer having something useful to compare that against, the SSL flaw functionally allows something else to pop in and say to your computer, “Oh, the bank? Yeah, that’s, uh, real. Totally real. Yup. Reality-real. Don’t worry about it. Here, trust me!” during the connection… even if the site you are visiting is fake.

The good news is, only about 24 hours elapsed between the security flaw going public yesterday and Dell issuing an apology and announcing a fix today.

As the Verge points out, Dell has somewhat ironically marketed itself on the back of not having security flaws like Superfish. Unlike Lenovo’s advertising malware, the point of Dell’s certificate is to allow remote, online support to be able to report back the system model and specifications, for ease service.

But intent isn’t magic, and a flaw is still a flaw. So Dell is pushing an update today that should scan their computers for the certificate and remove it if present.

Dell apologizes for laptop security scare, will remove vulnerability today [The Verge]


by Kate Cox via Consumerist

No comments:

Post a Comment