What the Dell? Laptops shipped with the exact security flaw that was advertised as absent

Dell has apologised and is preparing a fix after its laptops shipped with a security certificate flaw that attackers could use to intercept web traffic. The company had specifically marketed its computers as being free of such flaws.

“Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it,” a company representative said in a statement posted on Monday night, only a few days after the issue was discovered.


The security hole takes the form of a digital certificate that came pre-installed on some Dell laptops. Normally such cryptographic credentials are signed by trusted third parties and bolster security by verifying the identity of the parties a user wants to connect to safely, such as a bank’s website. In the case of at least two Dell laptop models, however, the pre-installed certificate was self-signed and issued by an entity called eDellRoot.

This means that an attacker could easily take the key and use it to sign a certificate for a fraudulent website, which the affected laptop would then accept as genuine even though a certificate from a third-party signer would have exposed the site as fake. For example, an attacker could create a lookalike of the aforementioned bank’s website and steal the information that users entered.

To add insult to injury, Dell had used February’s similar “Superfish” certificate vulnerability in Lenovo computers as a specific example of what its customers need not fear, thanks to the company’s commitment to privacy and security.


While Superfish was installed to access user data for advertising purposes, Dell said that its certificate was only meant to help with technical support.

“[I]t was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers,” Dell’s statement said. “This certificate is not being used to collect personal customer information.”

Dell goes on to note that it has posted instructions to remove the certificate from its systems, and pushed out a software update on Tuesday that will check for and remove the flawed certificate. Additionally, systems will no longer ship with the certificate, the company said.
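As an added check (not part of the article and not Dell’s own removal instructions or update), the PowerShell script below lists the trusted root certificate stores on a Windows machine and reports any root that looks like the certificate described above. It assumes the certificate’s subject name contains “eDellRoot”, as the article states, and separately flags any self-signed root whose private key is present on the machine, since that is the condition that lets an attacker forge certificates the laptop will trust.

```powershell
# Added example: scan Windows trusted root stores for a root certificate whose
# subject matches a pattern (assumed here to be "eDellRoot", per the article)
# or, more generally, any self-signed root whose private key is present on
# this endpoint. Thumbprints are taken from the store, not assumed.
function Find-SuspiciousRootCertificates {
    param(
        [string]$SubjectPattern = 'eDellRoot'   # assumption: subject contains this
    )

    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

    $findings = foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert       = $_
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $nameMatch  = ($cert.Subject -match $SubjectPattern)

            # A name match identifies the specific certificate; a self-signed
            # root with its private key on the machine is the general pattern
            # that enables certificate forgery, whatever it is called.
            if ($nameMatch -or ($selfSigned -and $cert.HasPrivateKey)) {
                if ($nameMatch) { $reason = 'subject matches pattern' }
                else            { $reason = 'self-signed root with private key present' }

                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    SelfSigned    = $selfSigned
                    HasPrivateKey = $cert.HasPrivateKey
                    NotAfter      = $cert.NotAfter
                    Reason        = $reason
                }
            }
        }
    }
    return $findings
}

# Usage: an empty table means nothing matched in either root store.
Find-SuspiciousRootCertificates | Format-Table -AutoSize
```

Any hit should be compared against the removal instructions Dell published rather than deleted blindly, since a legitimately installed enterprise root can also appear self-signed.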

The flaw was first discovered by customers Hanno Böck, Kevin Hicks and Joe Nord. Dell thanked them for bringing the issue to the company’s attention.