UPDATED 11:54 EST / NOVEMBER 24 2015


Superfish 2.0: Bogus certificate found lurking in Dell machines

Dell Inc. customers should think twice about using the preinstalled software on their computers from now on. The diagnostics toolkit that the consumer electronics giant ships with its most popular Windows machines to help troubleshoot problems has been found to use an unsafe root certificate that poses a major security threat on the same scale as the Superfish exploit that was found in hardware sold by rival Lenovo Group Ltd earlier this year.

Both vulnerabilities stem from the fact that the private key belonging to the root certificate used to verify websites ships alongside that certificate in an unprotected format, from which it can be easily extracted with the right software. All of the affected machines carry the exact same key pair, which can enable attackers to intercept traffic even without direct access to the targeted machine. All they’d have to do is compromise the unprotected network of, say, a popular coffee shop, redirect packets destined for a major website to a mirror under their control and wait.

Any unsuspecting Dell users who happen to drop by and quickly check their bank account or do a little online shopping while sipping their coffee will thus unknowingly end up sharing personal details with the attackers, potentially opening the door to identity theft. The vulnerability affects all XPS, Inspiron, Vostro, and Precision laptops that have shipped since August, as well as OptiPlex and Precision Tower desktops. The company warns that customers who bought their machines earlier but downloaded updates for the Dell Foundation Services package in the last three months are exposed as well, which puts the tally of affected users in the high seven figures if not more.

Fortunately, an investigation carried out by authentication provider Duo Security Inc. in the wake of the revelation suggests that attackers haven’t set up any phishing sites to take advantage of the exploit yet. Dell is not taking any chances, however, and is currently rolling out an update that promises to automatically delete the unsafe certificate on vulnerable machines. Users can also carry out the removal on their own by following the step-by-step guide that the electronics giant released in conjunction.
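The condition the article describes, a trusted root certificate whose private key is present on the end-user machine, can be checked for directly from the Windows certificate store. The PowerShell below is an added example, not code from the article or from Dell’s removal guide; the function name, its parameter and the placeholder thumbprint are assumptions of this example. It lists every certificate in the machine-wide Trusted Root store that has a private key linked to it, which is something a legitimate root CA never should have on a consumer device.

```powershell
# Added example (not from the article or from Dell): flag any certificate in the
# Trusted Root store whose private key is present on this machine.
function Find-RootCertsWithPrivateKey {
    [CmdletBinding()]
    param(
        # Roots that affect every user on the machine live under LocalMachine.
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation = 'LocalMachine'
    )

    Get-ChildItem -Path "Cert:\$StoreLocation\Root" |
        Where-Object { $_.HasPrivateKey } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter,
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
}

$suspects = Find-RootCertsWithPrivateKey
if ($suspects) {
    Write-Warning "Trusted root certificate(s) with a local private key were found:"
    $suspects | Format-Table -AutoSize
} else {
    Write-Host "No trusted root certificate carries a private key on this machine."
}

# Removal, once a thumbprint has been confirmed against the vendor's guidance
# (requires an elevated prompt; <THUMBPRINT> is a placeholder, not a real value):
# Remove-Item -Path "Cert:\LocalMachine\Root\<THUMBPRINT>"
```

Run the listing as a normal user first; removal needs administrator rights. A self-signed entry with `HasPrivateKey` set to true in the Root store is the pattern to treat as a finding, since anyone holding that key can issue certificates that the machine will trust for any site.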

