UPDATED 11:54 EDT / NOVEMBER 24 2015

NEWS

Superfish 2.0: Bogus certificate found lurking in Dell machines

Dell Inc. customers should think twice about using the preinstalled software on their computers from now on. The diagnostics toolkit that the consumer electronics giant ships with its most popular Windows machines to help troubleshoot problems has been found to use an unsafe root certificate that poses a major security threat on the same scale as the Superfish exploit that was found in hardware sold by rival Lenovo Group Ltd earlier this year.

Both vulnerabilities stem from the fact that the encryption key used to verify websites is attached directly to the certificate in an unprotected format that can be easily extracted with the right software. All of the affected machines use the exact same cryptographic sequence, which can enable hackers to intercept traffic even without direct access to the targeted machine. All they’d have to do is compromise the unprotected network of, say, a popular coffee shop, redirect packets destined for a major website to a mirror under their control and wait.

Any unsuspecting Dell users who happen to drop by and quickly check their bank account or do a little online shopping while sipping their coffee will thus unknowingly end up sharing personal details with the attackers, potentially opening the door to identity theft. The vulnerability affects all XPS, Inspiron, Vostro, and Precision laptops that have shipped since August as well as OptiPlex and Precision Tower desks. The company warns that customers who have bought their machines earlier but downloaded updates for the Dell Foundation Services packages in the last three months are exposed as well, which puts the tally of affected users in the high seven figures if not more.

Fortunately, an investigation carried out by authentication provider Duo Security Inc. in the wake of the revelation suggests that hackers haven’t set up any phishing sites to take advantage of the exploit yet. Dell  is not taking any chances, however, and is currently rolling out an update that promises to automatically delete the unsafe certification on vulnerable machines.  Users can also carry out the removal on their own by following the step-by-step guide (download link) that the electronics giant released in conjunction.

Image via JavadR

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU