UPDATED 11:54 EDT / NOVEMBER 24 2015


Superfish 2.0: Bogus certificate found lurking in Dell machines

Dell Inc. customers should think twice about using the preinstalled software on their computers from now on. The diagnostics toolkit that the consumer electronics giant ships with its most popular Windows machines to help troubleshoot problems has been found to install an unsafe root certificate, a security flaw on the same scale as the Superfish exploit found in hardware sold by rival Lenovo Group Ltd earlier this year.

Both vulnerabilities stem from the fact that the private key belonging to the trusted root certificate is stored alongside it on the machine in an unprotected format that can be easily extracted with the right software. Every affected machine carries the exact same certificate and key, which lets attackers intercept traffic without ever touching the targeted machine: all they would have to do is compromise the unprotected network of, say, a popular coffee shop, redirect packets destined for a major website to a mirror under their control and wait.

Any unsuspecting Dell users who happen to drop by and quickly check their bank account or do a little online shopping while sipping their coffee will thus unknowingly end up sharing personal details with the attackers, potentially opening the door to identity theft. The vulnerability affects all XPS, Inspiron, Vostro and Precision laptops that have shipped since August, as well as OptiPlex and Precision Tower desktops. The company warns that customers who bought their machines earlier but downloaded updates for the Dell Foundation Services package in the last three months are exposed as well, which puts the tally of affected users in the high seven figures if not more.

Fortunately, an investigation carried out by authentication provider Duo Security Inc. in the wake of the revelation suggests that hackers haven’t set up any phishing sites to take advantage of the exploit yet. Dell is not taking any chances, however, and is currently rolling out an update that promises to automatically delete the unsafe certificate on vulnerable machines. Users can also carry out the removal on their own by following the step-by-step guide (download link) that the electronics giant released in conjunction.
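The defining symptom described above is a trust anchor whose private key sits on the endpoint itself. The following PowerShell audit, added here as an illustration and not taken from the article or from Dell’s guide, lists self-signed certificates in the Windows Trusted Root stores that have a private key attached, which is the condition an attacker with one copy of the key could abuse against every such machine. Run it from an elevated prompt so the LocalMachine store is fully readable; the certificate name is deliberately not hard-coded, since the article does not give it.

```powershell
# Added audit script (not from the article or from Dell).
# A root CA certificate normally ships with only its public half; finding one
# in a Trusted Root store with HasPrivateKey = $true means the key that can
# sign certificates this machine trusts is present on the machine itself.

function Find-RootCertsWithPrivateKey {
    [CmdletBinding()]
    param(
        # Both the machine-wide and the current user's root stores are checked.
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                # Self-signed (subject equals issuer) and a private key is attached.
                $_.Subject -eq $_.Issuer -and $_.HasPrivateKey
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

$suspect = Find-RootCertsWithPrivateKey
if (-not $suspect) {
    Write-Host 'No trusted root certificates with an attached private key were found.'
} else {
    Write-Warning 'Trusted root certificate(s) with a private key present on this machine:'
    $suspect | Format-Table -AutoSize

    # Dry run of the removal; drop -WhatIf only after confirming the entry is
    # the one the vendor's guide tells you to delete, then reboot and re-run.
    foreach ($c in $suspect) {
        Remove-Item -Path (Join-Path $c.Store $c.Thumbprint) -WhatIf
    }
}
```

A clean result does not prove the machine is safe (the bundled software can reinstall a removed certificate), so re-run the audit after the vendor update has been applied.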

Image via JavadR
