Dell laptop owners beware: reports of a security flaw in some self-signed digital certificates mean your laptop may be wide open for a hacker.
According to a discovery of some odd digital certificates by a reddit user (who then posted the discovery), Dell laptops–believed for now to be limited to some Inspiron and XPS series machines–could contain a security flaw that would allow hackers to manipulate a website, make it read as though it belongs to Dell, and then use the customer service features to “take over” your computer and install malicious software. These digital certificates, the ones that let your computer know that “http://amazon.com” really is Amazon, for example, and can therefore be trusted, can be altered to make your computer recognize any website as belonging to someone else. Basically, a hacker can pretend to be Dell and get to work on your machine.
You might be having a flashback to Lenovo’s Superfish scandal, but this one appears to be a simple error designed to make customer service and tech support more streamlined for users. The key difference is Lenovo actually profited off of pre-installing the consumer tracking software when they gave the info to advertisers; in this case, Dell not only doesn’t benefit by accidentally redirecting you to a malicious website or hacker, it could actually create security and PR problems for the company.
Dell has stated that they’re working on a solution and will be sending the info directly to their customers; they’re also posting instructions on their website, and other news outlets have also setup step-by-step instructions for removing the faulty certificates.
According to Paul Wagenseil, SecurityNewsDaily Managing Editor for LaptopMag.com, “IT personnel are trained to uninstall digital certificates, but it’s not so difficult to do it yourself. If you have administrative rights on a Windows PC, go to the Start menu, type in ‘certmgr.msc,’ click ‘Trusted Root Certification Authorities,’ then click ‘Certificates.’ If you have a certificate named ‘eDellRoot’ or ‘DSDTestProvider,’ right-click it, delete it, and restart the computer.”
The problem is that this error happened because Dell was trying to build a smooth support process for customers who may not be very tech savvy. If you actually need this level of customer service, you probably don’t have the skills required to remove the certificates. One expert has already weighed in and said this can be fully addressed through a basic software update, if the company releases one.