Dell Malware Flaw Exposes Eavesdropping Risk

Some people go to great lengths to secure their digital identities, spending hundreds of dollars on anti-spyware software and avoiding any site that might look the least bit suspicious. However, even the most careful users of Dell computers are learning that all their caution against hackers has been for naught.

Krebs On Security reported that customers who bought a new Dell laptop or desktop since August 2015 were unwittingly purchasing a machine with an SSL certificate (eDellRoot) that could potentially allow hackers to easily monitor users’ Web traffic and personal details. The security flaw was a result of Dell’s decision to include a specific application – Dell Foundation Services – on all new products shipped to consumers.

“The certificate is not malware or adware,” Laura Thomas, a spokeswoman for Dell, said in a statement. “Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.”

While the security flaw could potentially allow illicit eyes to track website history and credit card information, Ars Technica explained that the more egregious issue is that hackers could use the certificate to fool a computer’s functioning anti-malware software into misidentifying spoofed or phishing sites as legitimate pages. Customers could be surfing the Web, hopping from page to page without realizing that they’ve inadvertently entered their personal information into a site that only looks like their bank or their favorite retailer.

Dell explained that they would be disseminating a tool to help users remove the flaw from their computers, though Krebs On Security noted that most browsers should also be rolling out their own patches just in case.