The Independent's journalism is supported by our readers. When you purchase through links on our site, we may earn commission.
New Dell laptops affected by Superfish-style security issue that could leave users vulnerable to hackers
Dell has said the problem software will be removed in an upcoming update
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.Some new laptops released by Dell have been affected a major security weakness, due to a piece of problem software that could leave users vulnerable to malicious hacking.
The problem lies with a root certificate called eDellRoot, which could potentially be exploited by hackers to steal users' data.
The bad certficate has so far been found on the Inspiron 5000 and XPS 15 laptops, but it could affect a larger number of Dell products.
The root certificate is a small file which is used to encrypt connections, making them secure.
When you see that padlock sign in your browser bar when using online banking or some social media sites, the certificate has kicked in - your browser has spoken to the web server, has verified that the service is legitimate, and has established a secure connection through which your data is encrypted, making it very difficult for malicious hackers to access it.
The problem exists because the key, which the certificate uses to encrypt the information, is stored locally on the computer. This makes it possible for a hacker who has one of the affected computers to reverse engineer the key and reveal its encryption methods.
This would allow them to interrupt the connection between browser and server and pose as a legitimate, secure website - potentially letting them access things like passwords and credit card information.
A security expert named Kenn White was able to illustrate this problem by creating a website that establishes a connection to a website that appears to be a secure link to the Bank of America page, but is in fact a bogus site of his own creation (featuring a criminal Doge in a ski mask).
White managed to show how users affected by this security flaw can be tricked into accessing seemingly-secure sites that are actually capable of stealing information by interrupting the connection.
Browsers like Firefox and Chrome use their own certificates, and will warn users when they connect with the bad certificate and not allow them to access it - but people using less secure browsers wouldn't have the same protection.
The issue is reminscent of the Lenovo 'Superfish' problem - in which a program that was meant to help deliver advertising to webpages but could actually be used to intercept data.
Lenovo was heavily criticised for making users vulnerable at the time, and Dell has received the same treatment from the security community.
Dell quickly released a statement on the issue through their website.
Speaking about the bad certificate, they said: "The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system."
They have also released instructions for a fairly technical process that allows affected users to remove eDellRoot from their computers themselves.
Dell also added that a software update will be pushed out to users on Tuesday 24 November, which will check for the certificate and remove it if it's present.
The certificate will also be removed from all Dell products and systems in the future.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments