Dell hit by second security breach in one day; criticised for lax security

Flaw allows hackers to launch man-in-the-middle attacks
Dell founder and CEO Michael Dell delivers his keynote address at Oracle Open World in San Francisco, California September 22, 2010. REUTERS/ File

Researchers supported by the U.S. government claim that a new problem at Dell, similar to an earlier security breach the company admitted to, could leave users' personal information vulnerable.

Earlier this week, Dell said it had released a fix for the new vulnerability after doing the same for the first problem. One expert told the BBC these repeated problems are raising concerns about the company's approach towards security.

Dell admitted it had unintentionally opened a security hole in its computers that seems to have occurred when it loaded pre-installed software. The problem began when Dell implemented a self-signed root Certificate Authority (CA) as part of a support tool that was "intended to make it faster and easier for our customers to service their system to identify trustworthy websites".

Security researchers claim the CA Dell installed, which is called "eDellRoot", permitted hackers to intercept a Dell user's internet traffic, while the private key installed with it could be used to trick the computer into thinking that unsafe websites are safe.

Dell said users who downloaded its Dell System Detect product between October 20 and November 24 were affected by the second problem. Unlike the first issue, the CA in the second one wasn't pre-installed on computers, said the company. Upon detecting the issue, Dell said, it removed the product from its site and made a replacement application available.

In their subsequent report, researchers wrote that an attacker can generate certificates signed by the DSDTestProvider CA. They said systems that trust the DSDTestProvider CA will trust any certificate issued by the CA.

"An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data. Common attack scenarios include impersonating a web site, performing a [man-in-the-middle] attack to decrypt HTTPS traffic, and installing malicious software", according to Dell. 

An attack like this allows a hacker to intercept internet traffic between the user's browser and the site a user is accessing.

"To paraphrase Oscar Wilde, to have one self-signing certificate installed could be a mistake; to have two looks like carelessness. The fact that there appears to be a second self-signing certificate does make you wonder what else might be lurking on the machine", said Prof. Alan Woodward, a security expert of Surrey University.

A Dell spokesperson said that when the company became aware of eDellRoot earlier this week, it immediately examined all its applications loaded on Dell PCs. He said Dell can confirm it's found no other root certificates on the factory-installed PC image.

Dell did, however, discover the Dell System Detect application and its DSDTestProvider root certificate had similar characteristics to eDellRoot. It said it immediately removed the app from the Dell support site and made available a replacement application without the certificate.
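
A way to check a Windows machine for the condition the article describes, as an added example that is not part of the original article or Dell's own tooling: it lists trusted root certificates whose subject contains either name given above, plus any trusted root whose private key is also stored on the machine. Matching on the subject name is an assumption, since the article gives no thumbprints.

```powershell
# Added example: audit the Windows trusted-root stores for the two CAs named in the article.
# The names come from the article; matching on Subject is an assumption (no thumbprints are given).
$names  = 'eDellRoot', 'DSDTestProvider'
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        # True when the certificate subject contains one of the names from the article
        $named = [bool]($names | Where-Object { $cert.Subject -like "*$_*" })

        # A trusted root whose private key sits on the same machine is the
        # characteristic the article reports for eDellRoot, so flag those as well.
        if ($named -or $cert.HasPrivateKey) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
                Reason        = if ($named) { 'Named in article' } else { 'Trusted root with local private key' }
            }
        }
    }
}

if ($findings) {
    # Review each entry before acting; removal should follow the vendor's fix.
    $findings | Format-List
} else {
    Write-Output 'No matching root certificates found in the trusted-root stores.'
}
```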
