Gadgets for humans

Dell PCs have not 1, but 2 dangerous security flaws that could let hackers spy on you

Barely a day after Dell announced it was fixing a major security flaw on its recently shipped PCs, a second one has been discovered in the form of a self-signed root certificate.

Nearly identical to the previous issue, the DSDTestProvider certificate comes preinstalled along with its own private key on some Dell Inspiron and XPS models.

The DSDTestProvider certificate is installed through the Dell System Detect toll into the Trusted Root Certificate Store on newer systems. Since it includes its own private key, it can be used by attackers to generate false certificates for malicious websites and trick affected Dell systems into trusting their HTTPS connection.

This could be exploited by hackers to intercept users’ Web traffic to capture their credit card details and passwords or install malware on their computers.

In addition to being injected into users’ systems without their knowledge, a major problem with such manufacturer-installed certificates is that they might be tied to the computer’s BIOS and therefore pose a bit of a challenge to remove completely.

While Dell has acknowledged the existence of the eDellRoot certificate that was discovered earlier and issued a fix, it has yet to do so for the DSDTestProvider certificate. It’s unclear as to why the company didn’t release instructions and a software update to remove both potentially dangerous certificates the first chance it got.

Update: Dell has released a downloadable tool that removes both root certificates that you can grab here.

A second dangerous Dell root certificate discovered [Computerworld]

For more gear, gadget, and hardware news and reviews, follow Plugged on Twitter and Flipboard.

Published November 25, 2015 — 09:11 UTC

Celebrate Pride 2020 with us this month!

Why is queer representation so important? What's it like being trans in tech? How do I participate virtually? You can find all our Pride 2020 coverage here.