When you sell as many computers as Dell does, all it takes is one small screw-up to create a security catastrophe. In this case, computers sold as far back as August of this year may have shipped with a compromised security certificate that could lead to a complete breach through a trivial exploitation of that certificate. So far, Dell has refused to disclose exactly which products are affected, but reports are confirming their Inspiron, XPS, Precision and Latitude lines are shipping with this problem. They are admitting that the problem exists, have published instructions on how to manually remove the compromised certificate, and will be releasing a software update to remove the certificate altogether. If you’ve purchased a Dell since Spring of this year, you should probably read on.
What this means for (some of) you:
In case the above didn’t contain enough technical jargon to convince you of how serious this is, let me unload on you: Dell shipped a slew of computers with a self-signed security certificate installed as a root trusted authority, and left the private encrpytion key on the devices. Even if you only understood part of that sentence, I’m betting you can intuit what publishing a private key does to the certificate. Yes, that’s right, it’s like sending everyone keys to your front door with your address printed on the key. Why this is a big deal is also fairly simple to explain. Because this key is essentially available for anyone to use, any reasonably proficient hacker could set up a fake hotspot at your local coffee shop, wait for a Dell computer to walk in, and then pretend to be Dell while unencrypting all of your network traffic. If that sounds bad, then you are picking up what I’m putting down. What do you do if you have an affected computer? Here are the instructions on manually removing the bad certificate, or wait for Dell to release a fix, which is schedule to arrive as of the time of this writing.
Full Disclosure: C2 Technology Partners, Inc. is a Dell Partner, meaning we sell Dell equipment and services, though after this particular goof, perhaps not as much as we had in the past.
Want to know more about security certificates? Here’s a reasonably straight-forward explanation of what they are and how they work.