Dell 'Has A Team Investigating' Superfish-Like Bloatware Concerns

Dell is taking some criticism from PC buyers who have found bloatware on their machines that they say is a significant security risk, but partners say it should be of little concern to their customers.

New Dell PCs, as well as enterprise servers, are shipping with a Dell-created root-level certificate called eDellRoot, which, according to industry experts, is similar to how Lenovo PCs were shipped with Superfish bloatware earlier this year, causing a security firestorm.

Dell machines are all shipped with identical root certificates and private keys, similar to how Superfish was deployed, raising concerns that users' private information could be compromised.

[Related: Dell Teams Up With Cylance For Next-Generation Endpoint Security]

Reddit users argued Monday that Dell "is shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers. This is a major security vulnerability that endangers all recent Dell customers."

The bloatware provides opportunities for so-called man-in-the-middle attacks in which attackers using the root certificate and private key pose as nearly any website and gather information like bank account details, account credentials and Web mail messages from users' machines, Joseph Pizzo, a field engineer with cybersecurity intelligence firm Norse, told CRN.

"It works very much the same way Superfish did," Pizzo said.

Dell channel partners say the bloatware is nothing for business users to get too excited about. Every new piece of equipment, regardless of vendor, comes with bloatware installed, said David Wrenn, vice president at Branford, Conn.-based Dell partner Advanced Office Systems.

Many solution providers work with customers to customize their products, and often the first order of business is removing unwanted or unnecessary bloatware, Wrenn said.

"It's just junk," Wrenn said. "Whether it's a sample anti-virus product [or] a 30-day trial that we take off because we've got our own antivirus solution, part of our prep is to get rid of all that crap. Then we make sure it's got the latest patches and security software, then we start putting stuff on, like [Microsoft] Office, and other stuff the client needs."

Pizzo agreed. "It wouldn't surprise me if [eDellRoot] was across all Dell builds," he said, "but these things are all being wiped. It's rare to go right from the shelf to the end user in [a] corporate environment. You don't need half the junk they install on there."

Unbeknownst to users, browser add-on Superfish dumped adware onto Lenovo PCs shipped early this year, and at the time, security researchers said it could be used to view encrypted communications, including bank account information, account credentials and Web mail messages. Lenovo eventually stopped installing Superfish on its PCs.

A Dell spokesperson told CRN that the company "has a team investigating the current situation."

In a statement to CRN, Dell said: "Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers."


Sponsored post