New Dell laptops affected by Superfish-style security issue that could leave users vulnerable to hackers

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Some new laptops released by Dell have been affected a major security weakness, due to a piece of problem software that could leave users vulnerable to malicious hacking.

The problem lies with a root certificate called eDellRoot, which could potentially be exploited by hackers to steal users' data.

The bad certficate has so far been found on the Inspiron 5000 and XPS 15 laptops, but it could affect a larger number of Dell products.

The root certificate is a small file which is used to encrypt connections, making them secure.

When you see that padlock sign in your browser bar when using online banking or some social media sites, the certificate has kicked in - your browser has spoken to the web server, has verified that the service is legitimate, and has established a secure connection through which your data is encrypted, making it very difficult for malicious hackers to access it.

The problem exists because the key, which the certificate uses to encrypt the information, is stored locally on the computer. This makes it possible for a hacker who has one of the affected computers to reverse engineer the key and reveal its encryption methods.

This would allow them to interrupt the connection between browser and server and pose as a legitimate, secure website - potentially letting them access things like passwords and credit card information.

A security expert named Kenn White was able to illustrate this problem by creating a website that establishes a connection to a website that appears to be a secure link to the Bank of America page, but is in fact a bogus site of his own creation (featuring a criminal Doge in a ski mask).

White managed to show how users affected by this security flaw can be tricked into accessing seemingly-secure sites that are actually capable of stealing information by interrupting the connection.

Browsers like Firefox and Chrome use their own certificates, and will warn users when they connect with the bad certificate and not allow them to access it - but people using less secure browsers wouldn't have the same protection.

The issue is reminscent of the Lenovo 'Superfish' problem - in which a program that was meant to help deliver advertising to webpages but could actually be used to intercept data.

Lenovo was heavily criticised for making users vulnerable at the time, and Dell has received the same treatment from the security community.

Dell quickly released a statement on the issue through their website.

Speaking about the bad certificate, they said: "The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system."

They have also released instructions for a fairly technical process that allows affected users to remove eDellRoot from their computers themselves.

Dell also added that a software update will be pushed out to users on Tuesday 24 November, which will check for the certificate and remove it if it's present.

The certificate will also be removed from all Dell products and systems in the future.