Dell reportedly shipping some laptops with Superfish-like root certificates

XPS 15

Some owners of laptops from Dell have reportedly discovered they contain pre-installed root certificates that are the same on every system. The certificates have the same kind of security issue as the Superfish software that was found to be pre-installed on some Lenovo laptops earlier this year.

Engadget reports that one of the laptops that had the root certificate was the Dell XPS 15. It points out that if hackers got their hands on the certificate's key, they could, in theory, break into every single one of the laptops that had the certificate installed. Unlike Lenovo's Superfish program, which was created by a third party, Dell's root certificate seems to have been made by the PC maker itself.

Dell has now issued its own statement on this issue:

"Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information."

Source: Engadget

  • Yayyyyy...
  • This is why I always load a fresh os - I only want msft to gobble up all my data!!!
    Come on OEMs.
  • I could be wrong, but I'm not certain that installing a fresh copy of the OS will remove root certificates. Aren't root certificates tied to the motherboard? Anybody?
  • They can be tied to the bios. If you reinstall from the restore partition you could also reinstall the dud cert. I'm talking about dumping the original ssd and going fresh. I'm in the middle of checking all our devices at home - 2 xps15s, an xps13 and two Inspiron 7000s. Nothing so far, all fresh Samsung ssd/pciessds with fresh windows 10 Enterprise.
    That's just my experience.
    Just finished. Everything clean. Great piece on Ars Technica for checking, and a website to test presence of certificate makes the checking painless.
  • Um, you do realise that the problem is in your first line? 'They can be tied to the bios.' The BIOS has nothing to do with your SSD or any other storage device you use, it is the loading program built within the motherboard so the only solution would be to flash the BIOS with a clean version.
  • I was talking generally. In this case it's not in the bios - thankfully - but I was trying to give a complete answer to the other chap.
  • OK, but I think you miss my point as you don't need to 'dump' the SSD (if that is even the hard drive the system has). You could just delete the partitions and format the drive using a bootable Windows install ISO which would clear it completely and then reinstall using the original serial key.
  • I said it with Lenovo and I will say it again. If you think your OEM is not gathering data on you, think again. Now, what type of data is collected is the question...
  • Yeah true this will always happen to a certain degree. And I can say build your own but laptops are a little harder haha. But no brand is perfect or best.
  • I'm betting $50 that it's so they can build the best porn network ever from all the files on users C:/temp folder.
  • @NokiaWP I have to disagree with this statement. As without my stash it won't be the best, and mine's all in D:\temp
  • Never heard of cd burners? 700mb yo!!! Make a stack!!!!!!
  • Yo, never heard of external hard drives? Besides, where you keep your files long term has nothing to do with what and where your OS stores temp files.
  • Yeah - that os isn't getting into my shed :P
  • Lol I kind of want some company to admit to this, even if it's just the first of April. I guarantee that they would get all kinds of press for that lol. Posted via the Windows Central App for Android
  • I'd be cool with that. Especially if MS did that, The Verge would lose its mind, lol.
  • Microsoft is preventing OEMs gathering data on Windows Phone. That's why they all promote Android.
  • PLA behind this?
  • Meh, clean install makes things much more transparent hence the clean part. Keep it clean folks
  • True. It's an old habit but I tend to install a fresh os every time I get a device - installing a new ssd if I'm able. I can totally understand that being completely unreasonable and an egregious cost - I can afford it so I do it. One shouldn't have to though.
  • Yea I agree but I also find myself not doing that as often as I should in these forced circumstances, and forced they are. Also 99% of the users won't even know about this or have the skills to undo this, which is my main point: end-users should not have to do this.
  • Agreed.
  • Yeah it would help Microsoft if the OEMs just delivered windows as is you know.
  • I like it dirty
  • Oops
  • Checked and not on my xps 15 luckily. I did a clean install so that probably contributed to that
  • Having Windows 10 updating drivers by a system update, pc makers should stop preinstalling all their bloatware. Hope eventually all of them will take the Alienware path...
  • Not quite familiar with this path, can you elaborate?
  • Last I checked, Alienware was owned by Dell.
  • Maybe he is talking about before it was owned by Dell
  • Nooooo, why you go spoil it all Dell! I always loved Dell through thick and thin, but this I won't stand. I have friends still suffering from the effects of the Lenovo fiasco. What money won't do to the world. :-(
  • It's why I have only Microsoft pcs, or ones I've built myself
  • Microsoft builds PCs ?
  • Yes, they are called Surface.  Maybe you have heard of them?
  • Yea yea okay I was thinking of desktop computers, my bad. But you know what I meant I hope? Since the OP said ms or build them him/her self.
  • Surface 3, Surface Pro, and Surface Book. 
  • Surface and Lumia.
  • Yup. Or buy a fresh copy of windows and install the drivers yourself. A pain but there it is. Take the opportunity to install a new pciessd (on the Dell xps) to boot!
  • Again I agree but regular users might not :(
  • Would a signature PC bought at Microsoft store be safe from this?
  • Most would be like installing a clean version but by Microsoft.
  • This is root level software meaning installed at a level lower than the OS. This can mean in the BIOS or in the firmware, so no it wouldn't necessarily be safe from it.
  • Got my XPS 15, turned it on... Turned it off, installed sm951 ssd, did fresh install....
  • Same here - I've just finished checking my xps15s - all clean. All my dells are. But then I installed everything fresh.
  • Oh dear....
  • Yeah. I buy a lot of Dell products. I also install the os fresh when I can. Still, this sucks. Reaffirms my belief nothing is to be trusted lol
  • Surface or nothing.
  • They need to build a surface desktop just because...
  • I'll buy that.
  • Alright! Bring more in idiot Dell.
  • Surely this, combined with Superfish and Samsung's Windows Update disabling software, should pressure MS to tighten up the rules on what can be bundled with an OEM Windows installation.
  • +1
  • Like nothing except for the eventually optimized driver.
  • Tighten too much, they look for alternate like Android where it's more open lol.
  • This is true but I don't think MS should just sit back and do nothing. We all know where the openness of Android has gotten us.
  • Exactly where Windows is now... Except with ROMs available. Honestly if Microsoft tightens control too much, Ubuntu will suddenly find a new flash of hardware shipping its distro, since they'd be the most open for OEMs.
  • Not quite where Windows is now. At least Windows still gets updates direct from MS without having to go through OEM/carrier approval.
  • Lenovo and Dell are creating a bad image for the Windows brand. Microsoft should limit what OEMs can do
  • The thing with clean installs is that getting the disc or iso isn't as convenient as before... when the disc came in the box... Plus when you get a new machine you just want to have fun and not do counter surveillance...
  • Ya, it's a shame. I just factor in the period of a brand new install disc and a ssd. Not cool.
  • Is it just me or do most of the people commenting here not understand the difference between data mining programs and root certificates? Not once did the article talk about Dell collecting data from users but about their use of a single code across ranges of devices that could potentially gain hackers access to large numbers of devices.
  • I think most people are just making a joke, referring to the Lenovo problem. I think the statement and arstech article are pretty clear this isn't some adware, rather it's over enthusiastic customer support - that Dell foundation service.
  • "We have a team investigating" how we can weasel out of this. Hmm. Now we have two manufacturers to avoid.
  • They've issued a fix. And an apology.