Wed 25 Nov 2015
Laptop manufacturer Dell is having a bad week in terms of PR. Dell laptops have been found to contain a self-signed root certificate which makes them vulnerable to a man-in-the-middle (MiTM) attack, in much the same manner as the Lenovo Superfish fiasco earlier this year. In the wake of that discovery, a security researcher has found that the company’s computers will disclose a great deal of information about themselves to any website that knows how to ask for it.
The machine’s characteristics are revealed through access to its 7-character service tag, which is intended for Dell’s own diagnostic technicians.
Security researcher ‘Slipstream’ has created a dedicated website where Dell users can watch their machines confessing to the page in real time (whilst taking in some absolutely terrible background music). Dell users are reported to have successfully revealed the information in question to the site.
This vulnerability is unrelated to this week’s controversy about the eDellRoot self-signed certificate, which the company has been installing on its machines, once again with the intention of streamlining support-related matters, but which is nonetheless a vector for MiTM attacks.