Dell denies 'insecure autoupdate app' flings open PC backdoor

Gov software implant? Not us - never, says hardware giant


Dell has denied building backdoors into its kit following a security researcher's discovery of an insecure update assistant app.

Tom Forbes alleges that the Dell Service Tag Detector app* is so insecure that it creates a backdoor on machines it is installed upon.

More specifically, Forbes alleges that the app caries a Remote Code Execution (RCE) risk which, if true, would create a means for hackers and cyberspies to smuggle malware onto vulnerable systems.

An attacker could trigger the program to download and execute an arbitrary file without any user interaction, according to Forbes.

"The little 'Dell Service Tag Detector' program that they push people to download on the Dell.com website does a lot more than just detect service tags - it gives Dell access to your entire machine, allowing them to download and install software and collect system information without you knowing," Forbes told El Reg.

The issue was reported to Dell in November, fixed two months later in January. Forbes only went public about it this week.

Forbes' detailed technical write up of the issue can be found here.

In response to queries from El Reg Dell issued a statement denying that it ever installed backdoors on PCs it supplies.

Dell has a long-standing commitment to design, build and ship secure products and quickly address instances when issues are discovered. A key Dell priority is the protection of customer data and information, which is reflected in our robust and comprehensive privacy and information security program and policies. We take very seriously any issues that may impact the integrity of our products or customer security and privacy.

Should we become aware of a possible vulnerability in any of Dell’s products we will communicate with our customers in a transparent manner as we have done in the past.

Dell does not work with any government to compromise our products to make them vulnerable for exploit, including through ‘software implants’ or so-called ‘backdoors.

The statement does not address the specify security concerns that Forbes raises about Dell Service Tag Detector. We've requested clarification.

Forbes' concerns remain credible, though a long way from proven. Other security researchers are taking his findings seriously.

This is "one more reason why I typically uninstall persistent background software like this," Sean Sullivan, a security advisor at F-Secure told El Reg. "A remaining question I have… how many other vendors use similar software and what controls do they have in place?"

Rootnote

*Dell Service Tag Detector is used to auto fill the service tag input and show punters the relevant drivers for their machine. It seems that the app is pre-installed but we're double checking on this point.

Similar topics


Other stories you might like

  • OpenID-based security features added to GitHub Actions as usage doubles

    Single-use tokens and reusable workflows explained at Universe event

    GitHub Universe GitHub Actions have new security based on OpenID, along with the ability to create reusable workflows, while usage has nearly doubled year on year, according to presentations at the Universe event.

    The Actions service was previewed three years ago at Universe 2018, and made generally available a year later. It was a huge feature, building automation into the GitHub platform for the first time (though rival GitLab already offered DevOps automation).

    It require compute resources, called runners, which can be GitHub-hosted or self-hosted. Actions are commands that execute on runners. Jobs are a sequence of steps that can be Actions or shell commands. Workflows are a set of jobs which can run in parallel or sequentially, with dependencies. For example, that deployment cannot take place unless build and test is successful. Actions make it relatively easy to set up continuous integration or continuous delivery, particularly since they are cloud-hosted and even a free plan offers 2,000 automation minutes per month, and more than that for public repositories.

    Continue reading
  • REvil gang member identified living luxury lifestyle in Russia, says German media

    Die Zeit: He's got a Beemer, a Bitcoin watch and a swimming pool

    German news outlets claim to have identified a member of the infamous REvil ransomware gang – who reportedly lives the life of Riley off his ill-gotten gains.

    The gang member, nicknamed Nikolay K by Die Zeit newspaper and the Bayerische Rundfunk radio station, reportedly owns a €70,000 watch with a Bitcoin address engraved on its face and rents yachts for €1,300 a day whenever he goes on holiday.

    "He seems to prefer T-shirts from Gucci, luxurious BMW sportscars and large sunglasses," reported Die Zeit, which partly identified him through social media videos posted by his wife.

    Continue reading
  • A Windows 11 tsunami? No, more of a ripple as Microsoft's latest OS hits 5% PC market

    Next version of Windows 10 looms around the corner

    Microsoft's Windows 11 OS has notched up a respectable near 5 per cent of PCs surveyed by AdDuplex, as another Dev Channel build was unleashed with new features for the favoured few.

    With less than a month of General Availability under its belt, Windows 11 now accounts for 4.8 per cent of "modern" PCs (Windows Insiders running the OS account for 0.3 per cent) according to the ad platform. The figure is up from the 1.3 per cent in September, which was Insider-only and points to some migration to the production version of the software.

    The figure is both an indicator of Microsoft's cautious approach to releasing its wares and the limited amount of hardware that can actually run the round-cornered OS.

    Continue reading

Biting the hand that feeds IT © 1998–2021