Dell's 'apology' for eDellRoot fails to say sorry for putting your security at risk

Maybe it's just me, but I think it's important to actually say "sorry" sometimes.

In its "Response to Concerns Regarding eDellroot Certificate", Dell says that it "deeply regrets" introducing a huge security hole on customers' computers that could see criminals eavesdrop on your private communications - but it falls short of an apology.

Of course it regrets that customers might think twice before buying Dell PCs and laptops in future, and that its users' trust has been shaken by the company's Superfish-style antics, but it doesn't say anything as simple as "We owe you an apology. We're sorry. We were wrong. We let you down."

If I upset my wife, trust me, the correct response is not to say "I deeply regret" whatever happened.

Here is what Dell had to say to its customers:


Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.

We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.

Your trust is important to us and we are actively working to address this issue. We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately.
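A defender's way to audit a Windows machine for the certificate Dell's statement describes, as an added example that is not part of the original post and is not Dell's own removal tool. It matches root-store entries by the subject name eDellRoot (the only identifier given on the page; no thumbprint is assumed) and reports whether the private key is present on the machine, which is what turns a stray root certificate into an eavesdropping risk. Removal is opt-in and assumes an elevated prompt.

```powershell
# Added example: audit the Windows Root stores for the eDellRoot certificate.
# Matching is by subject name only, since the page gives no thumbprint.
param(
    [switch]$Remove   # remove matches only when explicitly requested
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found  = @()

foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            $found += [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key is stored on the machine
                # lets anyone who extracts that key issue certificates the
                # machine will accept, which is the risk the article describes.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($found.Count -eq 0) {
    Write-Output 'eDellRoot not found in the LocalMachine or CurrentUser Root stores.'
    return
}

$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # LocalMachine removal needs an elevated PowerShell session.
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -Verbose
    }
    # Dell's statement says the certificate will not reinstall once removed by
    # its recommended process, so re-run this audit after a reboot to confirm.
    Write-Output 'Removed. Re-run this audit after a reboot to confirm it stays gone.'
}
```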

Yes, I'm pleased that Dell says it will start rolling out a fix, but it would still have been nice if it had said sorry to customers.

I have to assume that Dell isn't sorry, because the company has passed up a great opportunity to apologise to the home and business customers who may find it disturbing that their privacy and security were put at risk by software that Dell put on their computers.

You won't find any "sorry" on Dell's official Twitter support account, @DellCares, either, where they just drily point concerned customers to the above statement.


It's almost like Dell's support team have been told not to say sorry.

Maybe it's the lawyers who are stopping companies from putting their hands up and admitting they did wrong after virtually every security snafu and data breach. But I don't think it's a good way to rebuild a relationship with customers who were put at unnecessary risk.


6 Responses

  1. Isma'il

    November 24, 2015 at 8:28 pm

    When I worked as a tech support rep at Dell a few years back, we were instructed NEVER to admit fault on anything. I see nothing's changed.

  2. Support staff

    November 25, 2015 at 12:27 am

    In a corporate environment you are forbidden from saying "sorry" or admitting fault. To do otherwise is to invite lawsuits and decrease shareholder value. You must mouth platitudes and regret that people find themselves inconvenienced, moving forward, at the end of the day, with worlds best practice.

  3. Chris

    November 25, 2015 at 12:05 pm

    I regret that I will now avoid purchasing any Dell kit in the future. I appreciate that this behaviour may fall below the standards that their shareholders expect.

  4. Paula

    November 25, 2015 at 3:06 pm

    This is like something out of Only Fools and Horses with Dell in the role of, well, Del Boy, but who's playing Rodney?

    • Graham Cluley in reply to Paula.

      November 25, 2015 at 3:11 pm

      Rodney is played by every customer who ever trusted Dell.

  5. New Mexico Mark

    November 26, 2015 at 5:01 pm

    In my opinion it is foolish to buy any Windows-based computer and just start using it. It should be standard practice to DBAN the drive and do a clean OS install first. And of course, avoid Lenovo and their malicious BIOS like the plague for the next 100 years or so. Frankly, given most users' needs, Linux is more relevant today than ever, and that should be a first consideration for anyone who cares about security. If someone is technically naive, OS-X is a decent alternative — expensive hardware notwithstanding. Microsoft's "partnerships" with companies like Lenovo and Dell that allow this kind of customer/security abuse with zero consequences makes them guilty of aiding and abetting at the very least.
