Dell has denied building backdoors into its kit following a security researcher's discovery of an insecure update assistant app.
Tom Forbes alleges that the Dell Service Tag Detector app* is so insecure that it creates a backdoor on machines it is installed upon.
More ReadingIsraeli boffins hack air gap, fire missiles on compromised kitFavicons used to update world's 'most dangerous' malwareNoobs can pwn world's most popular BIOSes in two minutesMicrosoft RE-BORKS Windows 7 patch after reboot loop horrorKaspersky claims to have found NSA's 'space station malware'
More specifically, Forbes alleges that the app caries a Remote Code Execution (RCE) risk which, if true, would create a means for hackers and cyberspies to smuggle malware onto vulnerable systems.
An attacker could trigger the program to download and execute an arbitrary file without any user interaction, according to Forbes.
"The little 'Dell Service Tag Detector' program that they push people to download on the Dell.com website does a lot more than just detect service tags - it gives Dell access to your entire machine, allowing them to download and install software and collect system information without you knowing," Forbes told El Reg.
The issue was reported to Dell in November, fixed two months later in January. Forbes only went public about it this week.
Forbes' detailed technical write up of the issue can be found here.
In response to queries from El Reg Dell issued a statement denying that it ever installed backdoors on PCs it supplies.
Dell has a long-standing commitment to design, build and ship secure products and quickly address instances when issues are discovered. A key Dell priority is the protection of customer data and information, which is reflected in our robust and comprehensive privacy and information security program and policies. We take very seriously any issues that may impact the integrity of our products or customer security and privacy.
Should we become aware of a possible vulnerability in any of Dell’s products we will communicate with our customers in a transparent manner as we have done in the past.
Dell does not work with any government to compromise our products to make them vulnerable for exploit, including through ‘software implants’ or so-called ‘backdoors.
The statement does not address the specify security concerns that Forbes raises about Dell Service Tag Detector. We've requested clarification.
Forbes' concerns remain credible, though a long way from proven. Other security researchers are taking his findings seriously.
This is "one more reason why I typically uninstall persistent background software like this," Sean Sullivan, a security advisor at F-Secure told El Reg. "A remaining question I have… how many other vendors use similar software and what controls do they have in place?"
*Dell Service Tag Detector is used to auto fill the service tag input and show punters the relevant drivers for their machine. It seems that the app is pre-installed but we're double checking on this point.