Dell’s ‘apology’ for eDellRoot fails to say sorry for putting your security at risk

Graham Cluley

Maybe it’s just me, but I think it’s important to actually say “sorry” sometimes.

In its “Response to Concerns Regarding eDellroot Certificate”, Dell says that it “deeply regrets” introducing a huge security hole on customers’ computers that could see criminals eavesdrop on your private communications – but it falls short of an apology.

Of course it regrets that customers might think twice before buying Dell PCs and laptops in future, and that its users’ trust has been shaken by the company’s Superfish-style antics, but it doesn’t say anything as simple as “We owe you an apology. We’re sorry. We were wrong. We let you down.”

If I upset my wife, trust me, the correct response is not to say “I deeply regret” whatever happened.


Here is what Dell had to say to its customers:


Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.

The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.

We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.

Your trust is important to us and we are actively working to address this issue. We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately.

Yes, I’m pleased that Dell says it will start rolling out a fix, but it would still have been nice if it had said sorry to customers.

I have to assume that Dell isn’t sorry, because the company has passed up a great opportunity to apologise to the home and business customers who may find it disturbing that their privacy and security were put at risk because of software that Dell put on their computers.

You won’t find any “sorry” on Dell’s official Twitter support account, @DellCares, either, where they just drily point concerned customers to the above statement.

Dell tweet

It’s almost like Dell’s support team have been told not to say sorry.

Maybe it’s the lawyers who are stopping companies from putting their hands up and admitting they did wrong after virtually every security snafu and data breach. But I don’t think it’s a good way to rebuild a relationship with customers who were put at unnecessary risk.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

6 comments on “Dell’s ‘apology’ for eDellRoot fails to say sorry for putting your security at risk”

  1. Isma'il

    When I worked as a tech support rep at Dell a few years back, we were instructed NEVER to admit fault on anything. I see nothing's changed.

  2. Support staff

    In a corporate environment you are forbidden from saying "sorry" or admitting fault. To do otherwise is to invite lawsuits and decrease shareholder value. You must mouth platitudes and regret that people find themselves inconvenienced, moving forward, at the end of the day, with world's best practice.

  3. Chris

    I regret that I will now avoid purchasing any Dell kit in the future. I appreciate that this behaviour may fall below the standards that their shareholders expect.

  4. Paula

    This is like something out of Only Fools and Horses with Dell in the role of, well, Del Boy, but who's playing Rodney?

    1. Graham Cluley · in reply to Paula

      Rodney is played by every customer who ever trusted Dell.

  5. New Mexico Mark

    In my opinion it is foolish to buy any Windows-based computer and just start using it. It should be standard practice to DBAN the drive and do a clean OS install first. And of course, avoid Lenovo and their malicious BIOS like the plague for the next 100 years or so. Frankly, given most users' needs, Linux is more relevant today than ever, and that should be a first consideration for anyone who cares about security. If someone is technically naive, OS-X is a decent alternative — expensive hardware notwithstanding. Microsoft's "partnerships" with companies like Lenovo and Dell that allow this kind of customer/security abuse with zero consequences make them guilty of aiding and abetting at the very least.
