Lenovo, one of the top notebook manufacturers, has recently come under a national spotlight after it was discovered that the company was shipping laptops with pre-installed software that makes it possible for attackers to monitor user activity and steal sensitive data.

The software, produced by the Palo Alto based advertising company Superfish, is a shopping tool designed to “aid users” by recommending products based on their browsing habits. To do this, Superfish intercepts the web traffic going in and out of the user’s system. Lenovo originally described the software as harmless, but security researchers quickly debunked that notion. Because Superfish sits between the user and the internet, it is itself a man-in-the-middle, and because it installs its own self-signed root certificate into the system’s trusted certificate store, it can intercept HTTPS connections as well: the browser shows a secure connection even though Superfish is decrypting and re-encrypting the traffic. Worse, the private key for that root certificate is the same on every affected laptop, so anyone who extracts it from one machine can sign a certificate for any website that every other affected laptop will accept as valid. An attacker on the same network as an affected laptop can then read or alter its encrypted traffic without triggering any browser warning.

After severe backlash from the technology and cyber-security communities, Lenovo CTO Peter Hortensius publicly apologized in an interview with Bloomberg, saying “We made a mistake. Our guys missed it. We’re not trying to hide from the issue — we’re owning it.” Lenovo also issued a press release confirming that Superfish could expose systems to attack and recommending that users with affected systems remove the software immediately. Lenovo has provided removal instructions and rated the Superfish vulnerability as high severity. Note that uninstalling the application alone is not enough: the Superfish root certificate must also be removed from the trusted certificate store, or the machine stays exposed to anyone holding the shared private key.
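The check a practitioner would want is whether the Superfish root certificate is still trusted on a given machine. The following is an added example, not code from Lenovo or the original article. It assumes only that the certificate’s subject contains the string “Superfish” (the shipped root was issued to “Superfish, Inc.”) and that you run it in an elevated PowerShell on Windows 8 or later, where the Cert: drive supports Remove-Item.

```powershell
# Added example: look for the Superfish root CA in the machine and user
# trusted root stores and, optionally, remove it. Not Lenovo's own tool.
# Assumption: the certificate subject contains "Superfish".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $found) {
    Write-Host 'No Superfish root certificate found in the machine or user root stores.'
    return
}

# Show what was found before touching anything.
$found | Format-Table -AutoSize

# A root CA whose private key is public is worthless as a trust anchor:
# remove every matching certificate. Drop -WhatIf to actually delete.
foreach ($cert in $found) {
    $path = "$($cert.Store)\$($cert.Thumbprint)"
    Remove-Item -Path $path -WhatIf
}
```

Firefox and Thunderbird keep their own certificate stores rather than using the Windows one, so on machines with those installed the certificate must also be deleted from within each application; Lenovo’s removal instructions cover that step.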

Affected laptops span Lenovo’s consumer notebook lineup (E-Series, Flex-Series, G-Series, MIIX-Series, S-Series, U-Series, Y-Series, Yoga-Series, and Z-Series) shipped between September 2014 and January 2015. Lenovo says it stopped preloading Superfish in January because of negative user reviews, and that it will not preload the software in the future.


Our Take

This is quite possibly the biggest screw-up we’ve ever seen from a major computer manufacturer: hundreds of thousands of systems were infected without their users’ knowledge. Lenovo will certainly lose reputation over this one, but I’m encouraged that Lenovo is taking action to mitigate the problem rather than trying to cover it up.

I hope the biggest takeaway for Lenovo and the rest of the big-box system builders is that nobody wants all this pre-installed trash. Stop installing Superfish, and while you’re at it, stop installing all the other crap. Not only does it create a negative user experience, it also gets you problems like Superfish.


Source: Lenovo, Bloomberg, Re/code