Lenovo saw a strong 2014, ranking as the #1 PC vendor in the world ahead of HP, Dell, and Acer. A recent discovery, however, puts their 2015 prospects in question.
A user on Lenovo’s forums revealed that he did some investigating and found that Lenovo was installing a piece of software called Superfish on all new machines. Superfish is essentially a spyware program that injects third-party ads into Google search results and websites without a user’s knowledge or permission. The same forum user asks a question in the post that many consumers are now wondering:
“Lenovo, why are you adding adware to your Y50 that hijacks search results on any browser? Is it not enough that customers buy a laptop from you?”
Welcome to the web in 2015, where even billion-dollar companies feel the need to mine your personal data to make a quick buck on advertising.
Apology for Superfish Spyware?
Lenovo’s response was, I’m sure, meant to sound conciliatory. If I had to guess, though, I’d say that it will do little to salvage the permanent erosion of trust in Lenovo’s brand that this discovery has caused. Lenovo community administrator Mark Hopkins wrote the following in late January, several months after the aforementioned forum message was posted:
“We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”
Underwhelming, to say the least. Unsurprisingly, Lenovo’s “apology” featured an excuse that involved Superfish’s alleged “benefits.” According to Hopkins, Superfish “helps users find and discover products visually” and “instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.” That sounds nice in theory, but the issue is that Superfish’s presence is not made clear by any stretch of the imagination.
Windows users have often complained about the tendency of PC hardware manufacturers to include unwelcome and unnecessary bloatware on new computers. At worst, these have been minor to moderate inconveniences. Superfish, however, is well beyond the pale.
The Security Risks of a Self-Signed Certificate Authority
In an ideal world, computer users would have full knowledge of, and control over, any software that purports to “improve” the user experience. There have been numerous legal battles that have attempted to remedy this issue, but as of right now there hasn’t been much progress, resulting in manufacturers continuing to discreetly embed spyware that benefits their bottom line and throws their customers under the Capitalist bus.
One of the most alarming allegations against Lenovo is a claim that Superfish installs its own self-signed certificate authority. The forum thread concerning this allegation can be found here. An analysis of Superfish’s database file looks fishy, that’s for sure.
One of the scariest aspects of a self-signed certificate authority is the prospect of Superfish (and other spyware like it) having the ability to peer into secure connections such as banking websites. There’s absolutely no need for Lenovo, or any computer manufacturer, to have access to that type of information. The process is reminiscent of a man-in-the-middle attack, where the self-signed certificate permits the software to decrypt requests that should be secure. Additionally, Superfish’s classification as “adware” by trusted antivirus products raises a big red flag.
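One way to spot this kind of interception from the affected machine, as an added example that is not from Lenovo, Superfish or the forum thread: software that sits in the middle has to re-sign every site's certificate with its own authority, so unrelated sites suddenly share one issuer. The host names, issuer names and the clean-machine baseline below are constructed for illustration.

```python
import socket
import ssl
from collections import defaultdict

# Constructed sample data: issuer per host as recorded on a known-clean machine...
BASELINE = {
    "bank.example": "Example Trust CA",
    "search.example": "Sample Root Services",
    "shop.example": "Example Trust CA",
}
# ...and as seen on the machine under test (all values constructed).
OBSERVED = {host: "Interposing CA (constructed)" for host in BASELINE}


def issuer_name(cert):
    """Issuer organization (or common name) from an ssl getpeercert() dict."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")


def fetch_issuer(host, port=443, timeout=5.0):
    """Live probe (not called on import): issuer of the leaf this machine sees."""
    ctx = ssl.create_default_context()  # validates against the local trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_name(tls.getpeercert())


def find_resigning_issuers(observed, baseline, min_hosts=2):
    """Map each issuer that replaced the baseline issuer on >= min_hosts hosts
    to those hosts. One changed host alone may just be a CA migration."""
    replaced = defaultdict(list)
    for host, issuer in observed.items():
        expected = baseline.get(host)
        if expected is not None and issuer != expected:
            replaced[issuer].append(host)
    return {i: sorted(h) for i, h in replaced.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for issuer, hosts in find_resigning_issuers(OBSERVED, BASELINE).items():
        print(f"{issuer!r} re-signed {len(hosts)} sites: {', '.join(hosts)}")
```

To run it against real sites, build the observed mapping with `fetch_issuer` on the machine under test and the baseline with the same function on a machine you trust.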
What’s Next for Affected Lenovo Devices?
Due to this public outcry—with news regarding Superfish topping the technology sub-reddit—it’s expected that Lenovo will issue another statement at some point. For now, Lenovo has made public efforts to stop installing the adware on computers. Still, many consumers will question these efforts. As a result, if you own a Lenovo computer, it’s recommended that you follow the video tutorial here to remove Superfish as soon as possible. For everyone else? I’d think very carefully before buying another product from Lenovo.
In the meantime, I’ll direct you to Apple CEO Tim Cook’s recent affirmation that Apple customers are customers—not products. You can say whatever you like about Apple and their wares, but their commitment to customer privacy is second-to-none in the mainstream tech world.