Lenovo Laptops Sold with Pre-Installed Adware that Poses Security Risk
Feb 26, 2015
Computer security experts discovered a security vulnerability in pre-installed software on some Lenovo products that puts the user’s sensitive data at risk.
Superfish, installed on some Lenovo machines, breaks HTTPS, the secure version of the Hypertext Transfer Protocol, to better scour for ads and view data on connections that normally would not allow it, Mashable reports. But experts say Superfish also intercepts encrypted connections in a way that potentially allows hackers to steal private data, such as banking information.
Lenovo explained that Superfish "is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices," according to Mashable. But the adware installs its own root certificate on Windows systems. Then, when the user visits a website, it appears that Superfish is allowed to be there, observing the user’s actions, according to Mashable. This can include sites such as banking websites, where the connection is meant to be private. Security expert Marc Rogers says, "If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers' banking sites, personal data and private messages."
In a statement, Lenovo said Superfish was included with its products "in a short window between October and December to help customers potentially discover interesting products while shopping." Peter Hortensius, Lenovo's chief technology officer, told The Wall Street Journal that the company is working on "a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app."
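
Because the adware installs its own root certificate, uninstalling the app is only part of the cleanup; the trust stores need checking as well. The following PowerShell audit is an added example, not a Lenovo or Superfish tool and not the removal tool mentioned above. The function name `Find-TrustedRootByName` is hypothetical, and the default match on the name "Superfish" is an assumption, since the article does not give the certificate's subject or thumbprint.

```powershell
# Added example: list trusted-root certificates whose subject or issuer
# matches a name pattern. The default pattern 'Superfish' is an assumption
# taken from the product name; the article does not state the certificate's
# actual subject or thumbprint.
function Find-TrustedRootByName {
    param(
        [string]$Pattern = 'Superfish'
    )

    # Check the machine-wide and the per-user trusted-root stores.
    # A machine-wide certificate may be listed under both paths.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A root CA whose private key is present on an end-user
                    # machine deserves particular attention.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Report the result; an empty list means no root certificate matched the pattern.
$hits = @(Find-TrustedRootByName)
if ($hits.Count -eq 0) {
    Write-Output 'No matching certificate found in the trusted-root stores.'
} else {
    $hits | Format-List
}
```

The script only reads the stores. A match that survives uninstalling the app means the root certificate is still trusted and needs to be removed separately.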