The Schwartz Report


Lenovo Betrayed Customer Trust by Installing Insecure Adware

Lenovo's decision to install the adware program Superfish on some of its PCs, notably the Yoga 2 models and Edge 15, was the latest inexcusable action by a company that we should be able to trust to provide a secure computing environment. It's hard to understand how Lenovo could ship systems carrying software that bypassed the McAfee antimalware it bundled (and other products as well).

Although Microsoft swiftly updated Windows Defender to remove the Superfish certificate, and Lenovo on Friday released its own downloadable removal tools, including source code, this wasn't just another typical bug or system flaw.

Unbeknownst to customers, Lenovo apparently installed the Superfish software, designed to track users' online sessions, including all SSL traffic, leaving their systems open to hackers stealing passwords and other sensitive information. Adding insult to injury, Lenovo took the rather unscrupulous step of installing it at the BIOS level, making it impervious to antimalware and AV protection software.
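Because the interception described above rests on a trusted root certificate that the column says Windows Defender later removed, the practical check for an administrator is whether such a certificate is still present. The following PowerShell snippet is an added example, not part of the column or of Lenovo's removal tools; it assumes the certificate can be recognized by the string "Superfish" in its subject or issuer, since the column gives no thumbprint.

```powershell
# Added example (not from the column): look for a Superfish-named root CA in the
# machine-wide and current-user trusted root stores, which is where an
# SSL-intercepting proxy would need its certificate to be trusted.
# Assumption: the certificate's Subject or Issuer contains "Superfish";
# the thumbprint is not given in the column, so matching is by name only.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'Superfish' -or $_.Issuer -match 'Superfish' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Issuer, Thumbprint, NotAfter
}

if ($hits) {
    $hits | Format-Table -AutoSize
    # Removal is deliberately not automated here: confirm the entry first, then
    # delete it with Remove-Item on its Cert: path (Cert:\<store>\Root\<thumbprint>).
    Write-Warning "Unexpected root CA present; confirm and remove it, and check that the software that installed it is gone."
} else {
    Write-Host "No Superfish-named root certificate found in the checked stores."
}
```

Run it from an elevated PowerShell session so that the LocalMachine store is readable; a clean result from this name-based check does not prove the system is otherwise untouched, only that this particular root is gone.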

Justifying the move, Lenovo said it had knowingly installed the adware under the guise that it would "enhance the shopping experience." The only thing it enhanced was users' suspicion that whoever Lenovo does business with is putting their information at risk to further its own objectives.

Just in the past few weeks, we learned that hackers stole user information from Anthem, the nation's second largest health insurer. Some 80 million customers' private information (mine included) was compromised in this attack. Also last week, the latest leak by Edward Snowden to The Intercept accused the National Security Agency (NSA) and the British government of hacking into SIM cards from Gemalto, a company whose chips are used in smartphones to store personal information such as passport and identity data. And the list goes on.

What's galling about the Lenovo incident is that the company only put a stop to it when Peter Horne, the person who discovered it, raised the issue (the company argued it was due to negative user feedback). Horne, a veteran IT professional in the financial services industry, came across the installation of Superfish on the Lenovo Yoga 2 Notepad he bought. Horne told The New York Times that not only did the bundled McAfee software fail to detect it, but Superfish also got past the Trend Micro AV software he installed. Looking to see how widespread the problem was, he visited Best Buy stores in New York and Boston, as well as retailers in Sydney and Perth, and the adware was installed on all the PCs he tested.

Yet upon fessing up, Lenovo argued that it was only installed on consumer systems, not ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x servers. Horne had a rather pointed suspicion about Lenovo's decision to install the adware in the first place. "Lenovo is either extraordinarily stupid or covering up," he told The Times. "Either one is an offense to me."

But he noted an even bigger issue. "The problem is," he said, "what can we trust?"

Posted by Jeffrey Schwartz on 02/23/2015 at 2:50 PM


