The Schwartz Report


Lenovo Betrayed Customer Trust by Installing Insecure Adware

Lenovo's decision to install the adware program Superfish on some of its PCs, notably the Yoga 2 models and Edge 15, was the latest inexcusable action by a company that we should be able to trust to provide a secure computing environment. It's hard to understand how Lenovo could let a system into the market carrying software that was able to bypass the McAfee antimalware software it bundled (as well as others).

While Microsoft swiftly updated its Windows Defender to remove the certificate for Superfish, and Lenovo on Friday released its own downloadable removal tools, including source code, this wasn't just another typical bug or system flaw.

Unbeknownst to customers, Lenovo apparently installed the Superfish software, which is designed to track users' online sessions, including all SSL traffic, leaving their systems vulnerable to hackers stealing passwords and other sensitive information. Adding insult to injury, Lenovo took the rather unscrupulous move of installing it at the BIOS level, making it impervious to antimalware and AV protection software.

Justifying the move, Lenovo said it had knowingly installed the adware under the guise that it would "enhance the shopping experience." The only thing it enhanced was users' suspicion that whoever Lenovo does business with is putting their information at risk to further its own objectives.

Just in the past few weeks, we learned that hackers stole user information from Anthem, the nation's second largest health insurer. Some 80 million customers (myself included) had their private information exposed in that attack. Also last week, the latest leak by Edward Snowden to The Intercept accused the National Security Agency (NSA) and the British government of hacking into SIM cards from Gemalto, a company whose chips are used in smartphones to store personal information such as passport and identity data. And the list goes on.

What's galling about the Lenovo incident is that the company only put a stop to it when Peter Horne, the person who discovered it, raised the issue (the company argued it was due to negative user feedback). Horne, a veteran IT professional in the financial services industry, came across the Superfish installation on the Lenovo Yoga 2 Notepad he bought. Horne told The New York Times that not only did the bundled McAfee software fail to discover it, but Superfish also got past the Trend Micro AV software he installed. Looking to see how widespread the problem was, he visited Best Buy stores in New York and Boston and retailers in Sydney and Perth, and the adware was installed on all the PCs he tested.

Yet upon fessing up, Lenovo argued that it was only installed on consumer systems, not ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x servers. Horne had a rather pointed suspicion about Lenovo's decision to install the adware in the first place. "Lenovo is either extraordinarily stupid or covering up," he told The Times. "Either one is an offense to me."

But he noted an even bigger issue. "The problem is," he said, "what can we trust?"

Posted by Jeffrey Schwartz on 02/23/2015 at 2:50 PM

