Lenovo Crassly Installs Nasty Adware On Laptops

Computer maker Lenovo is in full damage control mode amid revelations that for the last few months, it has sold laptops that are preloaded with some particularly malicious adware. It’s so malicious, in fact, that it gives hackers a wide-open door to your computer.

Lenovo's display at the 2012 Consumer Electronics Show (courtesy Wikimedia Commons)

Late Wednesday, word got out that since at least September, a number of Lenovo laptops have come preloaded with adware from Superfish, which Lenovo originally intended to “enhance our users’ shopping experience.” It does so by injecting its own ads into search results and Web pages–which, as any computer user knows, is pretty low in and of itself. If you see ads that are generated from a program called “VirtualDiscovery,” you’ve got Superfish on your computer.

But even worse, if you visit an encrypted Web site for banking, shopping or anything else that has a secure connection, Superfish replaces the security certificate for that site with one of its own. This makes it possible for malicious users to secretly hijack your browser and steal your banking information, passwords, and virtually anything else. Simply put, if you’ve got Superfish on your computer, you might as well have the hacker sitting next to you as you type. The Department of Homeland Security was alarmed enough to issue a formal advisory urging users to remove Superfish and its associated root certificate right away.

Slate tech writer David Auerbach sums up the reaction of most of the tech world–he and his colleagues have been “walking around with our jaws on the floor” since this broke. According to security expert Marc Rogers, Superfish is so invasive that “affected users cannot trust any secure connections they make – TO ANY SITE.” He calls this “quite possibly the single worst thing I have seen a manufacturer do to its customer base.” Along similar lines, Auerbach calls it “one of the most irresponsible mistakes an established tech company has ever made.”

Both Rogers and Auerbach are being extremely kind. This is a breach of one of the most sacred trusts in computing–that a manufacturer will not intentionally or recklessly sell its users computers that have been compromised. I say “intentionally or recklessly” because according to Forbes, complaints about Superfish have abounded since as early as 2010. Superfish’s founder, Adi Pinhas, has ties to a number of shady companies with little to no regard for users’ privacy. He set up Superfish with the help of a lot of money from venture capital firms. The most benign interpretation is that these firms didn’t do the most basic due diligence.

Lenovo initially claimed that Superfish had been disabled–but, as Auerbach points out, removing Superfish doesn’t remove the root certificate. It also claims that no ThinkPads are affected. However, you have to take it with a hefty grain of salt, considering that Lenovo should have known Superfish was smelly to start with and dealt with this company anyway. The company’s chief technology officer, Peter Hortensius, told The Wall Street Journal that Lenovo’s security people are merely dealing with “theoretical concerns,” but have no evidence that “anything malicious has occurred.” Auerbach was being kind when he called this statement “disingenuous and infuriating.”

Future Tense’s Lily Hay Newman writes that removing Superfish is fairly easy. Windows Defender has released an update that removes both the Superfish program itself and–more importantly–the certificate. You can also manually delete the program via Control Panel and then manually remove the certificate from your certificate manager. If you have Firefox, you should also delete it from that browser’s certificate storage. You should also change all of your passwords and keep a close watch on your bank accounts and credit cards for a while.
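
A check for the leftover root certificate described above, as an added PowerShell example that is not from the original article. The function name `Find-SuperfishRoot` and the assumption that the certificate's Subject or Issuer contains the string "Superfish" are illustrative; it covers only the Windows certificate stores, not Firefox's separate certificate storage.

```powershell
# Added example: look for a Superfish root certificate in the Windows trust stores.
# Assumption: the certificate's Subject or Issuer contains the string "Superfish".
function Find-SuperfishRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Pattern = 'Superfish',   # assumed name match, see lead-in
        [switch]$Remove                   # delete matches instead of only listing them
    )

    # Windows trusts roots from both the machine-wide and the per-user store,
    # so uninstalling the program alone does not clear either of them.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        $hits = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern }

        foreach ($cert in $hits) {
            # Emit one record per match so the result can be logged or exported.
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }

            if ($Remove -and $PSCmdlet.ShouldProcess($cert.Subject, "Remove from $store")) {
                # Removing from the LocalMachine store requires an elevated session.
                Remove-Item -Path $cert.PSPath
            }
        }
    }
}

# List matches only; no output means no matching root was found.
Find-SuperfishRoot

# Preview what a removal would delete without changing anything:
# Find-SuperfishRoot -Remove -WhatIf
```

Run it again after removal, and after any vendor cleanup tool, to confirm that neither store still lists a match.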

It goes without saying that a lot of heads need to roll at Lenovo for this. That, and credit report monitoring for all affected users, is the absolute minimum for what should be done to address this. Even then, it may not be enough for me to buy anything from Lenovo any time soon. I’m due to get a new computer sometime this summer. After seeing this, I know it won’t be a Lenovo.

Darrell is a 30-something graduate of the University of North Carolina who considers himself a journalist of the old school. An attempt to turn him into a member of the religious right in college only succeeded in turning him into the religious right's worst nightmare--a charismatic Christian who is an unapologetic liberal. His desire to stand up for those who have been scared into silence only increased when he survived an abusive three-year marriage. You may know him on Daily Kos as Christian Dem in NC. Follow him on Twitter @DarrellLucus.