World's top PC maker installed software that left customers susceptible to man-in-the-middle attacks
It's not too often that Lenovo gets dinged for making a bad decision. After all, Lenovo is the top supplier of PCs in the world, and it didn't get there through a series of mishaps. Nevertheless, Lenovo has come under fire for installing hidden software, called Superfish, on its consumer laptop and desktop PCs that injects third-party ads into Google searches and websites. Even worse, Lenovo reportedly gave Superfish permission to issue its own security certificates, which allows it to intercept users' SSL/TLS connections to websites in what is known as a man-in-the-middle attack.
Superfish is intended to help consumers find and discover products by analyzing images on the web. The visual search tool could allow you to look up an item you've stumbled upon but might not know the name of, or to find similar products that are perhaps more affordable.
Unfortunately, Superfish has been found to do more than it says. After users complained about it on Lenovo's forums, Lenovo social media program manager Mark Hopkins sought to extinguish the flames by telling users that Lenovo had removed the software, at least for now.
"Due to some issues (browser pop up behavior for example), with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues," Hopkins said.
He went on to defend the software and tout its merits, though he didn't address complaints that it's injecting its own self-signed certificates and intercepting web traffic, behavior that was confirmed on Twitter by a security engineer at Google.
BBC News spoke with security expert Prof. Alan Woodward, who described Superfish as being "like Google on steroids." He also said that people have shown it can intercept pretty much anything on the web.
"If someone went to, say, the Bank of America then Superfish would issue its own certificate pretending to be Bank of America and intercept whatever you are sending back and forth," Woodward said.
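The interception Woodward describes works because a root certificate was placed in the machine's own trust store: once the operating system trusts that root, a local proxy can mint a certificate for any site name and the browser's chain validation will accept it. The following model is an added example, not code from the article, from Lenovo or from Superfish. It simulates X.509 chain validation with constructed certificate names and stand-in keys (no real cryptography), and shows two defender-side checks that catch the substitution: auditing the trust store against a known-good baseline, and public-key pinning for a site the client cares about.

```python
# Added example (not from the article, not Lenovo's or Superfish's code): a
# simplified model of X.509 chain validation. It shows why a root certificate
# preloaded into the machine's trust store lets a local proxy mint a valid-looking
# certificate for any site, and two defender-side checks that catch it:
# auditing the trust store against a baseline and public-key pinning.
# All certificate names and keys below are constructed stand-ins.
from __future__ import annotations

from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str      # who the certificate is for
    issuer: str       # who claims to have signed it
    public_key: str   # stand-in for the SubjectPublicKeyInfo bytes
    signer_key: str   # key that produced the signature (models signature verification)


def spki_fingerprint(cert: Cert) -> str:
    """SHA-256 over the subject public key, the value a pin is compared against."""
    return hashlib.sha256(cert.public_key.encode()).hexdigest()


def chain_is_trusted(chain: list[Cert], trust_store: list[Cert]) -> bool:
    """Walk leaf -> intermediates, checking each link, then require the last
    certificate to be signed by a root present in the trust store."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject or cert.signer_key != parent.public_key:
            return False
    top = chain[-1]
    return any(root.subject == top.issuer and root.public_key == top.signer_key
               for root in trust_store)


def connect(hostname: str, chain: list[Cert], trust_store: list[Cert],
            pins: dict[str, str] | None = None) -> str:
    """Decide whether a TLS client would accept the presented chain for hostname."""
    leaf = chain[0]
    if leaf.subject != hostname:
        return "rejected: name mismatch"
    if not chain_is_trusted(chain, trust_store):
        return "rejected: untrusted chain"
    if pins and hostname in pins and spki_fingerprint(leaf) != pins[hostname]:
        return "rejected: pin mismatch"
    return "accepted"


def audit_trust_store(trust_store: list[Cert], baseline_subjects: set[str]) -> list[str]:
    """Report root subjects that are not in a known-good baseline (e.g. the OS vendor's list)."""
    return sorted(root.subject for root in trust_store if root.subject not in baseline_subjects)


# --- constructed scenario (hypothetical names and keys) -----------------------
PUBLIC_ROOT = Cert("Example Public Root CA", "Example Public Root CA",
                   "root-key-public", "root-key-public")
GENUINE_LEAF = Cert("www.bank.example", "Example Public Root CA",
                    "bank-key", "root-key-public")

# A root the PC maker dropped into the system store at the factory...
PRELOADED_ROOT = Cert("Preloaded Adware Root", "Preloaded Adware Root",
                      "root-key-preloaded", "root-key-preloaded")
# ...which lets a local proxy mint a certificate for whatever site the user visits.
FORGED_LEAF = Cert("www.bank.example", "Preloaded Adware Root",
                   "proxy-key", "root-key-preloaded")

BASELINE_ROOTS = {"Example Public Root CA"}
PINS = {"www.bank.example": spki_fingerprint(GENUINE_LEAF)}


if __name__ == "__main__":
    clean_store = [PUBLIC_ROOT]
    tampered_store = [PUBLIC_ROOT, PRELOADED_ROOT]
    host = "www.bank.example"
    print("genuine cert, clean store:   ", connect(host, [GENUINE_LEAF], clean_store))
    print("forged cert, clean store:    ", connect(host, [FORGED_LEAF], clean_store))
    print("forged cert, tampered store: ", connect(host, [FORGED_LEAF], tampered_store))
    print("forged cert + pinning:       ", connect(host, [FORGED_LEAF], tampered_store, PINS))
    print("unexpected roots:            ", audit_trust_store(tampered_store, BASELINE_ROOTS))
```

The third call is the situation the article describes: the forged certificate is rejected against a clean trust store but accepted once the preloaded root is present, because ordinary chain validation only asks whether some trusted root signed the chain, not which one. Pinning the site's expected public key, or periodically diffing the installed roots against the platform vendor's list, turns that silent acceptance into a detectable event.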
Users do have the option of declining the software when firing up their laptop or desktop for the first time, though according to The Guardian, some have complained that it installs anyway and persists even after the software is uninstalled.
Update
Lenovo sent us the following statement on the matter:
Superfish was previously included on some consumer notebook products shipped in a short window between September and December to help customers potentially discover interesting products while shopping. However, user feedback was not positive, and we responded quickly and decisively:
1) Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active. This disables Superfish for all products in market.
2) Lenovo stopped preloading the software in January.
3) We will not preload this software in the future.
We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns. But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.
To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product. The relationship with Superfish is not financially significant; our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.
We are providing support on our forums for any user with concerns. Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns. If users still wish to take further action, detailed information is available at http://forums.lenovo.com.
Follow Paul on Google+, Twitter, and Facebook