Lenovo Caught Preloading Controversial Spyware ‘Superfish’ onto PCs

by Matt Klassen on February 26, 2015

Chinese computer manufacturer Lenovo came under fire this week for preloading controversial adware onto consumer laptops sold in late 2014. Preloading software is common practice in both the PC and mobile worlds; what makes Lenovo’s case so serious is that the software it shipped uses the same man-in-the-middle technique cyber-criminals use to intercept encrypted web traffic.

The software in question, named Superfish, “is purposely designed to bypass the security of HTTPS websites in a manner that would allow malware and attackers to also bypass the security provided by HTTPS,” explained Adam Ely, cofounder of Bluebox. “Users are inherently at risk of being directed to malicious sites that appear valid,” he told TechNewsWorld, “making it much easier for attackers to steal information and further infect computers with malware.”

So why would Lenovo install such a piece of software on its laptops? The company insists that the security concerns are unfounded, explaining that it used Superfish to help customers discover potentially interesting products while shopping. The company goes on to say that its use of Superfish has not been financially significant, and that it has since stopped pre-installing the program on its machines.

For its part, Lenovo has denied that Superfish is the pernicious piece of spyware that many claim it to be, explaining that the program is designed to collect only anonymous data.

“To be clear,” the company said in its statement, “Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior,” the company maintained. “It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent. Users are given a choice whether or not to use the product,” Lenovo added.

As mentioned, what makes Superfish so problematic is the way it gets at the content of web pages: it installs its own root certificate into the Windows trust store and places itself between the browser and every HTTPS site, issuing a fresh certificate for each site under that root. Because the browser trusts the root, all traffic protected by SSL/TLS, the standard that secures online banking, email and shopping, can be decrypted, read and recorded by the program.

“Superfish allows every bit of communication with your bank, your email provider, or your healthcare provider to be inspected,” said Kevin Bocek, vice president for security strategy and threat intelligence at Venafi. “It uses the exact same technique that cybercriminals use for bank account takeovers,” he told TechNewsWorld.

Beyond recording sensitive data, however, Superfish enables an attacker to compromise the data on one’s computer. “It allows anything to be injected into the data stream from your computer,” Pavel Krcma, CTO of Sticky Password, told TechNewsWorld. “It can install a backdoor to your computer.”

Superfish can be removed through the normal Windows uninstall process, but uninstalling does not repair the damage: the root certificate it added stays in the trust store. Because the private key for that root was identical on every affected machine and has since been extracted and published, anyone holding it can set up a malicious website, or intercept any HTTPS connection, that an affected computer will see as authentic.
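Checking for that leftover certificate is the practical step the paragraph above leaves to the reader. The following PowerShell script is an added example, not code from the article or from Lenovo: it audits the machine-wide and per-user Root stores for a certificate whose subject or issuer contains “Superfish” (the installed root was issued to “Superfish, Inc.”), reports what it finds, and removes it in a dry run first. The function names, the parameter names and the subject pattern are the example’s own assumptions.

```powershell
# Added example (not from the article or from Lenovo): audit the Windows
# certificate stores for a lingering Superfish root certificate and remove it.
# Run in an elevated PowerShell session; the LocalMachine store needs admin rights.
# The match is on the subject name the Superfish root used ("Superfish, Inc.");
# confirm any hit against a published advisory before removing it, and keep
# -WhatIf on the first run. Firefox keeps its own trust store and must be
# checked separately.

$StoresToCheck = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root'
)

# Returns one object per matching certificate (empty output if the machine is clean).
function Find-SuperfishRoot {
    [CmdletBinding()]
    param(
        [string[]]$Stores = $StoresToCheck,
        [string]$SubjectPattern = '*Superfish*'   # assumption: match on subject/issuer text
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like $SubjectPattern -or $_.Issuer -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                    PSPath        = $_.PSPath       # used by Remove-Item below
                }
            }
    }
}

# Deletes the certificates found above; honours -WhatIf and -Confirm.
function Remove-SuperfishRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [pscustomobject]$Finding
    )
    process {
        $target = "$($Finding.Store) thumbprint $($Finding.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
            Remove-Item -Path $Finding.PSPath
        }
    }
}

$hits = @(Find-SuperfishRoot)
if ($hits.Count -eq 0) {
    Write-Host 'No Superfish root certificate found in the checked stores.'
} else {
    $hits | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    # Dry run: shows what would be removed. Drop -WhatIf to actually delete.
    $hits | Remove-SuperfishRoot -WhatIf
}
```

Removing the certificate closes the trust hole even if the uninstaller was already run; removing only the program leaves it open, which is exactly the failure the article describes.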

Although Lenovo denies that the deployment of Superfish had any financial motivation, one has to wonder whether this was simply a trial run for the pre-installation of similar tracking software that would collect user information for Lenovo to sell, in turn, to advertisers. The problem for consumers is that online advertising is a multi-billion dollar industry, and everyone from carriers to mobile manufacturers to tech giants like Lenovo would like a piece. While Lenovo’s inclusion of Superfish may be controversial, analysts claim that what some other companies are currently doing is far more repugnant.


Written by: Matt Klassen. www.digitcom.ca. Follow TheTelecomBlog.com by: RSS, Twitter, Facebook, or YouTube.
