Lenovo to stop pre-installing controversial software

Users reported as early as last June that a program, also called Superfish, was 'adware'. (File)

China's Lenovo Group Ltd, the world's largest PC maker, said on Thursday it will no longer pre-install software that cybersecurity experts said was malicious and made devices vulnerable to hacking.

Lenovo had come under fire from security researchers who said earlier on Thursday the company pre-installed a virus-like software from a company called Superfish on consumer laptops that hijacked web connections and allowed them to be spied upon.

Users reported as early as last June that a program, also called Superfish, was 'adware', or software that automatically displays adverts.

Superfish will no longer be pre-installed and has been disabled on all products in the market since January, when Lenovo also stopped pre-installing the software, said a Lenovo spokesman in an email to Reuters on Thursday. Superfish was included on some consumer notebooks shipped between September and December, he said.

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns," the spokesman said. Superfish "does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted... The relationship with Superfish is not financially significant."

Robert Graham, CEO of U.S.-based security research firm Errata Security, said Superfish was malicious software that hijacks and throws open encrypted connections, paving the way for hackers to also commandeer these connections and eavesdrop, in what is known as a man-in-the-middle attack.

"This hurts (Lenovo's) reputation," Graham told Reuters. "It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops."

Graham and other experts said Lenovo was negligent, and that computers could still be vulnerable even after uninstalling Superfish. The software throws open encryptions by giving itself authority to take over connections and declare them as trusted and secure, even when they are not.

"The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads," said Eric Rand, a researcher at Brown Hat Security. "This amounts to a wiretap."

Concerns about cybersecurity have dogged Chinese firms, including telecoms equipment maker Huawei Technologies Ltd over ties to China's government and smartphone maker Xiaomi Inc over data privacy.

Lenovo commanded one-fifth of the global PC market in the third quarter of 2014, according to data research firm IDC.

Below is the full text of Lenovo's statement on Superfish

"At Lenovo, we make every effort to provide a great user experience for our customers.  We know that millions of people rely on our devices every day, and it is our responsibility to deliver quality, reliability, innovation and security to each and every customer. In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks. 

"We thought the product would enhance the shopping experience, as intended by Superfish. It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software.  We acted swiftly and decisively once these concerns began to be raised. We apologize for causing any concern to any users for any reason – and we are always trying to learn from experience and improve what we do and how we do it.

"We stopped the preloads beginning in January. We shut down the server connections that enable the software (also in January, and we are providing online resources to help users remove this software.  Finally, we are working directly with Superfish and with other industry partners to ensure we address any possible security issues now and in the future. Detailed information on these activities and tools for software removal are available here:

https://support.lenovo.com/us/en/product_security/superfish

https://support.lenovo.com/us/en/product_security/superfish_uninstall 

"To be clear: Lenovo never installed this software on any ThinkPad notebooks, nor any Lenovo desktops or  smartphones. This software has never been installed on any enterprise product -- servers or storage -- and these products are in no way impacted. And, Superfish is no longer being installed on any Lenovo device. In addition, we are going to spend the next few weeks digging in on this issue, learning what we can do better. We will talk with partners, industry experts and our users. We will get their feedback. By the end of this month, we will announce a plan to help lead Lenovo and our industry forward with deeper knowledge, more understanding and even greater focus on issues surrounding adware, pre-installs and security. We are eager to be held accountable for our products, your experience and the results of this new effort.

Superfish may have appeared on these models:

G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45

U Series: U330P, U430P, U330Touch, U430Touch, U530Touch 

Y Series: Y430P, Y40-70, Y50-70

Z Series: Z40-75, Z50-75, Z40-70, Z50-70

S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch

Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10

MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11

YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW

E Series: E10-30"

Print Email