The Chinese PC manufacturer Lenovo said Thursday it will no longer pre-install on its devices the Superfish adware that has been denounced by cyber-security experts as making users vulnerable to hacking.
“Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active,” Lenovo said in a statement Thursday. “Lenovo stopped preloading the software in January. We will not preload this software in the future.”
Currently, affected users can only remove Superfish, and the root certificate it installs, by hand; Lenovo said it is working on a software update to close the security hole.
“As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops,” Lenovo’s CTO Peter Hortensius told the Wall Street Journal.
Cyber-security experts say that the Superfish adware exposes Lenovo devices to spying even over normally secure connections, such as those used for banking, and have called Lenovo’s decision to install the adware a serious breach of ethics. Some have gone so far as to label Superfish “malware.”
“We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position,” Marc Rogers, a security researcher at CloudFlare, wrote on his blog Thursday. “When bad guys are able to get into the supply chain and install malware it is devastating.”
Superfish makes users vulnerable to “man-in-the-middle” attacks even when browsing over an encrypted web connection, Rogers says. The software installs its own unrestricted root certificate into the system’s trusted store and uses it to sign a certificate for every HTTPS site the user visits, so the browser reports the connection as valid and the interception is invisible to the usual security checks, security experts say.
“This is unbelievably ignorant and reckless of them. It’s quite possibly the single worst thing I have seen a manufacturer do to its customer base,” Rogers wrote.
Lenovo has denied that the Superfish software posed a security threat, and states that it’s removing the adware for user experience reasons.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Lenovo said. “But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software.”
Robert Graham of Errata Security demonstrated on his blog Thursday how he recovered the password protecting the private key of the Superfish root certificate. Because the same certificate and key ship on every affected laptop, that key lets anyone “intercept the encrypted communications” of Lenovo users on the same Wi-Fi network, such as a cafe hotspot. The password for the certificate is the name of a company that markets software that intercepts secure connections to let parents spy on their children.
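Given that the shared, trusted root certificate is the actual hole, the practical check on an affected Windows machine is whether that root is still in a trust store, not merely whether the adware is running. The following PowerShell is an added example for this article, not code from Lenovo, Superfish or the researchers quoted; it matches certificates on the “Superfish” subject name and prints the thumbprint for comparison against Lenovo’s published advisory rather than hard-coding it, and the service and process name “VisualDiscovery” is assumed from how the adware was packaged on shipping units.

```powershell
# Added example: find and (optionally) remove the Superfish root certificate
# on a Windows machine, and check for the adware's service. Run as Administrator.
# Set $Remove to $true only after reviewing the matches it prints.
$Remove = $false

# 1. Look in every store an installer could have dropped the root into.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' }
}

if (-not $found) {
    Write-Host 'No Superfish certificate found in the root or intermediate stores.'
} else {
    # Compare the printed thumbprint against the value in Lenovo's advisory.
    $found | Format-Table PSParentPath, Subject, Thumbprint, NotAfter -AutoSize

    if ($Remove) {
        # Uninstalling the program alone leaves the root trusted; the
        # certificate itself must be deleted from each store it appears in.
        foreach ($cert in $found) {
            Remove-Item -Path $cert.PSPath -Verbose
        }
    }
}

# 2. The adware's service and process (assumed names; adjust if they differ).
Get-Service | Where-Object {
    $_.Name -like '*VisualDiscovery*' -or $_.DisplayName -like '*VisualDiscovery*'
}
Get-Process -Name 'VisualDiscovery' -ErrorAction SilentlyContinue

# 3. Firefox keeps its own trust store inside the user profile (cert8.db / cert9.db),
# so a certificate removed from the Windows stores may still be trusted there;
# check Firefox's certificate manager separately.
```

Run it once with `$Remove = $false` to see what it matches; a hit in any store with a thumbprint that matches Lenovo’s published value is the one to delete. Because the private key for that root is the same on every affected laptop, the machine stays exposed to the hotspot attack described above until the certificate is gone from every store, whatever the state of the adware itself.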
Lenovo has dismissed these concerns as “theoretical.”
“We’re not trying to get into an argument with the security guys. They’re dealing with theoretical concerns,” Hortensius said. “We have no insight that anything nefarious has occurred… The feedback from users was that it wasn’t useful, and that’s why we turned it off.”
This is not the first time a Chinese technology company has come under scrutiny over cyber-security concerns. A congressional probe in 2012 found that Huawei Technologies Inc. and ZTE Inc., both headquartered in China, were a national-security risk because their equipment likely contained backdoors that could be used to spy on Americans.
Much of the probe was inconclusive because the companies largely did not cooperate with the congressional investigation. For instance, neither firm explained the role served by the “Chinese Communist Party Committee” unit inside the companies, nor anything about their internal management structure.
According to the market research firm IDC, Lenovo is the largest PC manufacturer in the world, and its devices made up one-fifth of the global market as of October 2014.