China’s Lenovo to Remove Suspicious App but Denies It’s a Backdoor

The Chinese PC manufacturer Lenovo said Thursday it will no longer pre-install the Superfish adware that has been denounced by cyber-security experts as making users vulnerable to hacking.
A man walks past Lenovo advertising at a computer centre in Hong Kong on August 14, 2014. Dale de la Rey/AFP/Getty Images
Jonathan Zhou

The Chinese PC manufacturer Lenovo said Thursday it will no longer pre-install on its devices the Superfish adware that has been denounced by cyber-security experts as making users vulnerable to hacking.

“Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active,” Lenovo said in a statement Thursday. “Lenovo stopped preloading the software in January. We will not preload this software in the future.”

Currently, the vulnerabilities can only be manually removed by affected Lenovo device users, and Lenovo said it’s working on a software update to remove the security hole.

“As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops,” Lenovo’s CTO Peter Hortensius told the Wall Street Journal.

Cyber-security experts say that the Superfish adware exposes Lenovo devices to spying when using normally secure connections such as those for banking, and have called Lenovo’s decision to install the adware a serious breach of ethics. Some have gone so far as to label Superfish “malware.”

“We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position,” Marc Rogers, a security researcher at CloudFlare, wrote on his blog Thursday. “When bad guys are able to get into the supply chain and install malware it is devastating.”

Superfish makes users vulnerable to “man-in-the-middle” attacks even when browsing on an encrypted web connection, Rogers says. Because the software has an unrestricted trusted root certificate, the vulnerability is undetectable to usual security checks, security experts say.

“This is unbelievably ignorant and reckless of them. It’s quite possibly the single worst thing I have seen a manufacturer do to its customer base,” Rogers wrote.
