Shame on You Lenovo - Superfish Scandal

Imagine you were a hardware manufacturer and you'd been discovered installing something that made you money whilst simultaneously breaking one of the most important security features of your customers' web browsers. Now further try to picture the apology you'd have to write for this disgraceful, greedy and technically inept behaviour - well, you can read it here -

Superfish was previously included on some consumer notebook products shipped between September 2014 and February 2015 to assist customers with discovering products similar to what they are viewing.  However, user feedback was not positive, and we responded quickly and decisively:

This is the apology that Lenovo has written on its web page in response to the Superfish scandal. Make no mistake, Lenovo has been guilty of the most appalling disregard for both their customers' privacy and their online safety.

So What is Superfish?

Well, despite Lenovo waffling on about product search technology, Superfish is simply adware, which Lenovo installed on thousands of computers and laptops. Its function was to hijack your web browsing and inject adverts when you searched, which of course earned Lenovo a commission for displaying them. What was worse is that, in order to inject adverts into encrypted pages as well, this adware actually performed a man-in-the-middle attack on your browser's HTTPS connections so that it could read and modify the traffic.

Superfish Breaks Security

It's appalling: Superfish installed its own self-signed root CA certificate into the machine's trusted certificate store, then sat between your browser and every HTTPS site, presenting a forged certificate for each site signed by that root, so that it could decrypt your personal browsing. The browser shows no warning, because the forged root is trusted. It's exactly the same method that a hacker or identity thief would use to steal usernames and passwords from encrypted HTTPS traffic. What's worse is that the root certificate, and its private key, were identical on every affected machine. So even if Lenovo didn't directly steal your data by 'breaking' HTTPS, anyone who extracted that one shared key could impersonate any HTTPS site to any Superfish-equipped laptop, which made hacking into those machines much, much easier for everyone else. Removing the adware alone was not enough, either: the root certificate had to be deleted from the trusted store as well.
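To make the trust problem concrete, here is an added example (not Lenovo's, Superfish's, or the original post's code) that reproduces the mechanism with openssl on any Unix-like system: a self-signed root is created, a certificate for an arbitrary site name is minted with that root's key, and the result is checked both by a verifier that trusts the root and by one that does not. The CA name "Example Adware Root" and the host name bank.example are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from Superfish/Lenovo.
# Reproduces the trust model behind the Superfish MITM using only openssl.
# "Example Adware Root" and "bank.example" are constructed names.
set -eu
WORK=$(mktemp -d)

# 1. A self-signed root CA: the equivalent of the certificate (and private
#    key) that Superfish dropped into every laptop's trusted root store.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Adware Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# 2. Whoever holds root.key can mint a certificate for ANY site name.
#    This is what the interception proxy did on the fly for each HTTPS site,
#    and what any attacker holding the shared key could do too.
mint_site_cert() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" >"$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -days 30 -sha256 \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# 3. Chain validation as a browser that trusts the adware root would do it:
#    the forged certificate is accepted without any warning.
verify_with_root() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

# 4. The same certificate checked by a verifier that does not trust the
#    adware root (no CA file, no CA directory): rejected, as it should be.
verify_without_root() {
  if openssl verify -no-CAfile -no-CApath "$WORK/$1.crt" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

make_root_ca
mint_site_cert bank.example
echo "verifier trusting the adware root: $(verify_with_root bank.example)"
echo "verifier without the adware root:  $(verify_without_root bank.example)"
echo "files left in $WORK for inspection"
```

Run it as a plain POSIX shell script; it only needs openssl on the PATH. The last two lines are the whole scandal in miniature: the certificate for bank.example is accepted or rejected purely on whether the adware root is trusted, and the root's private key, identical on every affected laptop, is the only thing an attacker needs to produce the first result.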

So it was not surprising that 'user feedback was not positive', as here's a brief summary -

  • Lenovo secretly installs adware on brand new machines.
  • Machines are then sold to customers.
  • Superfish installs its own root certificate into the trusted store and forges a certificate for every secure site you visit.
  • Superfish then performs a man-in-the-middle attack to decrypt your HTTPS traffic.
  • Fee-paying adverts are displayed in your browser window to earn Lenovo commission.
  • Superfish effectively makes the machine more vulnerable to other attacks, since the same root key is on every machine.

Obviously computer and information laws vary across the world, but needless to say what Lenovo did is skirting the edge of criminality. Certainly as far as UK law goes, the updates to the Computer Misuse Act cover adware and specify that installation should be clear and allow the consumer a choice of whether to run it. There are also numerous provisions about unauthorised access to, and modification of, customers' computers.

Whatever the legal ramifications, what is certain is that Lenovo is quite happy to exploit its customers' security and privacy in order to make more money by installing adware. I for one will certainly never trust this company again, and I would hope I am not alone.
