Lenovo Group Ltd. apologized to customers as it works to help laptop owners remove pre-installed software that potentially exposed them to hacking attacks and unauthorized monitoring of their activity.
The biggest maker of personal computers said it was a mistake to have the software, made by a company called Superfish, included on Lenovo machines. Lenovo posted links on Twitter to its website with information about the software and removal instructions.
The Beijing-based company was responding to a deluge of criticism from cyber-security specialists regarding Superfish’s ability to monitor Web behavior and suggest advertisements based on images that a user might be viewing. The technology used by Superfish essentially breaks the encryption between Web browsers and banking, e-commerce and other sites that handle sensitive information, potentially exposing machines to hacking.
“The Superfish software undermines Internet security for the rather ridiculous purpose of serving advertisements,” said Rainey Reitman, director of activism at the Electronic Frontier Foundation. “It’s a severe security issue, and frankly a betrayal by Lenovo of all of its affected customers.”
Superfish uses image-recognition algorithms that watch where users point on their screens and suggest ads based on the images they’re looking at. The software was included on some models of consumer laptops sold worldwide between September and December and was turned off in January after user complaints, Lenovo said.
“We messed up badly here,” Peter Hortensius, Lenovo’s chief technology officer, said in an interview. “We made a mistake. Our guys missed it. We’re not trying to hide from the issue -- we’re owning it.”
Superfish said in a statement that the company is “completely transparent in what our software does and at no time were consumers vulnerable.”
Lenovo got some “very minor compensation” for installing the software and the aim was to “try to improve people’s experience,” Hortensius said.
The use of Superfish software affected only consumer laptops and didn’t violate any part of Lenovo’s agreements with the U.S. government and the Committee on Foreign Investment in the United States, Hortensius said. Those agreements lay out rules for how the manufacturer’s products must be designed in order for the company to sell products to the U.S. government and businesses. Lenovo needed the committee’s approval in 2005 to acquire the PC business from International Business Machines Corp. for $1.75 billion.
“We apologize for causing any concern to any users for any reason,” the company said in a statement. “Lenovo never installed this software on any ThinkPad notebooks, nor any Lenovo desktops or smartphones.”
Pre-installed software poses unique security and privacy concerns because questionable behavior is hard to detect, and the programs are often difficult or impossible to uninstall. Users don’t have to engage in risky behavior for their information to be put in danger. There are few good technical options for securing the machines, according to Jeremiah Grossman, founder of WhiteHat Security Inc.
“If we take Lenovo at their word, then Lenovo made a very poor security-versus-user-experience trade-off,” Grossman wrote in an e-mail. “The bigger challenge now is what the various stakeholders can and should do about all those vulnerable laptops in circulation, perhaps even perpetually so.”
The main concern is that the mechanism Superfish uses to collect data and display ads undermines the encryption on Internet traffic between computers and websites, which is vital to shielding credit-card numbers, passwords, the contents of e-mail messages and other sensitive data traveling across the Web.
Known as adware, spyware or bloatware, unwelcome software has been a scourge of the computing industry for years, blurring the line between helpful and harmful. Computer makers and wireless carriers, trying to squeeze more profit from each device they sell, are provoking controversy by installing such software without users’ permission.
In December, Verizon Communications Inc. and T-Mobile USA Inc. drew the ire of some users who noticed their smartphones and tablets came pre-installed with a program called Ignite, made by Austin, Texas-based Digital Turbine Inc., which allows carriers to install applications on devices without asking customers’ permission.
Bill Stone, Digital Turbine’s CEO, said the software benefits consumers because it also gives them the ability to delete unwanted applications, which most handsets don’t automatically allow. Albert Aydin, a spokesman for Verizon, echoed those statements and said deleted applications are only re-installed after phones are reset. A representative for T-Mobile didn’t immediately comment.
Superfish essentially tricks Web browsers into believing that it’s the bank or search engine or e-commerce site that users are trying to reach, which allows the software to intercept communications and monitor behavior. The danger is that hackers can co-opt the mechanism to spy on Lenovo users.
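The trust decision described above, modelled as an added example that is not part of the original article: a browser accepts any certificate that chains to a root in the machine's trust store, so once a locally installed interceptor root is present, a proxy can present a freshly minted certificate for the bank and be believed. The CA names, hosts and the simplified name-based chain walk are constructed for illustration; no real cryptography is performed, and the last function is the defender's check for roots that did not ship with the platform.

```python
"""Simplified model of a browser's TLS trust decision (constructed example).

Certificates are reduced to subject/issuer names and signatures are not
checked; the point is the trust-store logic, not the math."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # host or CA name the certificate claims
    issuer: str   # CA that signed it; self-signed when subject == issuer


# Roots that shipped with the platform (hypothetical names).
PLATFORM_ROOTS = frozenset({"Example Public Root CA"})


def chain_is_trusted(chain, trust_store):
    """Walk leaf -> intermediates -> root; trusted only if it ends at an installed root."""
    for i, cert in enumerate(chain):
        if cert.subject == cert.issuer:          # reached a self-signed root
            return cert.subject in trust_store   # must be one the machine trusts
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False                         # next cert is not this one's issuer
    return False                                 # chain never reached a root


def browser_accepts(hostname, chain, trust_store):
    """Hostname must match the leaf and the chain must be trusted."""
    return chain[0].subject == hostname and chain_is_trusted(chain, trust_store)


def foreign_roots(trust_store, platform_roots=PLATFORM_ROOTS):
    """Defender check: trusted roots that were added locally, not shipped by the platform."""
    return sorted(set(trust_store) - set(platform_roots))


# Genuine chain the bank presents (constructed).
BANK_CHAIN = [Cert("bank.example", "Example Public Root CA"),
              Cert("Example Public Root CA", "Example Public Root CA")]
# Chain an on-device interceptor mints for the same host (constructed).
INTERCEPT_CHAIN = [Cert("bank.example", "Adware Interceptor Root"),
                   Cert("Adware Interceptor Root", "Adware Interceptor Root")]


def demo():
    clean = set(PLATFORM_ROOTS)
    tampered = clean | {"Adware Interceptor Root"}  # what the adware installer does
    return {
        "genuine_on_clean": browser_accepts("bank.example", BANK_CHAIN, clean),
        "forged_on_clean": browser_accepts("bank.example", INTERCEPT_CHAIN, clean),
        "forged_on_tampered": browser_accepts("bank.example", INTERCEPT_CHAIN, tampered),
        "suspicious_roots": foreign_roots(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Because acceptance depends only on the root being present, anyone holding that root's signing key, not just the vendor that installed it, gets the same result, which is why the article calls the mechanism co-optable.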
“If you can trick someone into believing you’re someone else, then the entire system is broken,” said Mark Gazit, CEO of ThetaRay, an Israeli cyber-security company.