Lenovo Group addresses malicious software claims

Computer maker to halt pre-installed software which allegedly left PCs vulnerable

Lenovo  Group Ltd said it will no longer pre-install software that cybersecurity experts say was malicious and made devices vulnerable to hacking. File photograph: Bobby Yip/Reuters
Lenovo Group Ltd said it will no longer pre-install software that cybersecurity experts say was malicious and made devices vulnerable to hacking. File photograph: Bobby Yip/Reuters

China's Lenovo Group Ltd, the world's largest PC maker, said it will no longer pre-install software that cybersecurity experts say was malicious and made devices vulnerable to hacking.

Lenovo had come under fire from security researchers who said the company pre-installed a virus-like software from a company called Superfish on consumer laptops that hijacked web connections and allowed them to be spied upon.

Users reported as early as last June that a programme, also called Superfish, was “adware”, or software that automatically displays adverts.

Superfish will no longer be pre-installed and has been disabled on all products in the market since January, a Lenovo spokesman told reporters. The spokesman said Superfish was included on some consumer notebooks shipped between October and December.

READ MORE

“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” the spokesman said. Superfish “does not profile nor monitor user behaviour. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted . . . The relationship with Superfish is not financially significant”.

'Hijacked connections'

Robert Graham, CEO of US-based security research firm Errata Security, said Superfish was malicious software that hijacks and throws open encrypted connections, paving the way for hackers to also take over these connections and eavesdrop, in what is known as a man-in-the-middle attack.

“This hurts [Lenovo’s] reputation,” Mr Graham told reporters. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their [customers’] laptops.”

Mr Graham and other experts said Lenovo was negligent, and that computers could still be vulnerable even after uninstalling Superfish. The software throws open encryptions by giving itself authority to take over connections and declare them as trusted and secure, even when they are not.

“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand, a researcher at Brown Hat Security. “This amounts to a wiretap.”

Concerns about cybersecurity have dogged Chinese firms, including telecoms equipment maker Huawei Technologies Ltd's alleged ties to China's government and alleged issues with smartphone maker Xiaomi Inc's data privacy.

Lenovo commanded one-fifth of the global PC market in the third quarter of 2014, according to data research firm IDC.

Reuters