This post is also available in: עברית (Hebrew)
The U.S. government is warning Lenovo users they must remove an adware (advertising-supported software) called ’Superfish’ from their digital platforms.
The Department of Homeland Security (DHS) issued a highly irregular and stern alert urging users to remove the adware. A DHS statement said “systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.” Additionally, it was publicized that “starting in as early as 2010, Lenovo has pre-installed Superfish VisualDiscovery spyware on some of their PCs.”
Lenovo has faced a scandal since news broke last Thursday that the company was pre installing an adware called ’Superfish’ on some of its consumer laptops. According to security experts, Superfish installs its own root certificate on computers. In addition to popups and using system resources, it also enables the adware to crack into HTTPS web connections. It also does this in a way that leaves ’Windows’ open for hackers to potentially eavesdrop on secure web connections and steal sensitive data, including banking information (see further below).
According to Mashable, the U.S. government’s Superfish timeline does not match up with the one provided by Lenovo. The company has said that it only preinstalled Superfish on laptops over the last few months.
“The 2010 date is not accurate,” Lenovo spokesman Brion Tingler told Mashable. “Lenovo has stated it preloaded this particular piece of software from Superfish starting in Sept 2014. Superfish has been around for years and its products have been available for download from sources other than Lenovo.”
The U.S. government asserts that Superfish intercepts HTTPS encrypted connections using a “man-in-the-middle” attack. This could potentially compromise banking information and email accounts, according to the Department of Homeland Security. This may account for the unusual urgency and firm alert issued.
Lenovo’s chief technology officer Peter Hortensius denied, in an interview to Mashable on Friday, that Superfish breaks HTTPS connections. The software itself is not malicious – according to Lenovo. Rather, it is a flaw in the design.
However, security experts believe otherwise. They further allege that Lenovo representatives are in damage control, attempting to quell a growing backlash.
Initially, Lenovo was hesitant to admit there were security risks caused by Superfish. The company has since backpedaled and is now claiming it is doing everything in its power to mend the problem.