Lenovo shipped laptops with security flaw, experts say

(Gil C / Shutterstock)

SAN FRANCISCO — If you’ve recently purchased a laptop computer made by Lenovo, you may want to hear this: Experts say the world’s biggest computer maker shipped laptops with pre-installed software that could let hackers steal passwords or other sensitive information when you use the web to shop, pay bills or check email.

Lenovo said Thursday that it has disabled the offending software, known as Superfish, and will provide customers with a tool that permanently removes the program from their computers. The company initially said its own investigation didn’t find “any evidence to substantiate security concerns.” But it later removed that sentence from a statement on its website.

The problem affects an unknown number of computers: Lenovo said it shipped “some” laptops with Superfish between September and December last year, before it stopped because of customer complaints. That could cover a large number of machines. Lenovo shipped more than 16 million laptop and desktop machines in the fourth quarter.

Superfish wasn’t intended as malware. Lenovo has said it was designed to show targeted ads by analyzing images of products that a user might see on the web and then presenting “identical and similar product offers that may have lower prices.” Lenovo said the software doesn’t track users or collect any identifying information.

But some users initially complained the software shows unwanted “pop-up” ads. And this week, several independent experts reported that Superfish works by substituting its own security key for the encryption certificates that many websites use to protect users’ information. “This means that anyone affected by this adware cannot trust any secure connections they make,” researcher Marc Rogers wrote on his blog.

What’s worse, experts said, is that Superfish appears to re-use the same encryption certificate for every computer, which means a hacker who cracked the Superfish key could have broad access to a variety of online transactions. Robert Graham, chief executive of Errata Security, boasted in a blog post Thursday that he was able to figure out the Superfish encryption password in a few hours.

So far, there’s been no evidence that hackers have used the vulnerability to steal information. To do that, some experts said, a hacker would probably need to search for owners of laptops that have the Superfish software and are using a public Wi-Fi connection to visit secure websites.

But some critics blasted Lenovo for acting irresponsibly by installing the software. “Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users,” said the Electronic Frontier Foundation, an Internet advocacy group, in a blog post Thursday.

Superfish is made by a tech startup based in Silicon Valley and Israel. A spokesperson wasn’t immediately available for comment.

Many PC-makers ship computers with pre-loaded software from other companies, often in exchange for commissions or fees. Lenovo said its arrangement with Superfish is “not financially significant.” The company said it stopped selling laptops with the program in January and added: “Our goal was to enhance the experience for users; we recognize that the software did not meet that goal and have acted quickly and decisively.”

“We’re not claiming it wasn’t a mistake,” Lenovo spokesman Brion Tingler added Thursday. “We do due diligence and it wasn’t good enough in this case.” He added that the company is reviewing its procedures.

While Lenovo says it stopped shipping computers with Superfish in January, some may still be in stock at retailers. Lenovo posted detailed instructions for removing the software and the Superfish encryption certificate from its computers. They can be found here.