Has PC maker Lenovo committed the ultimate breach of customer security?

How Lenovo deliberately infected its own customers' PCs with a malicious program

The Chinese company Lenovo has become known as the world's largest PC maker. Now it's also becoming famous as the computer company that may have committed the worst breach on record of its own customers' privacy and security.

Think that's an exaggeration? Security expert Marc Rogers calls Lenovo's actions "unbelievably ignorant and reckless" and "quite possibly the single worst thing I have seen a manufacturer do to its customer base."

Robert Graham of Errata Security reports that software Lenovo pre-installed on its PCs leaves them "open to hackers or NSA-style spies. For example, it can spy on your private bank connections." At Slate.com, software expert David Auerbach recommends that owners of affected Lenovo laptops do "nothing short of wiping the entire machine and installing vanilla Windows—not Lenovo’s Windows. Then change all of your passwords."

At issue is a program from a firm called Superfish, which Lenovo preinstalled on its consumer laptops starting in September. The ThinkPad line of business laptops, which Lenovo purchased from IBM in 2005 at the start of its climb in PC market share, isn't affected.

The Superfish program is properly described as "adware," or even "malware." It effectively hijacks users' web searches to inject ads from its own advertising partners; a user searching for a product to buy, for instance, would suddenly see ads for a similar product pushed by Superfish. Lenovo treats this as a great boon to its PC owners, designed "to assist customers with discovering products similar to what they are viewing."

But as security experts began to recognize months ago, Superfish's method destroys the computer's security safeguards through what is known as a "man in the middle" attack. (One of the first to sound the alarm was a Google engineer who noticed it was interfering with his Bank of America account page on his new Lenovo laptop.)

As Rogers lists the breaches, the program "monitors user activity. Collects personal information and uploads it to its servers. Injects advertising in legitimate pages. Displays popups with advertising software. Uses man-in-the-middle attack techniques to crack open secure connections." 

Part of the problem is that the software uses an easily crackable internal password that enables hackers to invade the computer--and it's the same password for all the affected computers. (If you're wondering, it's "komodia.") As Graham observed, "I can intercept the encrypted communications of SuperFish's victims (people with Lenovo laptops) while hanging out near them at a cafe wi-fi hotspot."
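A defender's check for the kind of interception root described above, written as an added PowerShell example (not code from the article, from Lenovo or from Superfish). It assumes the installed root CA's subject or issuer contains the string "Superfish"; the article names the company but not the certificate's exact subject, so adjust the pattern to match what your inventory shows.

```powershell
# Added example: enumerate the Windows certificate stores for a CA whose subject
# or issuer names Superfish, and report where it sits. Assumption: the
# interception root's subject contains "Superfish" (not stated by the article).
$Pattern = 'Superfish'

# Both the machine-wide and the per-user stores must be checked: a CA trusted
# in either one is honoured by browsers that rely on the Windows trust store.
$Findings = foreach ($Location in 'LocalMachine', 'CurrentUser') {
    foreach ($StoreName in 'Root', 'CA', 'AuthRoot', 'TrustedPublisher') {
        $Path = "Cert:\$Location\$StoreName"
        if (-not (Test-Path $Path)) { continue }
        Get-ChildItem -Path $Path |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $Path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # A self-signed entry in a Root store is the trust anchor that
                    # lets locally forged site certificates pass browser checks.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$Count = @($Findings).Count
if ($Count -eq 0) {
    Write-Output "No certificate matching '$Pattern' found in the Windows trust stores."
} else {
    Write-Warning "Found $Count certificate(s) matching '$Pattern':"
    $Findings | Format-Table -AutoSize
    Write-Output "Removing the root CA alone does not uninstall the interception software; follow the vendor's full removal instructions."
}
```

Run it from an elevated prompt so the LocalMachine stores are readable; a clean result here does not cover browsers that keep their own certificate store.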

There isn't much mystery why Lenovo did this. Like other PC makers do with other partners, it cut a deal with Superfish, a third-party software firm, to bundle its program in new computers. Typically, unwary PC buyers "accept" the software when they open their new laptops for the first time by clicking a series of license agreements, almost always without reading them. Without their knowledge the software burrows into their systems, and their lives. Who benefits? Lenovo gets a commission, and Superfish gets the business. 

The habit of consumer companies shoving unwanted products, services or software at their customers has a long and discreditable history. Software mavens compare Lenovo's stunt to a famous episode involving Sony, which in 2005 installed an anti-piracy program on computers when customers loaded them with certain Sony music CDs. The program, stupidly, exposed those users to hackers. 

It's worth noting that the people behind Superfish itself have been regarded with great suspicion by computer security experts. In a statement to Forbes, Superfish said "at no time were consumers vulnerable," and said there was "no wrongdoing on our end." But it seems obvious that this was the wrong company for Lenovo to partner with--indeed, Lenovo shouldn't be loading its computers with any third-party programs. 

Lenovo's response to the uproar has been sluggish and for the most part inadequate. After the storm broke last week, the company said it would stop pre-installing the culprit software on its computers, and "spend the next few weeks digging in on this issue, learning what we can do better." In an interview with the Wall Street Journal, its chief technical officer, Peter Hortensius, dismissed the "security guys'" concerns as "theoretical." He said, "we have no insight that anything nefarious has occurred."

But it issued detailed instructions to help customers remove the software because, it said, "user feedback was not positive." The complexity of the removal process should tell you how deeply the Superfish software burrowed into users' computers. A tool to determine if your Lenovo computer is compromised is here. Microsoft also has issued a patch for wiping Windows computers clean of the Superfish infection.

As for Lenovo, although it had about 18.8% of the worldwide market for PCs last year, it certainly has blotted its future in the computing industry. If a company this prominent can blunder this badly, why should anyone trust its products? The first lawsuit over this episode has now been filed. There will be more, and should be.


Copyright © 2016, Los Angeles Times