Stories about potentially malicious software emerge practically every day, but it’s not often that a high-profile PC manufacturer admits to deliberately installing harmful files on consumer devices. However, that’s exactly what happened this week, when Lenovo was found to be pre-installing adware on its devices without the owner’s permission.
Superfish, as the adware has been dubbed, is reported to affect Lenovo units purchased between the latter half of 2014 and January this year. While its ability to insert third-party advertisements into Internet Explorer and Google Chrome searches is annoying, the way that it installs its own security certificate is invasive and possibly harmful.
Because that certificate is installed as a trusted root authority, Superfish can issue certificates for any website and so intercept any information sent and received by the user’s device – known as a “man-in-the-middle” attack, something that puts the user at increased risk.
However, while the potential damage to the consumer is significant, the Superfish scandal has already greatly harmed Lenovo’s reputation.
The Chinese company initially defended the software, describing it as helping “users find and discover products visually,” but its swift removal of Superfish suggests that Lenovo is well aware it has damaged consumer trust.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” Lenovo said in a statement. “But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software. We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.”
Although Lenovo has now issued tutorials on how to remove the software, it is believed that this will not remove the Superfish root certificate authority.
The reaction of many consumers has been one of anger and disbelief. For Lenovo to install this kind of software, essentially malware, onto its laptops in order to make more money from advertising is already galling; the fact that it also introduces a vulnerability into the user’s system is shocking.
Many Lenovo users have now criticised the brand over the Superfish install.
"It's not like they stuck it on the flier saying... we install adware on our computers so we can profit from our customers by using hidden software,” said one forum user. "However, I now know this. I now will not buy any Lenovo laptop again."
Consumers rely on manufacturers to put their security first. In an age where cybercrime and malicious threats are becoming increasingly sophisticated, it is baffling that Lenovo would voluntarily compromise its devices in this way.
Moreover, the company responsible for the Superfish adware has been receiving numerous complaints regarding its software since its inception in 2006. A quick Google search reveals that Superfish has been criticised for the way it monitors user activity and hijacks legitimate connections, amongst other issues, for years.
As one of the industry’s leading PC manufacturers, Lenovo surely cannot claim ignorance over these concerns.
The question now is how the Chinese company goes about restoring user trust, if indeed it can.
Removing the root certificate of Superfish is the only way to be sure that the user’s PC is secure, but this is a complicated process – and one that many consumers are unlikely to undertake. Instead, it may be that Microsoft has to step in and solve the issue on Lenovo’s behalf.
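The check a user or administrator would actually want is whether a Superfish-issued root certificate is still trusted after the adware itself has been uninstalled. The following PowerShell script is an added example, not Lenovo’s or Superfish’s code and not taken from the article; it assumes only that the certificate’s subject contains the string "Superfish" (the thumbprint is deliberately not hard-coded, since the article does not give one). By default it only reports; adding `-Remove` deletes any match from the Windows trusted-root stores, which needs an elevated session for the LocalMachine store.

```powershell
# Added example: find (and optionally remove) a trusted root CA whose subject matches a pattern.
# Assumption: the Superfish root certificate's subject contains "Superfish".
# Run from an elevated PowerShell session so the LocalMachine store can be read and modified.
param(
    [string]$SubjectPattern = "*Superfish*",
    [switch]$Remove
)

# Both the machine-wide and the per-user trusted root stores are checked,
# because a certificate in either one is trusted by Internet Explorer and Chrome on Windows.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern }
}

if (-not $found) {
    Write-Output "No trusted root certificate matching '$SubjectPattern' was found."
    return
}

foreach ($cert in $found) {
    # Report where the certificate lives so the reader can verify before removing anything.
    Write-Output ("FOUND in {0}`n  Subject:    {1}`n  Thumbprint: {2}`n  Expires:    {3}" -f
        $cert.PSParentPath, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    if ($Remove) {
        # Remove-Item on the Cert: drive deletes the certificate from that store (PowerShell 3.0+).
        Remove-Item -Path $cert.PSPath -Confirm:$false
        Write-Output "  Removed."
    }
}
```

Run it once without `-Remove` to confirm the match is really the unwanted certificate, then again with `-Remove`. The Windows certificate store is not the only trust store on a PC: Firefox maintains its own, so a browser that does not use the Windows store has to be checked separately.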
The Redmond-based firm has fixed third-party problems in the past when they affect a significant number of Windows users, so a Microsoft patch could be forthcoming.
The Superfish issue will surely come as a lesson learned for Lenovo, but hopefully the fallout will be heeded by everyone in the hardware industry. Individual users may be able to fix the Superfish vulnerability on their personal devices, but the wider breakdown in consumer trust may be irreparable.