Lenovo Group apologises to customers over Superfish software

20 Feb 2015

Lenovo Group Ltd has apologised to customers and is working with users so that laptop owners can remove pre-installed software that potentially exposed them to hacking attacks and unauthorised activity monitoring, Bloomberg reported.

According to the company, the biggest maker of personal computers, it was a mistake to have included the software, made by a company called Superfish, on Lenovo machines.

The company posted links on Twitter to pages on its website that provided information about the software as well as removal instructions.

The Beijing-based company was responding to criticism from cyber-security specialists regarding the ability of Superfish to monitor web behaviour and suggest advertisements on the basis of images that a user might be viewing.

Superfish's technology essentially broke the encryption between web browsers and banking, e-commerce and other sites that handle sensitive information, potentially exposing machines to hacking.

According to Rainey Reitman, director of activism at the Electronic Frontier Foundation, the Superfish software undermined internet security for the rather ridiculous purpose of serving advertisements.

Reitman added that it was a severe security issue, and frankly a betrayal by Lenovo of all of its affected customers.

Superfish used image-recognition algorithms that watched where users pointed on their screens and suggested ads on the basis of the images they were looking at.

Meanwhile, ABC News reported that Lenovo had removed a preloaded adware program called Superfish from its devices after users reported that antivirus protection systems had deemed it a "potentially unwanted program."

According to the statement of the Chinese electronics company, it removed Superfish, a visual search engine, from all products it planned to ship, effective January.

It added that Superfish "has completely disabled server side interactions" on existing devices.

Users complained on Lenovo forums that the software injected advertisements into their systems, behaviour of the kind the industry calls a PUP, short for "potentially unwanted program."

Most disconcerting was the allegation that the software could present users with a fake certificate instead of the one belonging to the legitimate site they were trying to visit, which is how Superfish was able to serve advertisements into encrypted pages.
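Presenting a fake certificate that browsers accept requires a trusted root certificate to be installed on the machine, so an owner can check the Windows trust stores for it. The script below is an added example, not code from the article, Lenovo or Superfish; it assumes the injected root's subject contains the string "Superfish" and reports any trusted root matching that name or any trusted root whose private key is present on the machine (a root that can sign certificates locally is exactly what lets a fake site certificate be issued on the fly).

```powershell
# Added example: audit the Windows trusted-root stores for a Superfish-style root.
# Assumptions: the injected root's subject contains "Superfish" (constructed
# pattern); flagging is report-only and nothing is removed.
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$pattern = 'Superfish'   # assumed substring of the suspect root's subject

$results = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        $reasons = @()
        if ($cert.Subject -match $pattern) { $reasons += 'name matches pattern' }
        # A trusted root whose private key lives on this machine can mint
        # certificates for any site; legitimate public roots never ship one.
        if ($cert.HasPrivateKey) { $reasons += 'private key present on host' }
        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Reason     = ($reasons -join '; ')
        }
    }
}

$flagged = $results | Where-Object { $_.Reason -ne '' }
if ($flagged) {
    Write-Output "Suspicious trusted roots found:"
    $flagged | Format-Table -AutoSize
} else {
    Write-Output "No trusted root matched '$pattern' or carried a private key."
}
```

Run it from an elevated PowerShell prompt so the LocalMachine store is readable; a flagged entry should be removed with Lenovo's published removal instructions rather than by deleting the certificate alone, since the interception software would otherwise reinstall it.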

Security researcher Marc Rogers wrote on his blog: "If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers' banking sites, personal data and private messages."