China’s Lenovo shipped laptops with pre-installed adware that was found to be vulnerable to hackers; users complained about it in June 2014 and have still had no response, alleged security group Errata Security.
The software, called Superfish, automatically displays advertisements, but it intercepts encrypted connections in a way that leaves them open to eavesdropping, an attack known as a man-in-the-middle attack, said Robert Graham, CEO of the US-based cyber security firm.
In fact, Errata had earlier warned India about the possible export of user data from Xiaomi Redmi 1s phones to servers in Beijing, prompting the company to hurriedly relocate its servers to Singapore and the US.
Another major flaw in Lenovo laptops running Microsoft Corp’s Windows has thus been brought into the open. “This hurts (Lenovo’s) reputation,” Graham told Reuters. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops.”
Lenovo said last month that Superfish has since been removed from the laptops, but the Errata CEO said Lenovo was negligent, as its computers could still be vulnerable even after uninstalling Superfish.
“Such software is usually bad, especially the ad-supported software, but the SuperFish software is particularly bad. It’s designed to intercept all encrypted connections, things it shouldn’t be able to see. It does this in such a poor way that it leaves the system open to hackers or NSA-style spies. For example, it can spy on your private bank connections, as shown in this picture,” he wrote on the firm’s website.
Other experts allege that Superfish used a wiretap mechanism to defeat encryption by giving itself the authority to declare websites trusted when they are not.
Chris Palmer (@fugueish), a security engineer at Google who had just bought a new Lenovo laptop, first noticed that it was man-in-the-middling his Bank of America connection, and soon many users realised how bad it was.
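The mechanism described above, as an added example that is not part of the article and not Superfish’s own code: a certificate issued by a self-installed root passes validation for any hostname as long as that root stays in the trust store, which is why removing the root certificate, not just the ad software, is the check that matters. It assumes the openssl command-line tool is available; every CA and hostname below is constructed.

```shell
#!/bin/sh
# Added example: how a trusted interceptor root lets a forged site certificate
# validate, and how it fails once the trust store no longer contains that root.
# Assumes the openssl CLI; all names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate for a hostname, signed by the given CA (what an interceptor
# hands the browser when it stands between the user and the real site).
issue_leaf() {  # $1 = CA prefix, $2 = hostname, $3 = leaf file prefix
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$3.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# Exit 0 if the leaf chains to a root in the given trust store, non-zero otherwise.
chains_to() {  # $1 = trust-store prefix, $2 = leaf prefix
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca interceptor "Constructed Interceptor CA"   # root the adware installed
make_ca public "Constructed Public CA"             # an ordinary, unrelated root
issue_leaf interceptor bank.example forged_bank    # forged cert for a bank site

# Trust store that still holds the interceptor root (app removed, root left behind).
trust_store_with_interceptor_root() { chains_to interceptor forged_bank; }
# Trust store that only holds the ordinary public root.
trust_store_without_interceptor_root() { chains_to public forged_bank; }

if trust_store_with_interceptor_root; then echo "interceptor root present: forged bank cert ACCEPTED"; fi
if ! trust_store_without_interceptor_root; then echo "interceptor root removed: forged bank cert REJECTED"; fi
```

The same leaf is accepted or rejected purely on whether the interceptor’s root is in the store, so an uninstall that leaves the root behind leaves the exposure in place.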
“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand, a researcher at Brown Hat Security.
“They (Superfish) rely upon the fact that unsophisticated users don’t know how to get rid of it, and will therefore endure the ads,” writes Graham.
Responding to the furore, Lenovo said on its website: “Due to some issues with the Superfish Visual Discovery browser add-on, we have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already in market, we have requested that Superfish auto-update a fix that addresses these issues.”
Lenovo has cornered one-fifth of the global PC market since the Chinese firm took over IBM’s PC arm. Another Chinese telecom giant, Huawei Technologies Ltd, recently came under suspicion over its ties to China’s government.
Hackers from China have many times been blamed for major cyber attacks around the world, and North Korean hackers have recently also come under a cloud after allegedly attacking Sony last December.