China’s Lenovo Group Ltd said on Thursday that it would no longer pre-install software that cybersecurity experts perceived to be malicious and vulnerable to hacking.
Lenovo, the world’s largest PC maker, had come under fire from security researchers who said that the company pre-installed software from a company called Superfish on consumer laptops, and that this software hijacked web connections and allowed them to be spied upon.
Users reported as early as last June that a program, also called Superfish, was ‘adware’, or software that automatically displays adverts.
Superfish would no longer be pre-installed and has been disabled on all of Lenovo’s products in the market since January, when the PC maker also stopped pre-installing the software, said a Lenovo spokesman.
Superfish was included on some consumer notebooks shipped between September and December, he said.
Robert Graham, CEO of U.S.-based security research firm Errata Security, said Superfish was malicious software that hijacks and throws open encrypted connections, paving the way for hackers to control these connections and eavesdrop, in what is known as a man-in-the-middle attack.
“This hurts (Lenovo’s) reputation,” Graham said. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops.”
Graham and other experts said Lenovo was negligent, and that computers could still be vulnerable even after uninstalling Superfish.
Superfish throws open encrypted connections by giving itself the authority to take over connections and declare them as trusted when they are not.
“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand, a researcher at Brown Hat Security. “This amounts to a wiretap.”
Concerns about cyber security have dogged Chinese firms, including telecoms equipment maker Huawei Technologies Ltd, over ties to China’s government, and smartphone maker Xiaomi Inc, over data privacy.