Lenovo is now apologizing after it was revealed that the Chinese company spent years jeopardizing the security of its users with the Superfish software. Lenovo was the subject of heavy criticism this week for allowing another company to plant adware on millions of its computers, thus making their financial information more vulnerable to hackers.
“We messed up badly here,” Peter Hortensius, Lenovo's chief technology officer, told Bloomberg News. “We made a mistake. Our guys missed it. We're not trying to hide from the issue – we're owning it.”
Update 2:50 ET: The U.S. Department of Homeland Security issued an alert Friday advising Lenovo to remove the Superfish software program, which had been planted on devices since as early as 2010.
“Systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken,” the advisory warned.
Lenovo, the largest computer manufacturer in the world, admitted it was a mistake to let a company called Superfish, of Palo Alto, California, include software on its machines. The adware, also known as Superfish, intercepted a user's connections, even to encrypted websites, and inserted Lenovo-friendly ads into pages displayed in the user's Internet Explorer or Google Chrome browser. The subversion drew heavy criticism Thursday from cybersecurity experts, who said the company also put users at risk by failing to secure the interception process itself.
Lenovo got “very minor compensation” in exchange for allowing the adware, Hortensius said, and was “trying to improve people's experience.”
The method of “improvement,” which has since been discontinued, specifically undermines HTTPS encryption, the browser protection that seals a user's connection to banking and e-commerce sites. Lenovo has also provided instructions on its website and social media feeds on how to disable the Superfish adware, though the changes have only highlighted how few good options users have when a trusted corporation agrees to undermine their security.
“If we take Lenovo at their word, then Lenovo made a very poor security-versus-user-experience tradeoff,” Jeremiah Grossman, founder of WhiteHat Security Inc., told Bloomberg after the Lenovo apology. “The bigger challenge now is what the various stakeholders can and should do about all those vulnerable laptops in circulation, perhaps even perpetually so.”