Lenovo, the Chinese tech giant, has been shipping PCs with spyware that tracks its customers’ every move online and renders the computers vulnerable to hackers.
Lenovo, the world’s largest PC manufacturer, was installing Superfish, a particularly pernicious form of adware that siphons data from a user’s machine via the web browser. Banking and e-commerce sites, or any web pages that are ostensibly secure and show the image of a tiny padlock, are vulnerable.
The adware discovery was made early last month by Peter Horne, a 25-year veteran of the financial services technology industry, after he bought a new Lenovo Yoga 2 Notepad at a computer retailer in Sydney, Australia.
Even though the PC came with McAfee anti-virus software, Horne said, he installed anti-virus software made by Trend Micro. Neither virus scanner picked up any adware on the machine. But Horne noticed that traffic from the PC was being redirected to a website called best-deals-products.com. When he dug further, he found that website’s server was making calls to Superfish adware.
Superfish’s “visual discovery” adware, Horne and others now say, is far more intrusive than typical adware. It drops ads into a user’s web browser sessions and can also hijack a secure browsing session and scoop up data entered into secure websites. Superfish does this so it can introduce ads into an otherwise encrypted Web page, but the way it does so compromises the security of trusted websites and makes it easy for other hackers to intercept communications.
Horne returned his PC and went on to test Lenovo’s demonstration machines at Best Buy stores in New York and Boston, and other retailers in Sydney and Perth. There, he found the adware on other Lenovo Yoga 2 models and the Lenovo Edge 15.
“The company had placed the adware at a very low-level part of the operating system,” Horne said in an interview. “If they can do that, they can do anything.”
In a statement issued Thursday, Lenovo said it had included Superfish in some consumer notebook products shipped between September and December “to help customers potentially discover interesting products while shopping.”
Citing bad user reviews, the company said it stopped including the adware in January, the same month that Horne brought the issue to the company’s attention.