The adware, which came pre-installed on many recent Lenovo consumer PCs, monitored the user’s web browser and inserted ads related to the content being browsed. Most troubling was that the adware decrypted secure communications from e-commerce and banking websites and passed that content back to the Superfish web servers for analysis without the user’s knowledge. It did this through what’s called a “man in the middle” attack, in which a security certificate installed on the Lenovo PC tricked the PC’s browser (and its user) into thinking it was on a secured connection.
“It’s extremely concerning that, based on published reports, Lenovo installed this software — which appears to have no meaningful benefit to the consumer — on devices without the purchaser’s knowledge,” Attorney General Jepsen said.
It didn’t take long for security researchers to break Superfish’s own encryption and demonstrate the means by which the Superfish software could be exploited to leak information to third parties.
“After consultation with technical experts, I have opened an investigation and asked both Lenovo and Superfish to provide information in order for me to determine if they have violated Connecticut’s laws prohibiting unfair and deceptive trade practices,” Jepsen added.
“The goal was to improve the shopping experience using [Superfish’s] visual discovery techniques,” Lenovo initially said in a statement. Lenovo Chief Technical Officer Peter Hortensius later told tech news site Re/code, “We messed up.”
Pre-installed “junkware” is nothing new to Windows PCs, especially on less expensive devices. Manufacturers often offset the cost of hardware by charging software makers and websites to have items preinstalled on mass market PCs. Microsoft launched their “Signature Edition” program to offer PCs from major manufacturers (including Lenovo) that are guaranteed to be free of preinstalled clutter. But those PCs often come at a higher price.
Simply uninstalling the software through the Windows control panel won’t remove the security certificate vulnerability, so it’s important to use the Lenovo tool to properly remove it from the system.
Lenovo says they installed the software on the following consumer PCs and laptops:
• G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45, G40-80
• U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
• Y Series: Y430P, Y40-70, Y50-70, Y40-80, Y70-70
• Z Series: Z40-75, Z50-75, Z40-70, Z50-70, Z70-80
• S Series: S310, S410, S40-70, S415, S415Touch, S435, S20-30, S20-30Touch
• Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 Pro, Flex 10
• MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11, MIIX 3 1030
• YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11, YOGA3 Pro
• E Series: E10-30
• Edge Series: Lenovo Edge 15